Cybersecurity & Standards, European Policy, Government Surveillance

European Law Enforcement Say Breaking Encryption Disproportionate, Backdoors Dangerous

In an unexpected move, the European Police Office (EUROPOL) and the European Network and Information Security Agency (ENISA) have issued a joint statement setting out their views on encryption and police hacking. The agencies have come out against breaking encryption, which is a welcome development in the heated public debate on privacy and encryption.

The statement, the first joint communication from the agencies responsible for coordinating police and cybersecurity cooperation in Europe, calls on European legislators to clarify the rules around law enforcement access to encrypted communications. It advocates for greater oversight of intrusive powers and calls for police intrusion to be proportionate to the crime being investigated. It also makes clear that breaking ‘cryptographic mechanisms’ is not a proportionate way of accessing the content of a suspect’s communication, recognising that the negative societal consequences of breaking encryption far outweigh the benefits of access to a communication.

The publication comes at a critical moment in both the UK and US encryption debate. As the US considers whether it should adopt the ‘Stopping Mass Hacking Act’ or the widely denounced ‘Compliance with Court Orders Act’, the ‘Investigatory Powers Bill’ looks set to grant the UK government unprecedented power to make companies assist with both hacking and decryption. In both countries, law enforcement agencies have tended to support anti-encryption measures while failing to fully grasp the consequences.

It is significant that the European law enforcement statement takes a different line. It asserts that the growing threat to cybersecurity from organised crime, as well as the threat to privacy from automated data analysis, means that ‘technical protection’ of communications is no longer optional but ‘mandatory’. Backdoors, described in the document as ‘Solutions that intentionally weaken technical protection mechanisms to support law enforcement’, are considered to ‘intrinsically weaken the protection against criminals’ and are not endorsed.

This is a welcome statement as it recognises that police activity should focus on means of gathering information other than attempting to break encryption. However, we do remain concerned that European agencies, although stepping back from attempts to break encryption themselves, still intend to ‘collect and share best practices to circumvent encryption’.