Tackling encryption: law enforcement agencies favour practical, effective solutions for access rather than new legal powers?

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

- In answer to a Questionnaire Member States' responses showed: "the need for practically orientated measures prevailed over the need for adoption of new legislation on EU level."

 

The Council of the European Union is considering ways for law enforcement agencies to get access to encrypted messages. There are different laws and practices in Member States and it appears that a majority of them favour the better exchange of knowledge and practices to get access rather than a harmonised EU law. Many national laws prescribe that: "a prior judicial order is often required."

 

The Questionnaire

In September 2016 the Council Presidency circulated to Member State the following: Encryption of data - Questionnaire (LIMITE doc no: 12368-16, pdf):

"Over lunch during the informal meeting of the Justice Ministers (Bratislava, 8 July 2016) the issue of encryption was discussed in the context of the fight against crime. Apart from an exchange on the national approaches, and the possible benefits of an EU or even global approach, the challenges which encryption poses to criminal proceedings were also debated. The Member States' positions varied mostly between those which have recently suffered terrorist attacks and those which have not. In general, the existence of problems stemming from data/device encryption was recognised as well as the need for further discussion.

To prepare the follow-up in line with the Justice Ministers' discussion, the Presidency has prepared a questionnaire to map the situation and identify the obstacles faced by law enforcement authorities when gathering or securing encrypted e-evidence for the purposes of criminal proceedings." [emphasis added]

A number of questions to Member States concern whether judicial authorities have to agree access including:

"Under your national law, is there an obligation for the suspects or accused, or persons who are in possession of a device/e-data relevant for the criminal proceedings, or any other person to provide law enforcement authorities with encryption keys/passwords? If so, is a judicial order (from a prosecutor or a judge) required? Please provide the text of the relevant provisions of your national law." [emphasis added]

The response of Member States

Member States responses to the Questionnaire is not available but the Council Presidency has circulated a summary and made recommendations in: LIMITE doc no: 13434-16 (pdf:

"Delegations will find in annex a discussion paper to facilitate the debate on the issues related to encryption following the answers to the questionnaire provided by Member-States."

The need for secure and safe communications in everyday life is seen as a fundamental right so:

"The e-Privacy Directive... encourages the use of encryption technologies to protect users' communications. However, the opportunities offered by the encryption technologies are also exploited by criminals in order to hide their data and potential evidence, protect their communications and mystify their financial transactions."

And:

"The use of encryption deprives law enforcement of crucial evidential opportunities, especially given the fact that it is no longer restricted to desktop computers but increasingly available on mobile devices and many commercially available communication platforms have now encryption by - default (increasingly by way of end-to-end encryption leading to situations where services are not interceptable)." [emphasis added, here and below]

And:

"neither the suspect, nor the accused who is in possession of a digital device/electronic data are under the legal obligationto provide to the law enforcement authorities the encryption keys/passwords, in most cases due to the right against self-incrimination.....

service providers are obliged according to national law to provide law enforcement authorities with encryption keys/passwords; a judicial order is not always required. However...

interception/monitoring of encrypted data flows is possible under certain conditions prescribed in the national law with the aim of obtaining decrypted data; a prior judicial order is often required...."

Lack of technical capacity, finance and training

Among top 3 "challenges" emerging from the questionnaire is the:

"the lack of sufficient technical capacity both in terms of efficient technical solutions to decrypt and respective equipment is among the top 3 challenges, followed by the lack of sufficient financial resources and personal capacity (both in terms of numbers and training of staff)."

And the conclusion drawn from the questionnaire is:

"the need for practically orientated measures prevailed over the need for adoption of new legislation on EU level."

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error