EU: No encryption backdoors but, eh, let's help each other crack that crypto, oui? Ja?
You scratch my PKCS, and I'll scratch yours
The European Commission has proposed that member states help each other break into encrypted devices by sharing expertise around the bloc.
In an attempt to tackle the rise of citizens using encryption and its effects on solving crimes, the commission decided to sidestep the well-worn, and well-ridiculed, path of demanding decryption backdoors in the stuff we all use.
Instead, the plans set out in its antiterrorism measures on Wednesday take a more collegiate approach – by offering member states more support when they actually get their hands on an encrypted device.
“The commission’s position is very clear – we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon,” security commissioner Julian King told a press briefing.
“We’re trying to move beyond a sometimes sterile debate between backdoors or no backdoors, and address some of the concrete law enforcement challenges. For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device.”
WHY can't Silicon Valley create breakable non-breakable encryption, cry US politiciansREAD MORE
How exactly... we don't know. Maybe someone has an RSA-cracking supercomputer up their sleeve they're keeping secret. Maybe someone's particularly good with a soldering iron and can read off keys from extracted flash memory chips.
What we do know is that the thrust of the plan boils down to asking member states to help each other by sharing their knowledge on dealing with encryption and creating a observatory to keep an eye on the latest tricks of the trade.
Share the wealth
“Some member states are more equipped technically to do that [extract information from a seized device] than others,” King said.
“We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer.”
It's possibly hard to fault the idea of sharing expertise – indeed security researchers The Register contacted said it was a sensible suggestion – and the commission is probably by now aware it’s onto a losing bet if it trots out the tired idea of simply banning or scuttling encryption.
Instead, as Alan Woodward, security professor at the University of Surrey, England, put it: “What they can do is try to level the playing field by ensuring that all member states have access the latest tools and techniques that might have help when encryption is encountered.”
But he added: “This doesn’t mean decryption will be any easier than it is at present for the best equipped. As recent experience has shown, some of the commonly used encryption can be remarkably resistant to analysis.”
There is also the question of whether law-enforcement agencies will be happy to share their knowledge.
Thomas Rid, professor of strategic studies at John Hopkins University in the USA, said that, although it was a sensible suggestion, it was possible “the bigger states would be extremely reluctant to share that kind of capability, because it is so fragile.”
Rid added that, overall, “public key encryption is practically saving the internet from itself,” and that it was disappointing for governments to “treat this most crucial technology as a problem.”
Data slurping measures due out next year
Elsewhere in the commission’s antiterror proposals, it confirmed that measures governing access to “electronic evidence” will be published in 2018.
This, said King, would “ensure law enforcement can get access to information, encrypted or not, when it’s held elsewhere – another member state, another jurisdiction, or in the cloud.”
The commission’s Eurospeak-filled proposals also included a smidge more funding for training investigators – a mere €500,000 from the ISF-police fund in 2018 – and support to boost Europe’s decryption capabilities.
These measures were first discussed back in June, and at the time The Reg was told talks had focused on possible “production orders” that would require technology companies based in one member state to hand over data when it is requested by cops in another. A more extreme proposal, that would allow police to copy data directly from the cloud, was also floated.
Another idea was to oblige member states holding information on a terrorist suspect to share that data on Europe’s border intelligence exchange, the Schengen information system.
"I hope that they will agree that this autumn," King told us.
Europe earlier warned that if the world's tech giants did not make enough progress in removing extremist content as soon as possible from the web, the commission had left itself room to legislate against the internet corps – and this will be reviewed at the start of next year. ®