On both sides of Atlantic the debate around strong cryptography frequently resurfaces.
Proponents of weakening cryptography or introduction of backdoors (or "golden keys") cite national security. Technologists and activists oppose such proposals, citing freedoms and cybersecurity.
Regulating cryptography is of course a bad idea. It's true that cryptography can be an obstacle for collecting digital evidence. Generally, that's one of the aims of cryptographic methods: make it difficult to obtain plain-text data. It can be used for the good, as well as for the bad, as with many other tools or technologies.
But it's unclear if policy makers can achieve reasonable regulatory frameworks. And the stakes are high. Weakening cryptography would ultimately lead to far reaching negative impact on digital markets, society, trust, cybersecurity and privacy.
Intentional weakening of cryptography and security solutions - whether by requiring weaker algorithms or key sizes, or introducing backdoors - in order to make life easier for local law enforcement agencies means that criminals and foreign powers will also benefit from those measures.
Good cryptography is strong cryptography.
The discussion apparently has now reached the European Union. It's being debated during high-profile meetings, and by influential figures. Fortunately, the process turns out to be transparent almost from the beginning.
Recently, European Union has conducted a dedicated questionnaire on the Encryption of Data - in order to understand how much trouble cryptography and encryption - causes to national law enforcement agencies. And it turned out answers to this questionnaire are fascinating!
Thanks to Bits of Freedom, those answers
are now public. That's called transparency.
First some numbers.
- 11 EU countries (Denmark, Germany, Estonia, Croatia, Hungary, Italy, Latvia, Poland, Finland, Sweden and the United Kingdom) have agreed to fully disclose their replies
- Czech Republic (and United Kingdom, as it turns out later) restricted some of the answers, citing national security reasons
- Belgium, Bulgaria, Spain, Malta, Portugal and France refused to disclose their answers, citing national security reasons
- Consultations with other Member States is still ongoing.
Details of the questionnaire answers
Let's say it upfront, some answers apparently disclose sensitive material (whether technical or policy-wise). I'll write down the more interesting tidbits, and follow that with more detailed write-up below
- Countries point to difficulty of tackling encrypted data, in particular: encrypted data at rest (using solutions such as TrueCrypt),encrypted data in transit (e.g. SSH, HTTPS, Tor), use of instant messengers such as Skype, WhatsApp, etc., and encrypted mobile devices
- Countries disclose they lack resources such as technology, money or personnel, to effectively fight cybercrime
- Countries disclose some operational measures, in particular the used software, hardware, help of third-party companies
- Italy provides an answer in Caps Lock
It's also interesting to see, that replies of some countries (e.g. Czech Republic, Hungary) indicate that law enforcement agencies rarely encounter encrypted data, while United Kingdom provides a more unambiguous response: almost always.
UK says that Brute-force attacks are done with custom dictionaries to break some encryption measures.
On operational layer, how does Sweden break encryption and passwords? They just ask questions to suspects. This is often a challenge because suspects might not disclose their passwords ("Sometimes this information can be obtained during interviews with the suspect, sometimes not").
Italy provides an all-Caps-Lock answer, where it's confirmed that cryptography remains a challenge:
IN MANY CASE, SIZED COMPUTER OR MEDIA WERE ENCRYPTED BY THE CRIMINALS DUE TO MAKE DATA PROTECTED AND UNAVAIBLE TO FORENSICS ACTIVITY
MANY ONLINE SERVICES (90%) ARE NOW AVAILABLE ON HTTPS PROTOCOL,
DEVICE HAVE NATIVE ENCRYPTED APPLICATIONS.
AS FOR ONLINE ENCRYPTION, ONE MAIN PROBLEM IS THE LACK OF
TRACEABILITY OF TOR CONNECTIONS AND BITCOIN TRANSACTIONS. AS FOR
OFFLINE ENCRYPTION, ONE MAIN PROBLEM IS WITH ONE OF THE MAJOR DEVICES COMPANY.
Sounds like Italy has problems with unlocking/decrypting iPhones, tracing Tor connections, and the fact that Internet is made much safer due to the wide adoption of HTTPS. I'm not sure about the number (90%) but I am happy that HTTPS is in wide use.
Italy discloses even more:
THERE ARE DIFFERENT TECNIQUE ADOPTED CASE BY CASE IN ORDER THE TRY TO
DECRYPT THE INTERCEPTED DATA. ALSO USING THIRD PARTIES (PRIVATE
IN ADDITION THE MAIN IUSSES OFTEN CONCERN THE DIFFICULTY IN REMOTELY
INSTALLING THE “WIRETAP TROJAN” ONTO SUSPECTS’ DEVICE, ESPECIALLY WITH
REGARD TO ONE OF THE MAJOR BRAND.
It seems Italy:
- Uses third-party companies for help with seized data/devices
- Installs wiretap instrumentation/software on remote devices (except iPhones, where it continues to be difficult)
FORENSICS ANALISYS OFTEN REVEAL THAT ENCRYPTED DATA CONTAIN FINACIAL
AND PERSONAL DATA. ALSO ANY OTHER KIND OF INFORMATION WERE FOUND IN SIZED ENCRYPTED
DATA. THE MAIN IUSSES RESULT FROM THE TECHNICAL IMPOSSIBILITY OF DECRYPTING
ONE OF THE MAJOR BRAND’S DEVICES.
**Italy surely doesn't seem to like iPhones.
Now there's also Poland where more details of operational aspects are disclosed:
Open-source tools like “hashcat” are used to decrypt encrypted e-evidence. Using MD5 and SHA1 to secure after decryption. We try to use brute-force / dictionary / profiled dictionary base attacks. It is not practiced to use third-party (external) companies to decrypt data.
Congratulations on using hashcat. However, did they really want to disclose all this information to the whole Internet?
Poland also discloses their technical, financial and "human resources" problems, limiting the efficiency of law enoforcement capabilities.
But the really interesting point is here:
One of the most crucial aspect will be adopting new legislation that allows for acquisition of
data stored in EU countries “in the cloud” without need to apply for MLAT. There is also
need to encourage software/hardware manufactures to put some kind “backdoors” for LEA
or to use only relatively weak cryptographic algorithms.
Poland is calling in the open to weaken cryptography or introduce backdoors. This is a bad idea and it should not stand. We should be happy we've learned it in advance of December's and future meetings.
In fact, many other member states (e.g. Italy, Hungary, Latvia) call for similar regulations. We should watch closely
Debate around regulating cryptography has reached Europe. The recent questionnaire on the Encryption of Data has provided us with interesting insight, both on the challenges (lack of resources, techniques, personnel limitations, lack of knowledge and techniques), the current operational methods. European law enforcement agencies use a wide array of method, ranging from interviewing suspects, to using brute-force techniques or third-party companies. Some are installing malware on target devices.
We are now also aware that there is an upcoming debate in Europe around weakening of cryptography. This issue requires close attention.