The European Union will boost its law enforcement agency and free up funding to help police break encryption for investigations, but the move is unlikely to satisfy Europe’s most powerful governments that want broad access to chat messages and data.
The Commission said Wednesday it wants to create a “toolbox” to help national law enforcement break encryption, provide up €500,000 to train European police and boost its police agency Europol’s ability to hack into phones, computers and private messages.
“Some member states are more equipped, technically, than others to do that,” Commissioner for the Security Union Julian King said. “We want to look at how we can increase the cooperation between intelligence communities and law enforcement.”
The question is whether Europe’s national capitals will be satisfied with the Commission’s move.
Faced with terror and criminal investigations that rely on digital evidence, some of Europe’s law enforcers have called for access to encrypted communications.
“Google knows where I’ve been every day. That information is being used, sold, processed … Compare that to what we need to do our jobs, to find the truth in criminal cases — saying we can’t access [those data], that’s not acceptable,” said Philippe Van Linthout, a Belgian investigatory judge who prosecutes terror cases.
Governments, including the U.K., are demanding that intelligence services and law enforcement have access to encrypted communication, targeting messages sent over apps like WhatsApp and Telegram. A survey of EU countries, obtained by privacy NGO Bits of Freedom last year, showed countries including Italy, Poland and Hungary have asked for the EU to legislate on the issue.
Europol previously said about 75 percent of major cybercrime investigations face the problem of having to crack encrypted devices. Investigations facing encryption issues range from accessing drug dealers’ computers to tapping into communication networks that perpetrated the Brussels terror attacks on March 22, 2016.
The Commission proposed that Europol would boost its decryption capabilities. Europol will get 19 additional staffers to decrypt data for investigations and help national police access encrypted phones or software. It also wants to “establish a network of centers of encryption expertise.”
The proposed “toolbox for legal and technical instruments” is inspired by recent publications that outline different ways intelligence agencies and law enforcement can get around encryption.
Europol now provides what they call “a limited decryption facility” for member countries. It also provides advice and guidance to member countries on decryption matters, but didn’t disclose figures on how often it actually hacks phones or decrypts to help investigations.
But police and governments railing against encryption face strong opposition from small, digitally minded countries, privacy advocates, tech companies and cybersecurity experts.
The tech industry has embraced encryption technology. Encryption software has enabled retailers to sell to customers on the web, banks to go online or health care to dive into e-health technologies. Facebook bought secure messaging app WhatsApp and rolled out encryption on its own Facebook Messenger application. Apple enhanced the security of iMessage, messages sent from one iPhone to another, with encryption technology to convince users their data is safe with the company.
“We trust the EU will remain mindful of the widespread support for encryption as expressed by European commissioners, ENISA, data protection authorities, industry, and civil society,” said Christian Borggreen, vice president of CCIA Europe, a lobby group whose members include Google, Facebook and other tech companies.
Joe McNamee, executive director of European Digital Rights, said the Commission’s approach was “vastly more balanced than some of the more breathless populist scaremongering on the topic emanating from certain national capitals.”
The Commission acknowledges the dangers of weakening security technology.
“We are not in favor of so-called backdoors — that is, systemic vulnerabilities … What we’re trying to do today is move beyond the sometimes sterile debate of backdoors [versus] no backdoors,” King said.
His announcements also open up new questions on the power governments hold to get into people’s phones and computers.
Leaks that became public last year showed U.S. intelligence agencies were stockpiling vulnerabilities in popular software.
That annoyed tech companies, who argued it held them back in fixing security glitches in their software. Security experts also pointed out that such large collections of harmful loopholes in software could eventually find their way into the hands of malicious hackers.
“Stockpiling vulnerabilities is controversial, but — want it or not — it is the reality in many countries,” said Lukasz Olejnik, an independent cybersecurity researcher.
While a wide-ranging coalition managed to halt EU-level regulation that would weaken encryption, several countries have broadened the powers of security authorities to hack citizens and devoted resources to boosting their capabilities to police and surveil the web.
The Commission’s plans this week stop short of answering questions about these new powers. They also lack guidance on whether EU countries can pass national laws demanding tech companies provide them with “backdoors.”
“We’ve been having this conversation for years now,” said David Kaye, the U.N. special rapporteur for freedom of expression, about governments’ insistence to get direct and constant access to encrypted information.
“The idea that any society would undermine the backbone of the digital economy for really uncertain gains,” said Kaye, “at best, it strikes me as crazy.”
Giulia Paravicini contributed reporting.