They say that only two things are certain in life: death and taxes. But here on Techdirt, we have a third certainty: that governments around the world will always seek ways of gaining access to encrypted communications, because they claim that things are "going dark" for them. In the US and elsewhere, the most requested way of doing that is by inserting backdoors into encryption systems. As everyone except certain government officials know, that’s a really bad idea. So it’s interesting to read a detailed and fascinating report by Matthias Monroy on how the EU has been approaching this problem without asking for backdoors -- so far. The European Commission has been just as vocal as the authorities in other parts of the world in calling for law enforcement to have access to encrypted communications for the purpose of combating crime. But EU countries such as Germany, Finland and Croatia have said they are against prohibiting, limiting or weakening encrypted connections. Because of the way the EU works, that means the region as a whole needs to adopt other methods of gaining access. Monroy explains that the EU is pinning its hopes on its regional police organization:
At EU level, Europol is responsible for reading encrypted communications and storage media. The police agency has set up a "decryption platform" for that. According to Europol’s annual report for 2018, a "decryption expert" works there, from whom the competent authorities of the Member States can obtain assistance. The unit is based at the European Centre for Cybercrime (EC3) at Europol in The Hague and received five million euros two years ago for the procurement of appropriate tools.
The Europol group uses the open source password recovery software Hashcat in order to guess passwords used for content and storage media. According to Monroy, the "decryption platform" has managed to obtain passwords for 32 cases out of 91 where it the authorities needed access to an encrypted device or file. A 39% success rate is not too shabby, depending on how strong the passwords were. But the EU wants to do better, and has decided one way to do that is to throw even more number-crunching power at the problem: in the future, supercomputers will be used. Europol is organizing training courses to help investigators gain access to encrypted materials using Hashcat. Another "decryption expert group" has been given the job of coming up with new technical and legal options. Unfortunately, the approaches under consideration are little more than plans to bully Internet companies into doing the dirty work:
Internet service providers such as Google, Facebook and Microsoft are to create opportunities to read end-to-end encrypted communications. If criminal content is found, it should be reported to the relevant law enforcement authorities. To this end, the Commission has initiated an "expert process" with the companies in the framework of the EU Internet Forum, which is to make proposals in a study.
This process could later result in a regulation or directive that would force companies to cooperate.
There’s no way to "create opportunities" to read end-to-end encrypted communications without weakening the latter. If threats from the EU and elsewhere force major Internet services to take this step, people will just start using open source solutions that are not controlled by any company. As Techdirt has noted, there are far better ways to gain access to encrypted communications -- ones that don’t involve undermining them.
Our IP Address: