Europol supports encryption. We can relax now… right?

(This post is part 2 of the Europol series. Click here for part 1.)

Rob Wainwright, Europol’s Director, claims that encryption gets in the way of 75% of Europol’s cases; he calls this the ‘encryption dilemma’. He also frequently points out that encryption and anonymisation tools are preventing law enforcement from doing its job. He is not alone in his thinking.

Wainwright’s position reflects that of many law enforcement officers around the world; encryption has recently come under a lot of heat from law enforcement officials and legislators alike. They fear that because encryption has become widely available, it is allowing bad actors to evade detection. Their panic is convincing some people that we should be willing to sacrifice users’ security so that the police can expand their investigative capacity. Yet this argument fails to recognize that encryption provides the foundation both for the exercise of human rights online and the digital economy as a whole. It is an essential security tool, helping individuals around the world communicate with (and in) confidence. It enables victims of violence to reach out for support without fear of repercussions; it helps journalists communicate with their sources; and it helps confidentiality-sensitive services remain truly confidential. That’s naming just a few uses of encryption that have nothing to do with crime or terrorism.

In Europe, it is the European Network and Information Security Agency (ENISA) – an EU body responsible for securing Europe’s information society –  that most touts the merits of encryption. The agency’s key message: undermining encryption will only create and/or exacerbate the vulnerabilities in our networks. In a brief published early this year, ENISA explains why cryptography is important for the (self) protection of EU citizens. The agency makes three important points:

  • Historically, when policy sought to create vulnerability, it exposed the system to abuse and attack. This is damaging to all actors, from industry to individuals.
  • While the widespread implementation of cryptography makes lawful interception harder, any tools which seek to counter this introduce technological risks to key infrastructure and overall security.
  • Banning encryption is not feasible and near impossible to enforce. Restricting the use of cryptography in commercial products would only damage EU-based IT industries.

Encryption and Europol

Europol’s own research indicates that while a blanket ban on encryption would be ‘possible to enforce’ (Europol implements a very interesting line of logic there), it is not ideal for the security of the internet as a whole, and criminals would still have the option of using other technologies to ‘go dark’, such as steganography or even encryption tools from regions where it hasn’t been banned. In fact, in May, a conference called Privacy in the Digital Age of Encryption and Anonymity Online took place at Europol’s premises in the Hague. ENISA and technical experts from the government and private sector, with representation from civil society, overwhelmingly concluded that encryption is a critical tool for the security of IT systems and the safety of the online environment.

However, even if the tide is turning with regard to encryption, law enforcement is also shifting the discussion to malware and other ‘practical solutions’, as well as to what they perceive to be the most problematic issue — anonymity online. Specifically, Europol has thrown its weight behind the ‘obligation to disclose’ — a legal concept wherein law enforcement would have the capacity to compel individuals to provide access to certain information. They want the obligation to disclose to be implemented in a way that would force individuals to cooperate.

The obligation to disclose is a debated concept, and some courts seem to see it as a justified part of criminal investigations. European member state legislation, such as the UK’s infamous Regulation of Investigatory Powers Act (RIPA), attempts to set out penalties for anyone refusing to disclose passwords and grant the police access to certain information. This has led to several individuals being imprisoned for refusing to turn over encrypted material. This may be a justifiable legislative measure, but it must be anchored in proper human rights safeguards, and provide for adequate court oversight. Yet Europol’s analysis sees jurisdiction as the only issue with the obligation to disclose. They make a feeble attempt to grapple with the fact that while some governments should have this power, others with questionable motives potentially should not — a dilemma they propose solving with more discussion among legislators. This is an issue. Europol inherently sees itself as the good guy and refuses to see evidence that its solutions and proposals have the potential to compromise safety and security, especially if they’re not implemented correctly.

Encryption may be safe for now — but what’s next?

On the back of these encryption discussions and the May conference, ENISA and Europol issued a joint statement on the subject. While many people interpret this two-page statement as a sign that Europe won’t see the same kind of ‘crypto wars’ that are currently underway elsewhere (at least for now), the text makes elliptical references to future challenges. For example, in some parts of the text, the statement calls for legislation to resolve uncertainty for law enforcement. If there is no way to access encrypted information that could be imperative for security and justice, the statement calls for a ‘feasible solution to decryption without weakening the protective mechanisms [to be offered] both in legislation and through continuous technical evolution’. The statement implies that privacy should be respected only up to the point when law enforcement has a need to access data. Thus, even though Europol does not attack encryption directly, there is still plenty of room for anticipation and worry.

While we wait, Access Now’s position remains clear: encryption and anonymity provide the privacy and security necessary for the exercise of an individual’s right to freedom of opinion and expression in the digital age. We hope you stand with us in support of encryption and anonymity, and we encourage you to check out our initiatives: Encrypt all the Things and Secure the Internet.


Image source: Christiaan Colen