Encryption Survey Indicates Law Enforcement Feels It's Behind The Tech Curve; Is Willing To Create Backdoors To Catch Up
from the trading-brute-force-for-extra-keys dept
To get a general feel for European law enforcement encryption sentiment (so to speak), the European Union sent questionnaires to member countries, asking for details on what forms of encryption are encountered most frequently and what these agencies feel would be the best approach to tackling encrypted data going forward.
Surprisingly, the EU received several responses and most have been published in full. (The list of PDFs/HTML versions can be found near the bottom of this page.) They were issued in response to a public records request by Rejo Zenger of Dutch digital rights group, Bits of Freedom.
Security researcher Lukasz Olejnik went through the posted documents to find the highlights/lowlights of the submissions. Several countries responded to the EU's questionnaire, but only twelve of those made their answers public. (And, in the case of the UK and the Czech Republic, some answers were redacted.)
Most responding agencies in most countries are running into the same encryption issues.
Countries point to difficulty of tackling encrypted data, in particular: encrypted data at rest (using solutions such as TrueCrypt),encrypted data in transit (e.g. SSH, HTTPS, Tor), use of instant messengers such as Skype, WhatsApp, etc., and encrypted mobile devices
Countries disclose they lack resources such as technology, money or personnel, to effectively fight cybercrime
But not every country treats encryption "problems" the same way. A few didn't consider HTTPS to be an encryption form worth noting, perhaps because it doesn't cover the sort of data or communications they frequently target.
Others, like agencies in Italy (in an ALL CAPS reply), aren't so much worried about encrypted data in transit as much as they are worried about very specific data at rest, located in very specific consumer devices.
AS FOR OFFLINE ENCRYPTION, ONE MAIN PROBLEM IS WITH ONE OF THE MAJOR DEVICES COMPANY.
Hmm. I wonder which "major devices company" that would be? It seems this same "devices company" also thwarts law enforcement's wiretap efforts...
THERE ARE DIFFERENT TECNIQUE ADOPTED CASE BY CASE IN ORDER THE TRY TO DECRYPT THE INTERCEPTED DATA. ALSO USING THIRD PARTIES (PRIVATE INDUSTRIES/COMPANIES) RESOURCES.
IN ADDITION THE MAIN IUSSES OFTEN CONCERN THE DIFFICULTY IN REMOTELY INSTALLING THE “WIRETAP TROJAN” ONTO SUSPECTS’ DEVICE, ESPECIALLY WITH REGARD TO ONE OF THE MAJOR BRAND.
...aaaand forensics efforts.
THE MAIN IUSSES RESULT FROM THE TECHNICAL IMPOSSIBILITY OF DECRYPTING ONE OF THE MAJOR BRAND’S DEVICES.
There seems to be no consensus on mandated encryption backdoors, but there are more than a few countries leaning that way. Estonia believes the problem is of a "technical nature," rather than one that should be solved through mandated backdoors. Belgium's submission flat-out states the country isn't interested in seeking mandated backdoors.
A regulation to prohibit or to weaken encryption for telecommunication and digital services has to be ruled out, in order to protect privacy and business secrets.
On the other end of the spectrum, Poland openly calls for deliberately weakened/compromised encryption.
One of the most crucial aspect will be adopting new legislation that allows for acquisition of data stored in EU countries “in the cloud” without need to apply for MLAT. There is also need to encourage software/hardware manufactures to put some kind “backdoors” for LEA or to use only relatively weak cryptographic algorithms.
The call for backdoors is echoed by Latvia and Italy.
In between, there are several countries that allude vaguely to working in conjunction with tech companies to find some sort of balance between user security and law enforcement's desires. (Then there's Italy, which mostly seems interested in seeing Apple devices wiped from the face of the earth.)
There are almost as many approaches as there are responding countries. We can only speculate on the contents and assertions made by countries that have refused to release their answers for "national security" reasons, but one would expect those with the most to "hide" would be more likely to expect citizens to give up their security for the good of the nation.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: backdoors, encryption, going dark, law enforcement
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
[ link to this | view in thread ]
There can be no half-measures because if there's a hole in the encryption for government use then it will be found and will be used by malicious hackers and state-sponsored agents.
But instead of being smart some countries would apparently rather break and compromise security measures.
[ link to this | view in thread ]
Problem is, they will "never catch" up because why bother?
Also, what do they think catching up means?
[ link to this | view in thread ]
[ link to this | view in thread ]
An analogy, you say? Certainly Sir, fresh analogy coming right up!
Road safety advocates point out the obvious danger of wheels being able to come off cars so easily and the danger of having buttons that might be found to do it.
Law enforcement scoffs at the privacy advocates, calls them all terrorists and fits the buttons anyway.
Almost instantly, most criminals start driving foreign cars that haven't had the explosive wheels fitted. Law enforcement kills several motorists in error while catching a handful of criminals. Many other motorists killed in multi-car pile-ups as other criminals find the buttons by the road and start merrily pushing them.
[ link to this | view in thread ]
Every Technological "Solution" has a Counter Measure
[ link to this | view in thread ]
Re: An analogy, you say? Certainly Sir, fresh analogy coming right up!
That is almost possible today, BMW traps alleged thief by remotely locking him in car
[ link to this | view in thread ]
Re: Re: An analogy, you say? Certainly Sir, fresh analogy coming right up!
Yeah, sadly too easy with modern cars, and it's going really well so far!
[ link to this | view in thread ]
Re:
https://www.techdirt.com/articles/20150917/10383032284/why-backdoors-always-suck-tsa-travel-loc ks-were-hacked-tsa-doesnt-care.shtml
I'd be willing to bet that any laws mandating backdoors in encryption will have exemptions for law enforcement and government, so they won't be bothered a bit if the key to the backdoor is leaked.
[ link to this | view in thread ]
Re: Every Technological "Solution" has a Counter Measure
Just make it illegal to do so. Problem solved!
[ link to this | view in thread ]
Re: Every Technological "Solution" has a Counter Measure
you forgot the /s
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Except, of course, if the intention is not to deal with the crooks.
[ link to this | view in thread ]
Re:
(seriously though, I do agree that there is no middle ground here.)
[ link to this | view in thread ]
Re:
Whether they know it or not doesn't ultimately matter because they simply don't care. 'Bad people' are using encryption to hide from the 'good guys', therefore encryption needs to be crippled.
That this will result in an increase in crime to absolutely dwarf what was happening before isn't something they concern themselves, because they can simply blame the tech companies for not nerding hard enough and letting the bad guys through.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]