Euro agencies on encryption backdoors: Create 'decryption without weakening'

Police, cyber security groups seek legislation that balances law enforcement and privacy needs

The two major international security agencies in Europe agree that building backdoors into encryption platforms is not the best way to secure systems because of the collateral damage it would do to privacy and the security of communications.

“While this would give investigators lawful access in the event of serious crimes or terrorist threats, it would also increase the attack surface for malicious abuse, which, consequently, would have much wider implications for society,” says a joint statement by the European Police Office (Europol) and the European Network and Information Security Agency (ENISA), which focuses on cyber security.

In contrast to the U.S. Department of Justice and FBI Director James Comey, the European agencies support a balance between privacy and security concerns.

Comey says he wants providers of encryption products and services to be able to fulfill court orders to provide plaintext of encrypted communications. He doesn’t go into how that might be done, and says he’s not asking for backdoors. But backdoors that also represent a weakening of encryption systems are the only known way to do what he wants.

Europol and ENISA call for carefully worded legislation to address the issue that balances the severity of the crime being investigated with the allowable intrusiveness of the investigative methods.

“Legislation must explicitly stipulate the conditions under which law enforcement can operate. Here, we want to stress the importance of proportionality for the use of intrusive investigative tools,” the statement says. “This requires that the intrusive effect of the investigative measure is proportionate to the crime that was committed. It also requires the selection of the least intrusive measure to achieve the investigative objective.”

The groups also advocate using alternative means for gathering the same information that they might glean using decryption. “This creates opportunities for alternatives such as undercover operations, infiltration into criminal groups, and getting access to the communication devices beyond the point of encryption, for instance by means of live forensics on seized devices or by lawful interception on those devices while still used by suspects,” the statement says.

These alternative methods are technically available now, but the groups call for legislation to formalize their use and spell out privacy safeguards.

They say that encryption backdoors would give investigators a powerful tool, but they would also give criminals a bigger attack surface to work against when attacking traffic that was encrypted for lawful purposes. “Moreover, criminals can easily circumvent such weakened mechanisms and make use of the existing knowledge on cryptography to develop (or buy) their own solutions without backdoors or key escrow,” they say. In other words, criminals would switch to encryption platforms that don’t have backdoors.

A study of encryption platforms worldwide earlier this year concurred. “The smart criminals that any mandatory backdoors are supposed to catch – terrorists, organized crime and so on – will easily be able to evade those backdoors,” according to “A Worldwide Survey of Encryption Products” written by Bruce Schneier of Harvard’s Berkman Center for Internet and Society, independent security researcher Kathleen Seidel, and Saranya Vijayakumar, a Harvard student.

Still, the European agencies want a way to decrypt any communication and hold out hope that technologists will come up with a way to do that without making the crypto systems easier to attack.

Stories by Tim Greene