In January, Europol and Eurojust produced their first report on encryption in the area of IT security, "First report of the observatory function on encryption". Within the framework of the measures presented by the European Commission, both agencies established a joint observatory to analyse the difficulties, the opportunities and the future of encryption in the world of criminal investigation.
The report provides a brief introduction to the concepts, products and services that make general use of encryption. It then sets out, drawing on the experiences of members of the European Cybercrime Centre (EC3), the challenges that encryption poses for security services and judicial systems when investigating and prosecuting criminal offences.
Accordingly, the report first stresses that the specific legal framework is deficient and does not help security agencies and judicial authorities to address and combat encryption. Despite the difficult balance between the right to privacy and the rights of victims, the report stresses the need for regulations that provide for, among other things, a legal obligation on companies and/or services to hand over the key or the encrypted information, and some specific provisions for the use of tools to attack encryption.
Apart from the legal aspects, what stands out is the need to reinforce operational coordination, technical and technological resources, and human resources. According to the observatory, from an operational viewpoint, better coordination between the different security forces and European agencies like Europol and Eurojust is needed. At the same time, it is crucial to invest in computational power in order to carry out attacks aimed at finding the access codes to encrypted information. Nevertheless, as a complement to technology, training and the presence of forensic experts in the field are essential.
Faced with the aforementioned problem of balancing the right to privacy against the need to fight crime, European Digital Rights (EDRi) indicates that finding the key, or discovering it by exploiting vulnerabilities, is a good way to respond to the problem. According to the report, it is in this direction that efforts should be made to meet the challenge of encryption.
Finally, the report refers to new future challenges. The observatory will emphasize three of these: quantum computing, artificial intelligence and the arrival of 5G. For the time being, none of these technologies has brought a radical change in encryption, but major advances and some risks are expected, like Quantum Key Distribution in the case of quantum computing or the International Mobile Subscriber Identity (IMSI) in the case of 5G.
Overall, the report presents a dilemma. Although encryption is necessary, in terms of security, for public administrations and private companies, it is also exploited for the illegal activities of organised crime. The underlying issue, therefore, is providing public services with a legal framework and an operational capacity to progress in this technological environment. Will we be able to, when the report itself stresses that it is private companies that are taking the initiative?
http://www.eurojust.europa.eu/Pages/home.aspx Eurojust
https://www.europol.europa.eu/publications-documents/first-report-of-observatory-function-encryption Report on the Europol website.
- https://www.torproject.org/index.html.en The Onion Router – Tor (free programme)
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb742566(v=technet.10) Virtual Private Networks.
- https://signal.org/ Signal
- https://www.silentcircle.com/ Silent Circle.
- https://www.techopedia.com/definition/13623/full-disk-encryption-fde Definition of Full Disk Encryption
https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3 European Cybercrime Centre. EC3
For example, in the field of browsers, there is The Onion Router (Tor), a free programme that, apart from borrowing several IP addresses, creates random nodes and connections with their respective layers of decryption, which makes it difficult to trace the original IP. Or Virtual Private Networks, which protect the connection between the terminal and the server. In voice communications there are, for example, the Signal encryption services as well as the less well-known Silent Circle.
This specific legislation is not widespread, as it could amount to a violation of the right not to incriminate oneself. Nevertheless, wherever this obligation for service providers exists, on many occasions these very providers cannot satisfy the demand because they have no access to content protected with end-to-end encryption (E2EE).
The report stresses that, although current legislation is sufficient, greater specificity about the decryption tools used, though not necessarily more technical description, could provide more legal certainty.
There are decryption tools that, with current computational capacity, make decryption possible in a reasonable amount of time. For this reason, experts can provide details of the personal context and environment of the subject of the investigation to speed it up by focusing resources in one direction.
With 5G, a unique identifier can be temporarily replaced by a dynamic identifier, which gives rise to new manipulation techniques for identification and concealment.