ENISA / Europol almost argue against crypto backdoors
Malware and keyloggers are better, we think they're saying
While the FBI, in the person of James Comey, continues its campaign to persuade the tech sector that mathematics isn't that big a thing and therefore backdoors are feasible, the European Union Agency for Network and Information Security (ENISA) and Europol have tiptoed around the issue, issuing a joint statement that both opposes and supports breaking encryption.
Back in February and speaking for itself alone, ENISA was clear about the dangers of undermining encryption. That makes the nasty, suspicious minds at Vulture South suspect that ENISA's ears are ringing from a telling-off by Europol, leading to a more equivocal public position.
The organisations' new joint statement spends most of its words explaining the already-obvious tension between privacy, technology, and law enforcement.
For example, “proposals to introduce mandatory backdoors or key escrow to weaken encryption” would provide access to messages, the statement says, but “it would also increase the attack surface for malicious abuse”.
Stating what's obvious to everybody except the FBI's lobbyist-in-chief, the statement emphasises that “criminals can easily circumvent such weakened mechanisms and make use of the existing knowledge on cryptography to develop (or buy) their own solutions without backdoors or key escrow”.
“In terms of practical breaks,” the statement continues, “cryptographers are currently miles ahead, which is good news for all the legitimate users who can benefit from the improving protection of their data”.
The statement does offer a concession to law enforcement. Noting that investigations do, after all, go better with access to suspects' communications, ENISA and Europol agree that “For the investigation and disruption of crimes, it is important to use all possible and lawfully permitted means to get access to any relevant information, even if the suspect encrypted it”.
Regulation and bug-sharing seem to be on their minds, although the statement tiptoes around the latter: “it would be worthwhile to collect and share best practices to circumvent encryption already in use in some jurisdictions.
“Investigators would benefit from more explicit and ideally aligned regulation of the lawful online use of privacy-invasive investigative tools and the conditions under which they can be applied.”
In line with existing EU positions on spying on citizens, the statement also notes that governments and the judiciary need to set down “clear policy guidance on the proportionality of the online use of such privacy-invasive investigative tools”.
All of this would seem to be evidence that Europe is moving further away from America in the encryption debate, except that the ENISA/Europol statement indulges in law-enforcement bet-hedging right at the end, by which time only the bloody-minded are still reading.
Here's the important bit:
“When circumvention is not possible yet access to encrypted information is imperative for security and justice, then feasible solutions to decryption without weakening the protective mechanisms must be offered, both in legislation and through continuous technical evolution” (emphasis added).
“For the latter, the fostering of close cooperation with industry partners, as well as the research community with expertise in crypto-analyses for the breaking of encryption where lawfully indicated, is strongly advised.”
There is, the statement asserts, a “workable balance” available with enough R&D and collaboration between EU agencies. ®