Encryption Survey Indicates Law Enforcement Feels It's Behind The Tech Curve; Is Willing To Create Backdoors To Catch Up
from the trading-brute-force-for-extra-keys dept
To get a general feel for European law enforcement encryption sentiment (so to speak), the European Union sent questionnaires to member countries, asking for details on what forms of encryption are encountered most frequently and what these agencies feel would be the best approach to tackling encrypted data going forward.
Surprisingly, the EU received several responses and most have been published in full. (The list of PDFs/HTML versions can be found near the bottom of this page.) They were issued in response to a public records request by Rejo Zenger of Dutch digital rights group, Bits of Freedom.
Security researcher Lukasz Olejnik went through the posted documents to find the highlights/lowlights of the submissions. Several countries responded to the EU’s questionnaire, but only twelve of those made their answers public. (And, in the case of the UK and the Czech Republic, some answers were redacted.)
Most responding agencies in most countries are running into the same encryption issues.
Countries point to difficulty of tackling encrypted data, in particular: encrypted data at rest (using solutions such as TrueCrypt),encrypted data in transit (e.g. SSH, HTTPS, Tor), use of instant messengers such as Skype, WhatsApp, etc., and encrypted mobile devices
Countries disclose they lack resources such as technology, money or personnel, to effectively fight cybercrime
But not every country treats encryption “problems” the same way. A few didn’t consider HTTPS to be an encryption form worth noting, perhaps because it doesn’t cover the sort of data or communications they frequently target.
Others, like agencies in Italy (in an ALL CAPS reply), aren’t so much worried about encrypted data in transit as much as they are worried about very specific data at rest, located in very specific consumer devices.
AS FOR OFFLINE ENCRYPTION, ONE MAIN PROBLEM IS WITH ONE OF THE MAJOR DEVICES COMPANY.
Hmm. I wonder which “major devices company” that would be? It seems this same “devices company” also thwarts law enforcement’s wiretap efforts…
THERE ARE DIFFERENT TECNIQUE ADOPTED CASE BY CASE IN ORDER THE TRY TO DECRYPT THE INTERCEPTED DATA. ALSO USING THIRD PARTIES (PRIVATE INDUSTRIES/COMPANIES) RESOURCES.
IN ADDITION THE MAIN IUSSES OFTEN CONCERN THE DIFFICULTY IN REMOTELY INSTALLING THE “WIRETAP TROJAN” ONTO SUSPECTS’ DEVICE, ESPECIALLY WITH REGARD TO ONE OF THE MAJOR BRAND.
…aaaand forensics efforts.
THE MAIN IUSSES RESULT FROM THE TECHNICAL IMPOSSIBILITY OF DECRYPTING ONE OF THE MAJOR BRAND’S DEVICES.
There seems to be no consensus on mandated encryption backdoors, but there are more than a few countries leaning that way. Estonia believes the problem is of a “technical nature,” rather than one that should be solved through mandated backdoors. Belgium’s submission flat-out states the country isn’t interested in seeking mandated backdoors.
A regulation to prohibit or to weaken encryption for telecommunication and digital services has to be ruled out, in order to protect privacy and business secrets.
On the other end of the spectrum, Poland openly calls for deliberately weakened/compromised encryption.
One of the most crucial aspect will be adopting new legislation that allows for acquisition of data stored in EU countries “in the cloud” without need to apply for MLAT. There is also need to encourage software/hardware manufactures to put some kind “backdoors” for LEA or to use only relatively weak cryptographic algorithms.
The call for backdoors is echoed by Latvia and Italy.
In between, there are several countries that allude vaguely to working in conjunction with tech companies to find some sort of balance between user security and law enforcement’s desires. (Then there’s Italy, which mostly seems interested in seeing Apple devices wiped from the face of the earth.)
There are almost as many approaches as there are responding countries. We can only speculate on the contents and assertions made by countries that have refused to release their answers for “national security” reasons, but one would expect those with the most to “hide” would be more likely to expect citizens to give up their security for the good of the nation.
Filed Under: backdoors, encryption, going dark, law enforcement
Comments on “Encryption Survey Indicates Law Enforcement Feels It's Behind The Tech Curve; Is Willing To Create Backdoors To Catch Up”
They could always follow America’s example and pass their own laws allowing their law enforcement to “legally” hack into computers domestic and foreign.
Or just go the all-in UK style, and mandate backdoors…
What about the ones that simply won’t introduce backdoors. I’m pretty sure messengers that focus on security (like Signal and Threema) won’t do it. Do they try to block those?
Re: Re: Re:
depends on where they physically are? If they are within the borders of the EU, they may become CELL blocked if they do not comply.
I’m not sure if they know this but: YOU EITHER HAVE STRONG SECURITY OR YOU DON’T.
There can be no half-measures because if there’s a hole in the encryption for government use then it will be found and will be used by malicious hackers and state-sponsored agents.
But instead of being smart some countries would apparently rather break and compromise security measures.
At least one branch of the US government already has first hand experience with this problem. The Government response is that they simply don’t care.
I’d be willing to bet that any laws mandating backdoors in encryption will have exemptions for law enforcement and government, so they won’t be bothered a bit if the key to the backdoor is leaked.
I nominate you to write these things for Italy, You’ve already got use of the caps lock key down!
(seriously though, I do agree that there is no middle ground here.)
Whether they know it or not doesn’t ultimately matter because they simply don’t care. ‘Bad people’ are using encryption to hide from the ‘good guys’, therefore encryption needs to be crippled.
That this will result in an increase in crime to absolutely dwarf what was happening before isn’t something they concern themselves, because they can simply blame the tech companies for not nerding hard enough and letting the bad guys through.
Re: Re: Re:
‘Bad people’ are using window blinds to hide from the ‘good guys’, therefore window blinds need to be transparent.
“Law Enforcement Feels It’s Behind The Tech Curve; Is Willing To Create Backdoors To Catch Up”
Problem is, they will “never catch” up because why bother?
Also, what do they think catching up means?
let them eat backdoors.
An analogy, you say? Certainly Sir, fresh analogy coming right up!
Law enforcement insists their cars aren’t fast enough to catch criminals and insists that all car manufacturers fit devices to blow all four wheels off the vehicle when activated by secret road-side buttons.
Road safety advocates point out the obvious danger of wheels being able to come off cars so easily and the danger of having buttons that might be found to do it.
Law enforcement scoffs at the privacy advocates, calls them all terrorists and fits the buttons anyway.
Almost instantly, most criminals start driving foreign cars that haven’t had the explosive wheels fitted. Law enforcement kills several motorists in error while catching a handful of criminals. Many other motorists killed in multi-car pile-ups as other criminals find the buttons by the road and start merrily pushing them.
Re: An analogy, you say? Certainly Sir, fresh analogy coming right up!
That is almost possible today, BMW traps alleged thief by remotely locking him in car
Re: Re: An analogy, you say? Certainly Sir, fresh analogy coming right up!
Yeah, sadly too easy with modern cars, and it’s going really well so far!
Every Technological "Solution" has a Counter Measure
Implement a so-called “backdoor”, the “bad” guys simply work around it by invoking their own unbreakable encryption app.
Re: Every Technological "Solution" has a Counter Measure
Re: Every Technological "Solution" has a Counter Measure
“unbreakable encryption app”
you forgot the /s
This would be funny if it wasn’t tragic. We are lagging behind knowledge so instead of updating it we’ll bury our heads in the sand and make everybody except the crooks use pseudo-encryption (with backdoors). Because it will surely solve the problems.
Except, of course, if the intention is not to deal with the crooks.