Mixed messages: crypto and other closed-door conversations in the EU

Note: This is a continuation of a previous post – “EU ministers are targeting encryption. We need to know more”

Several weeks ago, we reported that the EU’s justice ministers have been discussing possible action to undermine encryption. Well, they met on that very topic yesterday…and while they may have decided not to attack encryption outright, it’s not out of the crosshairs just yet. We can happily report that yesterday we handed our encryption petition with more than 1,900 signatures to the Slovak Permanent Representation in Brussels (as well as the inboxes of all the justice ministers and their cabinets) — so we thank every one of you who signed!

Back in September, the French and German Ministers of Interior called for a “solution to encryption” — whatever that may be. It’s positive that, after much pushback, they no longer seem to be seeking to limit the development or use of encryption. Instead, however, they have reshaped their request in their most recent letter to the Council of the European Union (dated 7 November 2016), and despite its peaceful, placating tone with regard to encryption, what they are proposing is just as invasive. They now seek arbitrary data retention and an increased emphasis on privatised enforcement, while hinting at the need to require data localisation for communications services and those that provide them. Whether or not they attack encryption, these requirements would turn any communications platform into an efficient surveillance tool, ripe for abuse by nosy governments, malicious third parties, and data-greedy companies alike.

Today and in the coming months, we sincerely hope that the justice ministers reject these demands and instead formulate a proportionate and informed response to the issues France and Germany have raised.

In the meantime, we continue to fight for more transparency into the council’s activities and plans…and for the hidden answers to the encryption surveys.

The 12368/16 encryption of data questionnaire

Over the past several weeks, we have sent around letters to all the justice ministers and their cabinets, asking them to hand over their responses to the questionnaire circulated by the council which sought to outline national positions on encryption. Some member states have responded (the tracker is available here) and their answers have provided us with great insight!

Some things we learned:

  1. VPN, SSH, PGP, and Tor, as well as Telegram, Signal, and WhatsApp come up repeatedly as an issue, and as tools used by “suspects”.
  2. Law enforcement lacks specific knowledge to deal with cases with electronic evidence. They lack the “technical capability” as well.
  3. Law enforcement uses commercially available decryption tools.
  4. State authorities are recognising that “HTTPS is a common tool and not a choice of suspects”.
  5. The right not to incriminate oneself prevents legislation which would force individuals to decrypt… but not in all countries! The Netherlands is currently weighing the option.
  6. The principle of territoriality seems to be inadequate, given the cross-border nature of the internet.
  7. Court orders are necessary in order to request data from telecommunications providers or wiretap a connection.
  8. Italy allows wiretapping of encrypted data flows through the so-called Trojan inoculation technique, on the basis of a court order.
  9. Most states indicated a need for a European platform for decryption, to be used by law enforcement.
  10. Data needed by law enforcement can be decrypted with the help of private industry third parties.
  11. Data decrypted or obtained in such a way may help the investigation, but is not admissible in court.
  12. When vulnerabilities are used to obtain evidence, this information is used by the provider to patch the vulnerability. Still not admissible in court.

All in all, while member state ministers agree that encryption should be protected, countries struggle with encryption and security protocols to varying degrees. Because there is a lack of technical expertise and computer processing power, we can expect an extensive conversation around government hacking capacities, reform of mutual legal assistance treaties (MLATs), and cross-border cooperation in the coming months.

We will continue pushing to collect all of the member state responses in the coming weeks, and will be working with our partners around the EU to file local freedom of information requests so we can all learn more about these issues.

Improving criminal justice in cyberspace questionnaire

In our search for answers to one questionnaire, we stumbled upon the existence of another; it was also circulated to the council members, but regards improving criminal justice in cyberspace.

The content of this second questionnaire deals largely with access to data, and indeed, reforming MLAT is necessary to ensure a functional international system of information exchange in criminal matters. However, there is a problematic tone to this questionnaire: it asks national ministries to detail “top service providers in terms of requests for direct cooperation” (both domestic and foreign), and goes on to ask how “direct cooperation” with providers works. This tone suggests that the European Commission is scoping out the environment to make direct “short cut” deals with certain telecommunications providers, once more, outside the rule of law.

The public availability of member state responses is an essential tool for further analysis and better understanding of the decision-making process. We have filed a freedom of information request to get access to all the responses and are awaiting a response from DG Home. We are curious to hear more, and will — as always — keep you updated as we move forward with uncovering the answers to both of these surveys.