Europeans seek ‘lawful’ ways of intercepting 5G communications

An exhibitor displays the prototype of a 5G smartphone developed by Sharp Corp, owned by Taiwan's Hon Hai Group, at the Future Tech exhibition in Taipei, Taiwan, 05 December 2019. [EPA-EFE/DAVID CHANG]

The European Commission is working alongside Europol and EU member states to “identify appropriate ways of preserving lawful interception capabilities in 5G networks,” said Ylva Johansson, the EU’s Home Affairs Commissioner.

New challenges for law enforcement authorities will arise with the gradual onset of 5G in Europe, because the technology employs 256-bit encryption that allows for unprecedented levels of privacy and anonymisation in mobile communications networks.

One example of 5G’s significantly bolstered privacy standards is the encryption of the International Mobile Subscriber Identity (IMSI) number within 5G networks. This will mean that “security authorities are no longer able to locate or identify mobile devices,” Europol said in a note last year.

“The authorities are then also unable to assign a device to a specific person,” according to the paper, published by Statewatch, a privacy NGO.

Such improved standards in mobile communications may, in turn, allow for a user’s identity and location to be protected, therefore undermining police authorities’ ability to conduct “lawful interception” – in other words, wiretapping or eavesdropping.

In Europe, fears among politicians and police authorities in this regard are starting to provoke ideas about how these higher levels of encryption may be bypassed.

“The Commission, Europol and Member States’ law enforcement authorities are working together to identify appropriate ways of preserving lawful interception capabilities in 5G networks,” a written statement from Commissioner Johansson said on Monday (13 January). The statement was delivered after German leftist MEP Cornelia Ernst pressed the EU’s executive branch for a response on the matter in October.

‘Eavesdropping opportunities’

Ernst had claimed that European police forces are attempting to establish “eavesdropping opportunities” in 5G networks by working with certain international standardisation bodies, including the Technical Committee Lawful Interception working group of the European Telecommunications Standards Institute (ETSI), and the 3rd Generation Partnership Project (3GPP) of the UN’s International Telecommunication Union.

In May last year, the EU Counter-Terrorism Coordinator suggested that Europol could strengthen its capabilities related to 5G. “Europol could consider to become a member in ETSI and then the law enforcement subgroup of the 3GPP process to support Member States to defend European law enforcement’s concerns,” Gilles de Kerchove said in a note to EU national delegates.

According to Johansson, “Europol encourages the participation of Member States in standardisation committees dealing with lawful interception and cybersecurity of 5G”. This aims to allow police authorities better access to consumer data in the course of a criminal investigation, she said in her written response to Ernst.

Johansson added, however, that the “direct involvement” of Europol in such activities is “currently limited.”

EURACTIV caught up with Ernst on Tuesday (14 January), to hear about her concerns on the matter.

“5G is by design protected against interception. To circumvent this, essentially two possibilities exist,” she said.

“Either you can try to make hardware manufacturers include in their devices a kind of backdoor that would funnel unencrypted data out of the system. Or you can try to weaken the software standards so that you retain the possibility to decrypt the communication you want to intercept.”

The first example relates to what the US accuses Huawei of doing in its equipment – a claim the Chinese company has consistently denied. The second example, meanwhile, relates to what the Commission has admitted Europol is doing, Ernst said.

Civil rights activist Matthias Monroy has previously drawn attention to comments from the German Interior Ministry suggesting privacy standards in 5G network communications could be lowered to facilitate police investigations.

Uncertainty over Europe’s 5G infrastructure

Europe’s renewed concerns over police access to 5G data come amid growing uncertainties over the bloc’s future in 5G.

The US has been ramping up pressure on the UK regarding China’s involvement in the country’s future 5G infrastructure. On Monday, a delegation from the US led by deputy National Security Adviser Matt Pottinger sat down with ministers in London ahead of a decision on Huawei’s involvement in UK 5G networks due later this month.

EURACTIV recently spoke to an official at the UK’s Digital Ministry who refused to confirm a specific deadline but said a decision would soon be made by Digital Secretary Nicky Morgan. “The security and resilience of the UK’s telecoms networks is of paramount importance. The government continues to consider its position on high-risk vendors and a decision will be made in due course,” the source said.

More broadly, in December, EU ministers adopted conclusions, stressing that an EU approach to 5G cybersecurity should be comprehensive and risk-based, while also taking into account “non-technical factors”.

In the Commission, an October report on the coordinated risk assessment of 5G networks noted that “threats posed by states or state-backed actors are perceived to be of highest relevance”.

Member states have now been tasked with working on a set of measures to mitigate the cybersecurity risks outlined in the report. EU nations are currently working alongside the Commission and ENISA, the European Agency for Cybersecurity, in drawing up the plans, which are due to be published in the “coming weeks”, an EU official told EURACTIV.

[Edited by Frédéric Simon]
