The two major international security agencies in Europe agree that building backdoors into encryption platforms is not the best way to secure systems because of the collateral damage it would do to privacy and the security of communications.
“While this would give investigators lawful access in the event of serious crimes or terrorist threats, it would also increase the attack surface for malicious abuse, which, consequently, would have much wider implications for society,” says a joint statement by the European Police Office (Europol) and the European Network and Information Security Agency (ENISA), which focuses on cyber security.
In contrast to the U.S. Department of Justice and FBI Director James Comey, the European agencies support a balance between privacy and security concerns.
Comey says he wants providers of encryption products and services to be able to fulfill court orders to provide plaintext of encrypted communications. He doesn’t go into how that might be done, and says he’s not asking for backdoors. But backdoors that also represent a weakening of encryption systems are the only known way to do what he wants.
Europol and ENISA call for carefully worded legislation that addresses the issue by balancing the severity of the crime being investigated against the allowable intrusiveness of the investigative methods.
“Legislation must explicitly stipulate the conditions under which law enforcement can operate. Here, we want to stress the importance of proportionality for the use of intrusive investigative tools,” the statement says. “This requires that the intrusive effect of the investigative measure is proportionate to the crime that was committed. It also requires the selection of the least intrusive measure to achieve the investigative objective.”
The groups also advocate using alternative means for gathering the same information that they might glean using decryption. “This creates opportunities for alternatives such as undercover operations, infiltration into criminal groups, and getting access to the communication devices beyond the point of encryption, for instance by means of live forensics on seized devices or by lawful interception on those devices while still used by suspects,” the statement says.
These alternative methods are technically available now, but the groups call for legislation to formalize their use and spell out privacy safeguards.
They say that encryption backdoors would give investigators a powerful tool, but would also give criminals a bigger attack surface to work against when attacking traffic that was encrypted for legal purposes. “Moreover, criminals can easily circumvent such weakened mechanisms and make use of the existing knowledge on cryptography to develop (or buy) their own solutions without backdoors or key escrow,” they say. In other words, criminals would switch to encryption platforms that don’t have backdoors.
A study of encryption platforms worldwide earlier this year concurred. “The smart criminals that any mandatory backdoors are supposed to catch – terrorists, organized crime and so on – will easily be able to evade those backdoors,” according to “A Worldwide Survey of Encryption Products” written by Bruce Schneier of Harvard’s Berkman Center for Internet and Society, independent security researcher Kathleen Seidel, and Saranya Vijayakumar, a Harvard student.
Still, the European agencies want a way to decrypt any communication and hold out hope that technologists will come up with a way to do that without making the crypto systems easier to attack.