Encryption Survey Indicates Law Enforcement Feels It's Behind The Tech Curve; Is Willing To Create Backdoors To Catch Up

from the trading-brute-force-for-extra-keys dept

Mon, Dec 5th 2016 3:26am — Tim Cushing

To get a general feel for European law enforcement encryption sentiment (so to speak), the European Union sent questionnaires to member countries, asking for details on what forms of encryption are encountered most frequently and what these agencies feel would be the best approach to tackling encrypted data going forward.

Surprisingly, the EU received several responses and most have been published in full. (The list of PDFs/HTML versions can be found near the bottom of this page.) They were issued in response to a public records request by Rejo Zenger of Dutch digital rights group, Bits of Freedom.

Security researcher Lukasz Olejnik went through the posted documents to find the highlights/lowlights of the submissions. Several countries responded to the EU's questionnaire, but only twelve of those made their answers public. (And, in the case of the UK and the Czech Republic, some answers were redacted.)

Most responding agencies in most countries are running into the same encryption issues.

Countries point to difficulty of tackling encrypted data, in particular: encrypted data at rest (using solutions such as TrueCrypt),encrypted data in transit (e.g. SSH, HTTPS, Tor), use of instant messengers such as Skype, WhatsApp, etc., and encrypted mobile devices

Countries disclose they lack resources such as technology, money or personnel, to effectively fight cybercrime

But not every country treats encryption "problems" the same way. A few didn't consider HTTPS to be an encryption form worth noting, perhaps because it doesn't cover the sort of data or communications they frequently target.

Others, like agencies in Italy (in an ALL CAPS reply), aren't so much worried about encrypted data in transit as much as they are worried about very specific data at rest, located in very specific consumer devices.

AS FOR OFFLINE ENCRYPTION, ONE MAIN PROBLEM IS WITH ONE OF THE MAJOR DEVICES COMPANY.

Hmm. I wonder which "major devices company" that would be? It seems this same "devices company" also thwarts law enforcement's wiretap efforts...

THERE ARE DIFFERENT TECNIQUE ADOPTED CASE BY CASE IN ORDER THE TRY TO DECRYPT THE INTERCEPTED DATA. ALSO USING THIRD PARTIES (PRIVATE INDUSTRIES/COMPANIES) RESOURCES.

IN ADDITION THE MAIN IUSSES OFTEN CONCERN THE DIFFICULTY IN REMOTELY INSTALLING THE “WIRETAP TROJAN” ONTO SUSPECTS’ DEVICE, ESPECIALLY WITH REGARD TO ONE OF THE MAJOR BRAND.

...aaaand forensics efforts.

THE MAIN IUSSES RESULT FROM THE TECHNICAL IMPOSSIBILITY OF DECRYPTING ONE OF THE MAJOR BRAND’S DEVICES.

There seems to be no consensus on mandated encryption backdoors, but there are more than a few countries leaning that way. Estonia believes the problem is of a "technical nature," rather than one that should be solved through mandated backdoors. Belgium's submission flat-out states the country isn't interested in seeking mandated backdoors.

A regulation to prohibit or to weaken encryption for telecommunication and digital services has to be ruled out, in order to protect privacy and business secrets.

On the other end of the spectrum, Poland openly calls for deliberately weakened/compromised encryption.

One of the most crucial aspect will be adopting new legislation that allows for acquisition of data stored in EU countries “in the cloud” without need to apply for MLAT. There is also need to encourage software/hardware manufactures to put some kind “backdoors” for LEA or to use only relatively weak cryptographic algorithms.

The call for backdoors is echoed by Latvia and Italy.

In between, there are several countries that allude vaguely to working in conjunction with tech companies to find some sort of balance between user security and law enforcement's desires. (Then there's Italy, which mostly seems interested in seeing Apple devices wiped from the face of the earth.)

There are almost as many approaches as there are responding countries. We can only speculate on the contents and assertions made by countries that have refused to release their answers for "national security" reasons, but one would expect those with the most to "hide" would be more likely to expect citizens to give up their security for the good of the nation.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: backdoors, encryption, going dark, law enforcement

18 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Padpaw (profile), 5 Dec 2016 @ 3:35am

They could always follow America's example and pass their own laws allowing their law enforcement to "legally" hack into computers domestic and foreign.
[ link to this | view in chronology ]
Lord Lidl of Cheem (profile), 5 Dec 2016 @ 3:44am

Or just go the all-in UK style, and mandate backdoors...
[ link to this | view in chronology ]
- minidor, 5 Dec 2016 @ 6:57am
  
  Re:
  What about the ones that simply won't introduce backdoors. I'm pretty sure messengers that focus on security (like Signal and Threema) won't do it. Do they try to block those?
  [ link to this | view in chronology ]
  - Anonymous Coward, 5 Dec 2016 @ 7:31am
    
    Re: Re:
    depends on where they physically are? If they are within the borders of the EU, they may become CELL blocked if they do not comply.
    [ link to this | view in chronology ]
Anonymous Coward, 5 Dec 2016 @ 4:49am

I'm not sure if they know this but: YOU EITHER HAVE STRONG SECURITY OR YOU DON'T.

