Two EU agencies that have been on opposite sides of a heated debate over encryption just agreed on limits to law enforcement agencies’ access to private data.
The agreement marks a surprise turn in EU officials’ struggle over secure communication that spiked after recent terrorist attacks in Brussels and Paris.
Udo Helmbrecht, the director of ENISA, the EU cybersecurity agency, and Rob Wainwright, director of Europol, the bloc’s law enforcement agency, have been in talks over the last two weeks to try to come up with an agreement on encryption.
Helmbrecht and Wainwright have been at odds over encryption: after bombings in Brussels on 22 March, Wainwright said that terrorists use encryption to communicate securely, making it hard for police to track them.
Helmbrecht told euractiv.com in an interview that creating so-called backdoors to allow law enforcement agencies to access encrypted data would have a ripple effect and weaken security on a broader scale.
But the two directors wanted to dispel rumours that they were at odds over the issue, which was fuelled by Apple’s drawn out legal battle with the FBI over an encrypted iPhone that belonged to a suspected terrorist in California.
After two days of meetings at Europol’s headquarters in the Hague, Wainwright and Helmbrecht said this afternoon (20 May) that they’d found common ground on when police can intercept encrypted communication.
Despite Wainwright’s previous protests about encryption, he and Helmbrecht agreed that built-in backdoors to encryption don’t provide a secure fix to police frustrations.
“While this would give investigators lawful access in the event of serious crimes or terrorist threats, it would also increase the attack surface for malicious abuse, which, consequently, would have much wider implications for society,” the directors wrote in a statement.
The two agency chiefs’ statement echoes Helmbrecht’s plea for preserving strong encryption.
“Intercepting an encrypted communication or breaking into a digital service might be considered as proportional with respect to an individual suspect, but breaking the cryptographic mechanisms might cause collateral damage,” their statement reads.
Helmbrecht told EURACTIV in March that weakening encryption could be catastrophic for cybersecurity and make any system that relies on encryption—like banking software—more vulnerable.
While Helmbrecht and Wainwright say they oppose mandatory backdoors in encryption, they do want policies that give police more leeway to crack encryption legally.
The directors write that if encrypted information is needed for security reasons, “feasible solutions to decryption without weakening the protective mechanisms must be offered, both in legislation and through continuous technical evolution”.
The Europol and ENISA chiefs will keep fine-tuning their position on encryption. They agree that encryption should be protected, but things could get more complicated when they try to iron out details of how law enforcement authorities should technically intercept encryption.
Helmbrecht is outspoken about keeping encryption strong—he warns that backdoors or limiting the size of cryptographic keys will create security vulnerabilities but also hurt Europe’s technology industry.
Speaking in the Hague yesterday (19 May), he warned that “history will repeat itself” and lead to security breaches if laws aren’t updated to make sure encryption is kept strong.
Several EU politicians have called for technology companies to create backdoors to encrypted communication systems for law enforcement agencies. Calls for encryption backdoors were reignited after terrorist attacks in Paris last November.
Apple has been embroiled in a weeks-long battle over encryption with the US government after the FBI demanded access to encrypted data on an iPhone that belonged to a suspect in the shootings last December in San Bernardino, California. On 28 March, US authorities dropped a legal case against Apple after the FBI announced it was able to access the data on the iPhone.