Encryption Survey Indicates Law Enforcement Feels It's Behind The Tech Curve; Is Willing To Create Backdoors To Catch Up

from the trading-brute-force-for-extra-keys dept

To get a general feel for European law enforcement encryption sentiment (so to speak), the European Union sent questionnaires to member countries, asking for details on what forms of encryption are encountered most frequently and what these agencies feel would be the best approach to tackling encrypted data going forward.

Surprisingly, the EU received several responses and most have been published in full. (The list of PDFs/HTML versions can be found near the bottom of this page.) They were issued in response to a public records request by Rejo Zenger of Dutch digital rights group, Bits of Freedom.

Security researcher Lukasz Olejnik went through the posted documents to find the highlights/lowlights of the submissions. Several countries responded to the EU's questionnaire, but only twelve of those made their answers public. (And, in the case of the UK and the Czech Republic, some answers were redacted.)

Most responding agencies in most countries are running into the same encryption issues.

Countries point to difficulty of tackling encrypted data, in particular: encrypted data at rest (using solutions such as TrueCrypt),encrypted data in transit (e.g. SSH, HTTPS, Tor), use of instant messengers such as Skype, WhatsApp, etc., and encrypted mobile devices

Countries disclose they lack resources such as technology, money or personnel, to effectively fight cybercrime

But not every country treats encryption "problems" the same way. A few didn't consider HTTPS to be an encryption form worth noting, perhaps because it doesn't cover the sort of data or communications they frequently target.

Others, like agencies in Italy (in an ALL CAPS reply), aren't so much worried about encrypted data in transit as much as they are worried about very specific data at rest, located in very specific consumer devices.

AS FOR OFFLINE ENCRYPTION, ONE MAIN PROBLEM IS WITH ONE OF THE MAJOR DEVICES COMPANY.

Hmm. I wonder which "major devices company" that would be? It seems this same "devices company" also thwarts law enforcement's wiretap efforts...

THERE ARE DIFFERENT TECNIQUE ADOPTED CASE BY CASE IN ORDER THE TRY TO DECRYPT THE INTERCEPTED DATA. ALSO USING THIRD PARTIES (PRIVATE INDUSTRIES/COMPANIES) RESOURCES.

IN ADDITION THE MAIN IUSSES OFTEN CONCERN THE DIFFICULTY IN REMOTELY INSTALLING THE “WIRETAP TROJAN” ONTO SUSPECTS’ DEVICE, ESPECIALLY WITH REGARD TO ONE OF THE MAJOR BRAND.

...aaaand forensics efforts.

THE MAIN IUSSES RESULT FROM THE TECHNICAL IMPOSSIBILITY OF DECRYPTING ONE OF THE MAJOR BRAND’S DEVICES.

There seems to be no consensus on mandated encryption backdoors, but there are more than a few countries leaning that way. Estonia believes the problem is of a "technical nature," rather than one that should be solved through mandated backdoors. Belgium's submission flat-out states the country isn't interested in seeking mandated backdoors.

A regulation to prohibit or to weaken encryption for telecommunication and digital services has to be ruled out, in order to protect privacy and business secrets.

On the other end of the spectrum, Poland openly calls for deliberately weakened/compromised encryption.

One of the most crucial aspect will be adopting new legislation that allows for acquisition of data stored in EU countries “in the cloud” without need to apply for MLAT. There is also need to encourage software/hardware manufactures to put some kind “backdoors” for LEA or to use only relatively weak cryptographic algorithms.

The call for backdoors is echoed by Latvia and Italy.

In between, there are several countries that allude vaguely to working in conjunction with tech companies to find some sort of balance between user security and law enforcement's desires. (Then there's Italy, which mostly seems interested in seeing Apple devices wiped from the face of the earth.)

There are almost as many approaches as there are responding countries. We can only speculate on the contents and assertions made by countries that have refused to release their answers for "national security" reasons, but one would expect those with the most to "hide" would be more likely to expect citizens to give up their security for the good of the nation.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: backdoors, encryption, going dark, law enforcement


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Padpaw (profile), 5 Dec 2016 @ 3:35am

    They could always follow America's example and pass their own laws allowing their law enforcement to "legally" hack into computers domestic and foreign.

    reply to this | link to this | view in chronology ]

  • icon
    Lord Lidl of Cheem (profile), 5 Dec 2016 @ 3:44am

    Or just go the all-in UK style, and mandate backdoors...

    reply to this | link to this | view in chronology ]

    • identicon
      minidor, 5 Dec 2016 @ 6:57am

      Re:

      What about the ones that simply won't introduce backdoors. I'm pretty sure messengers that focus on security (like Signal and Threema) won't do it. Do they try to block those?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 5 Dec 2016 @ 7:31am

        Re: Re:

        depends on where they physically are? If they are within the borders of the EU, they may become CELL blocked if they do not comply.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Dec 2016 @ 4:49am

    I'm not sure if they know this but: YOU EITHER HAVE STRONG SECURITY OR YOU DON'T.

    There can be no half-measures because if there's a hole in the encryption for government use then it will be found and will be used by malicious hackers and state-sponsored agents.

    But instead of being smart some countries would apparently rather break and compromise security measures.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Dec 2016 @ 5:08am

    "Law Enforcement Feels It's Behind The Tech Curve; Is Willing To Create Backdoors To Catch Up"

    Problem is, they will "never catch" up because why bother?
    Also, what do they think catching up means?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Dec 2016 @ 5:13am

    let them eat backdoors.

    reply to this | link to this | view in chronology ]

  • icon
    Not an Electronic Rodent (profile), 5 Dec 2016 @ 5:19am

    An analogy, you say? Certainly Sir, fresh analogy coming right up!

    Law enforcement insists their cars aren't fast enough to catch criminals and insists that all car manufacturers fit devices to blow all four wheels off the vehicle when activated by secret road-side buttons.

    Road safety advocates point out the obvious danger of wheels being able to come off cars so easily and the danger of having buttons that might be found to do it.

    Law enforcement scoffs at the privacy advocates, calls them all terrorists and fits the buttons anyway.

    Almost instantly, most criminals start driving foreign cars that haven't had the explosive wheels fitted. Law enforcement kills several motorists in error while catching a handful of criminals. Many other motorists killed in multi-car pile-ups as other criminals find the buttons by the road and start merrily pushing them.

    reply to this | link to this | view in chronology ]

  • icon
    Steve R. (profile), 5 Dec 2016 @ 5:24am

    Every Technological "Solution" has a Counter Measure

    Implement a so-called "backdoor", the "bad" guys simply work around it by invoking their own unbreakable encryption app.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 5 Dec 2016 @ 6:32am

      Re: Every Technological "Solution" has a Counter Measure

      > Implement a so-called "backdoor", the "bad" guys simply work around it by invoking their own unbreakable encryption app.

      Just make it illegal to do so. Problem solved!

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 5 Dec 2016 @ 6:39am

      Re: Every Technological "Solution" has a Counter Measure

      "unbreakable encryption app"

      you forgot the /s

      reply to this | link to this | view in chronology ]

  • icon
    Ninja (profile), 5 Dec 2016 @ 8:52am

    This would be funny if it wasn't tragic. We are lagging behind knowledge so instead of updating it we'll bury our heads in the sand and make everybody except the crooks use pseudo-encryption (with backdoors). Because it will surely solve the problems.

    Except, of course, if the intention is not to deal with the crooks.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Essential Reading
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.