11 December 2020
Security Through Encryption And Security Despite Encryption
Recently, a planned resolution by the Council of the European Union entitled "Security through encryption and security despite encryption" was leaked through various media.
The resolution acknowledges the security benefits of strong cryptography, yet it also states that:
… law enforcement is increasingly dependent on access to electronic evidence to effectively fight terrorism, organised crime, child sexual abuse.
In order to support law enforcement agencies, the resolution asks for “lawful and targeted” access to encrypted data through competent authorities.
In response to this resolution, the academic community has drafted an open letter to the EU institutions. The challenges of law enforcement agencies are indisputable. However, while not explicitly asking for encryption ‘backdoors’, the Council’s resolution suggests a “middle ground” of sufficiently secure cryptography, while still giving competent authorities access to encrypted data. The signatories to the letter explain that such a middle ground does not exist today – and most likely cannot exist. Any attempt to weaken encryption or to introduce other means for digital surveillance introduces a wide variety of risks, ranging from technical weaknesses in implementations all the way to potential violations of fundamental freedom rights.
The authors of the letter conclude by proposing a roadmap towards better capacity building for evidence in information and communication networks. They suggest an honest and open-minded dialogue between policy makers, law enforcement agencies, and academic experts from all affected fields (e.g., cryptography, digital forensics, fundamental rights, ethics, or procedural law), in order to avoid negative impacts of any deployed solution on cybersecurity in general as well as on society as a whole.
At this point (11 December), more than 190 experts from various fields – cryptography, IT security, law, DPAs, etc. – have signed the letter.
For many years, the European Union has been a pioneer of strong cybersecurity, fundamental human rights, and data protection. This position could be put at risk by premature decisions, made without broader consideration of all the consequences, to counter digital crimes.
The four pilot projects – CONCORDIA, CyberSec4Europe, ECHO and SPARTA – represent an embryonic European cybersecurity competence network of multi-disciplinary research experts. This expertise could be tapped to obtain first inputs and to develop a way forward, in order to find the optimal balance between the needs of law enforcement and the security and fundamental rights of all European citizens.
Stephan Krenn, AIT