Wednesday, April 13, 2016

How Europe can get encryption right

Thorsten Benner and Mirko Hohmann


BERLIN — While Europe has taken a great interest in the “crypto war” between the U.S. government and Apple as well as other Silicon Valley behemoths, it has yet to wake up to the gathering storm of encryption policy within its own borders. Various EU governments have proposed unilateral measures on how to deal with encryption, and the split between advocates of encryption and staunch opponents is growing.


Hungary’s ruling party Fidesz has suggested legislation that would make encryption software illegal. In France, a draft bill threatens to fine tech companies unwilling or unable to decrypt user data. Similar measures are being discussed in the U.K. as part of the draft Investigatory Powers Bill.

Meanwhile, in the Netherlands the government has argued that it is not “desirable to take legal measures against the development, availability and use of encryption.” The Germans also support “more and better encryption.” In its Digital Agenda, the German government even resolved to become the “world leader in encryption.”

* * *
A lot is at stake in this debate today. Encryption is by far the most important technology for the safeguarding of online security and privacy. Without it, the digital economy would collapse. Yet, as we know, criminals and terrorists use encryption to shield their communication from law enforcement agencies afraid of “going dark.”

But so far neither side of the debate has come up with the right answer. The anti-encryption camp’s solutions are impractical and harmful. It is impossible to give government access to encrypted communication in a way that would not undermine encryption as a whole and compromise users’ security. If France and Hungary were to make it difficult or illegal for companies such as Apple or WhatsApp to offer encryption, interested users could choose from a wide variety of alternative tools freely available from other providers across the globe.

So it is not surprising that the European cybersecurity agency ENISA has come out strongly against backdoor measures, a view shared by most law enforcement officials, not least because encryption is essential in the protection of citizens’ data against criminals. Law-abiding citizens would be the ones to lose out on a law that bans or weakens encryption. It’s unlikely criminals and terrorists would be cowed by such measures.

The pro-encryption camp has not offered up a way to address legitimate concerns by law enforcement. Reacting to the Brussels attacks in March, Europol director Rob Wainwright said: “Encrypted communication via the internet and smartphones are a part of the problems investigators face.” There will be more and more cases in which law enforcement bodies are unable to access data stored on a criminal’s phone or monitor online conversations between terrorists.

German Federal Prosecutor General Peter Frank correctly emphasized that “law enforcement and security agencies need to be able to keep pace with technological progress.”

* * *

Getting encryption right will require a new European consensus that provides answers to the concerns of law enforcement in a way that doesn’t undermine the vital role of encryption for citizens and the economy.

To that end, EU governments should take an “encrypted world” as a given and decisively bid farewell to anti-encryption legislation and backdoors. Instead, the discussion should focus on identifying the tools and resources law enforcement needs in order to fulfill its duties in the face of ubiquitous encryption.


Improving and potentially pooling technical capabilities should be a second priority. If agencies cannot access encrypted communication, computer network exploitation software (also called device hacking) can give them direct access to a suspect’s computer or mobile phone. Yet only a few European countries have access to these tools. And where they do — such as with the German exploitation software Bundestrojaner — they are often technologically limited and lack a clear legal framework.


Similarly, many countries lack the computing capacities to break certain encrypted devices by “brute force,” and do not have the appropriate staff to put these new technologies to the best possible use. EU countries should agree on the capabilities they need and develop a platform to consolidate and exchange them.

Finally, the EU must double down on its efforts to update mutual legal assistance regimes, especially its cooperation with the U.S.

The times in which law enforcement agencies served a domestic telecommunications provider with a warrant to gain access to a suspect’s phone conversations are over. A more diverse set of companies now play a role, and most of these are based in the U.S. If the FBI is “going dark,” European agencies should be going even darker, since cooperation across the Atlantic is inevitably slower.

In contrast to their American counterparts, European agencies often lack informal access to American companies and hold less legal sway over them.

In order to pave the way for a European consensus on such measures, the Dutch EU presidency should make encryption a priority for the remainder of its term and source suggestions on how to strengthen law enforcement bodies from policymakers and experts across the Continent — especially in countries currently considering anti-encryption legislation.

EU disunity on encryption weakens Europe’s voice on the global stage on one of the key digital policy issues of our time. The lack of a common policy undermines its common digital market and obstructs the fight against organized crime and terror.

It is about time EU governments jointly live up to this task rather than going it alone.

Thorsten Benner and Mirko Hohmann are researchers with the Global Public Policy Institute (GPPi) in Berlin. 

