After three years of development, a decryption unit has officially started work at Europol. Criticism of the EU's course on encryption is growing.
In a virtual ceremony this week, high-ranking representatives from Europol, the EU Parliament, the Council of Ministers, and the Commission inaugurated a European decryption platform that has been promoted for three years. According to official information, the facility is intended to significantly improve Europol’s ability to decipher information lawfully obtained during criminal investigations.
“Encryption will not be restricted or weakened.”
Europol celebrates the move as “a milestone in the fight against organized crime and terrorism in Europe.” With “full respect for fundamental rights,” this initiative will be available to the national law enforcement authorities of all Member States “to ensure the safety of societies and citizens.”
The investigators vowed that encryption itself will not be restricted or weakened. What remains, then, is cracking or bypassing it. On Friday, Europol did not respond to a question about the proposed methods. The federal government revealed in the spring that, among other things, the agency’s employees were already experimenting with an instrument for a “context-based approach to targeted decryption.” It is a software-supported process that runs on the platform's hardware.
Search for state trojans
Between 2017 and 2019, the Federal Criminal Police Office (BKA) turned to the European police authority in six cases with relevant “decryption orders.” The success rate of the approach, whose workings are not described in detail, was mixed. “In two cases, the access restrictions could be overcome,” the government said. Europol had not yet commented on one case.
It is also known that Europol has been looking for state trojan software for some time in order to be able to listen in on encrypted messenger services such as WhatsApp, Signal, or Threema as well as Internet calls. The Commission recently had solutions for plain-text access to messages, such as hash matching, sounded out, also with the help of Europol, but IT security experts have so far considered them unsuitable.
Evidence sent to Europol for decryption
The platform is operated by Europol’s European Cybercrime Center (EC3). It should “use its in-house expertise” to effectively support the federal investigations. The EC3 focuses on cybercrime committed by organized groups that generate high profits through online fraud, severely harm victims, for example, through child sexual exploitation, or affect critical infrastructures and IT systems in the EU.
“The national police forces can now send legally obtained evidence to Europol for decryption,” said EU Interior Commissioner Ylva Johansson, welcoming the official launch of the platform. This is particularly important in the fight against the sexual abuse of children. The police authority developed the facility in close collaboration with the Commission’s Joint Research Center (JRC). The money comes from the EU.
At the end of 2017, the Council approved the Commission’s plan to set up a decryption initiative at EC3, initially with 86 new employees, based on the model of the German Central Office for Information Technology in the Security Sector (Zitis). In 2018, following the start-up funding, the EU again approved five million euros to improve Europol’s ability to read encrypted content.
It was only on Monday that the EU countries had adopted a controversial declaration on “security through encryption and security despite encryption.” They are pushing for a form of exceptional access to encrypted data in plain text for security authorities. This idea was mainly propagated by secret services such as the NSA and the GCHQ via the so-called Five Eyes alliance and the FBI in the ongoing Crypto Wars. It is not meant to create fundamental security flaws for all other users of a service or technology. Technicians consider such a “magical solution” to be a fairy tale, as there is no such thing as “a little bit encrypted”.
“Criminalizing Effective End-to-End Encryption”
Criticism of this line continues. “Back doors, master keys, and similar instruments are the only conceivable technical implementations of the required ‘lawful access’,” complains the New Judges Association. Such measures would not only categorically invalidate end-to-end encryption for everyone who depends on it, such as journalists, activists, lawyers, whistleblowers, and companies. Furthermore, they are “also completely unsuitable for promoting the intended fight against crime”.
To this day, domestic and security policy have failed to provide evidence “that the lack of monitoring of encrypted individual communication would actually be a relevant obstacle to the detection of serious crimes,” says the judges’ alliance. The project now amounts to the “abolition or even criminalization of effective end-to-end encryption”. The Commission must therefore take a clear position against the Council’s demands.