There can be no half-measures because if there's a hole in the encryption for government use then it will be found and will be used by malicious hackers and state-sponsored agents.

But instead of being smart some countries would apparently rather break and compromise security measures.
[ link to this | view in chronology ]
- Chris-Mouse (profile), 5 Dec 2016 @ 6:12am
  
  Re:
  At least one branch of the US government already has first hand experience with this problem. The Government response is that they simply don't care.
  https://www.techdirt.com/articles/20150917/10383032284/why-backdoors-always-suck-tsa-travel-loc ks-were-hacked-tsa-doesnt-care.shtml
  
  I'd be willing to bet that any laws mandating backdoors in encryption will have exemptions for law enforcement and government, so they won't be bothered a bit if the key to the backdoor is leaked.
  [ link to this | view in chronology ]
- Oninoshiko (profile), 5 Dec 2016 @ 9:30am
  
  Re:
  I nominate you to write these things for Italy, You've already got use of the caps lock key down!
  
  (seriously though, I do agree that there is no middle ground here.)
  [ link to this | view in chronology ]
- That One Guy (profile), 5 Dec 2016 @ 1:08pm
  
  Re:
  Whether they know it or not doesn't ultimately matter because they simply don't care. 'Bad people' are using encryption to hide from the 'good guys', therefore encryption needs to be crippled.
  
  That this will result in an increase in crime to absolutely dwarf what was happening before isn't something they concern themselves, because they can simply blame the tech companies for not nerding hard enough and letting the bad guys through.
  [ link to this | view in chronology ]
  - Anonymous Coward, 5 Dec 2016 @ 1:53pm
    
    Re: Re:
    'Bad people' are using window blinds to hide from the 'good guys', therefore window blinds need to be transparent.
    [ link to this | view in chronology ]
Anonymous Coward, 5 Dec 2016 @ 5:08am

"Law Enforcement Feels It's Behind The Tech Curve; Is Willing To Create Backdoors To Catch Up"

Problem is, they will "never catch" up because why bother?
Also, what do they think catching up means?
[ link to this | view in chronology ]
Anonymous Coward, 5 Dec 2016 @ 5:13am

let them eat backdoors.
[ link to this | view in chronology ]
Not an Electronic Rodent (profile), 5 Dec 2016 @ 5:19am

An analogy, you say? Certainly Sir, fresh analogy coming right up!
Law enforcement insists their cars aren't fast enough to catch criminals and insists that all car manufacturers fit devices to blow all four wheels off the vehicle when activated by secret road-side buttons.

Road safety advocates point out the obvious danger of wheels being able to come off cars so easily and the danger of having buttons that might be found to do it.

Law enforcement scoffs at the privacy advocates, calls them all terrorists and fits the buttons anyway.

Almost instantly, most criminals start driving foreign cars that haven't had the explosive wheels fitted. Law enforcement kills several motorists in error while catching a handful of criminals. Many other motorists killed in multi-car pile-ups as other criminals find the buttons by the road and start merrily pushing them.
[ link to this | view in chronology ]
- Anonymous Coward, 5 Dec 2016 @ 5:34am
  
  Re: An analogy, you say? Certainly Sir, fresh analogy coming right up!
  
  and insists that all car manufacturers fit devices to blow all four wheels off the vehicle when activated by secret road-side buttons.
  
  That is almost possible today, BMW traps alleged thief by remotely locking him in car
  [ link to this | view in chronology ]
  - Not an Electronic Rodent (profile), 5 Dec 2016 @ 5:56am
    
    Re: Re: An analogy, you say? Certainly Sir, fresh analogy coming right up!
    
    That is almost possible today, BMW traps alleged thief by remotely locking him in car
    
    Yeah, sadly too easy with modern cars, and it's going really well so far!
    [ link to this | view in chronology ]
Steve R. (profile), 5 Dec 2016 @ 5:24am

Every Technological "Solution" has a Counter Measure
Implement a so-called "backdoor", the "bad" guys simply work around it by invoking their own unbreakable encryption app.
[ link to this | view in chronology ]
- Anonymous Coward, 5 Dec 2016 @ 6:32am
  
  Re: Every Technological "Solution" has a Counter Measure
  > Implement a so-called "backdoor", the "bad" guys simply work around it by invoking their own unbreakable encryption app.
  
  Just make it illegal to do so. Problem solved!
  [ link to this | view in chronology ]
- Anonymous Coward, 5 Dec 2016 @ 6:39am
  
  Re: Every Technological "Solution" has a Counter Measure
  "unbreakable encryption app"
  
  you forgot the /s
  [ link to this | view in chronology ]
Ninja (profile), 5 Dec 2016 @ 8:52am

This would be funny if it wasn't tragic. We are lagging behind knowledge so instead of updating it we'll bury our heads in the sand and make everybody except the crooks use pseudo-encryption (with backdoors). Because it will surely solve the problems.

Except, of course, if the intention is not to deal with the crooks.
[ link to this | view in chronology ]