Encryption: finding the balance between privacy, security and lawful data access
Strong encryption is crucial to securing data and communications for individuals, public sector and businesses, including critical infrastructure. These objectives are under assault every day from sophisticated hackers and well-financed criminal organisations.
The technology industry has increasingly introduced built-in and easy-to-use encryption to meet customer requirements and address evolving cybersecurity risks. This trend is likely to continue as enhanced control, e.g. through user-managed keys and full-disk encryption, is considered a driver for user trust. Additionally, the cost of default encryption will likely continue to decrease and users will therefore take this feature for granted in their devices and services.
The following conditions are key to getting the best value out of encryption in today’s technological and economic landscape:
- Technology providers should be enabled and encouraged to develop and implement strong encryption solutions, tailored to achieve the best possible data security and privacy. Government mandates on the design of technology, such as the creation of ‘backdoors,’ will impede innovation, hurt the economy and weaken data security and privacy. Encryption also safeguards democracy and human rights by securing election processes and strengthening free speech and journalistic freedom.
- Strong cooperation between the private and public sectors can solve many challenges presented by access to digital evidence. It is imperative that industry and law enforcement authorities continue to cooperate in areas that can help prevent and investigate crimes.
The internet, and the billions of connected devices it enables, has become essential to modern society. Every day, encryption protects privacy and safeguards the critical infrastructure we rely on, from transportation systems to healthcare, energy grids, critical manufacturing plants and financial systems, among others.
Technological advances lead to new threats as the attack surface increases, giving sophisticated adversaries more avenues to infiltrate and take advantage of sensitive data. The safe operation of these services, even more so on upcoming 5G networks, depends on encryption securing and protecting data from hackers and criminals.
According to the World Economic Forum, ‘cyber incidents targeting the European business sector have increased since 2018: 61% of businesses reported cyber incidents compared to 45% in the previous year.’ ENISA’s 2018 Threat Landscape Report states that ‘mobile threats are expected to increase due to the mobile market growth, users’ shift to mobile banking and the upcoming rollout of the 5G mobile standard,’ noting for instance that industrial control systems operating critical infrastructure ‘will be increasingly targeted by advanced threat actors having … capability and intent.’
In this environment, individuals and organisations have a legitimate expectation that their data, networks, devices and essential services are protected by strong encryption. An informed debate on the most effective use of encryption for jointly pursuing privacy and security and for safeguarding fundamental rights and public interests is therefore needed.
Understanding the value of encryption
The growing importance of data processing in connected devices and in the cloud, including confidential and proprietary data, requires security protections that safeguard the confidentiality, integrity and availability of information for both individuals and organisations, especially in light of the myriad threats to personal data and critical infrastructure. Encryption, alongside other technical and organisational measures, is a critical tool to safeguard data against the worrisome rise in cyber threats.
There is a direct correlation between developments in technology and innovation and an increase in the attack surface. It is estimated that by the end of 2019 there will be 26.66 billion devices, followed by a significant increase to 125 billion devices by 2030, with 90% of individuals older than six being online. This means more network traffic and ultimately more security challenges.
The World Economic Forum’s 2019 Global Risks Report recently identified cyber attacks among the top five global risks, with one-third of the surveyed companies indicating they experienced a cyber incident causing operational impact. Today, the global cost of cyber crime is estimated at about €530 billion.
Attackers are constantly adapting and harnessing new malware, which targets vulnerabilities in the hardware and is more difficult to detect. Encryption is a powerful method that can protect communications and data at rest, in use and in transit. In recent years, for example, ransomware – which encrypts a user’s data, decrypted by the hacker only if the user agrees to a ransom – has been an increasing threat for public administration, public services, small businesses and citizens.
Encryption protects critical infrastructure
In recent years, malware has been used to target critical infrastructure. In March 2019, Norwegian company Norsk Hydro AS, a renewable energy supplier and one of the world’s largest aluminium producers, was compromised by the LockerGoga ransomware in a targeted cyberattack. The attack affected large parts of the business, resulting in production stoppages in Europe and the US. Projected costs for the company are up to €35 million.
High-impact attacks, like WannaCry or NotPetya ransomware, swept across a wide range of businesses, hospitals, critical manufacturing and transportation modes, while in 2015 a large-scale cyberattack took out large portions of Ukraine’s power grid. Users and organisations that employ cybersecurity best practices and use strong encryption can minimise the risk of these kinds of cyberattacks.
As 5G connectivity spreads, society will become even more dependent on, and intertwined with, wireless communications. Ensuring that sensitive data runs only over trusted 5G infrastructure will be a herculean task. Encryption will help ensure the confidentiality and integrity of data flowing over networks. This will be critically important as more and more functions rely on network access.
Encryption protects personal privacy and security
Technology providers are challenged every day to protect sensitive user data from numerous sophisticated threats. In the first nine months since the General Data Protection Regulation (GDPR) came into effect, the European Data Protection Board (EDPB) reported data protection authorities (DPAs) received 64,484 breach notifications. That is just a small percentage of a global trend – according to a 2019 report, over four billion personal records were breached in 2019.
Data breaches can expose sensitive information of millions of users and can have potentially life-threatening consequences. Encryption is one of the best tools in protecting users’ privacy from malicious actors, as recognised in the GDPR.
Encryption safeguards democracy and human rights
There is increasing recognition that cybersecurity in general, and encryption more specifically, is fundamental to safeguarding democracy.
Notably, cyberattacks threaten to undermine the integrity of, and confidence in, electoral processes. According to the NIS Cooperation Group, encryption is a necessary tool to help ensure the integrity and security of EU elections.
Encryption also plays a pivotal role in protecting those who advocate for fundamental human rights. According to the UN Special Rapporteur on Human Rights, ‘[e]ncryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age. Such security may be essential for the exercise of other rights, including economic rights, privacy, due process, freedom of peaceful assembly and association, and the right to life and bodily integrity.’
Encryption also protects journalists, providing a measure of security to reporters who expose government abuse or mistreatment of citizens. The 2018 Accra Declaration calls on each UNESCO Member State to ‘[r]efrain from prohibiting or criminalizing the use of encryption and anonymity tools.’ Journalistic freedom is an essential component to a democratic society, and encryption is an avenue that allows journalists to continue doing work securely and safely.
Exceptional access weakens security
A backdoor is a feature or defect of a computer system, unknown to the technology provider or undocumented to the user, that allows third parties, e.g. intelligence agencies, unauthorized access to data. Such exceptional access represents a great risk for security.
For example, Australia’s Telecommunications Assistance and Access Act requires providers to insert a vulnerability into all of their products, so long as the government only requests that it be used against certain targets. This fundamentally misunderstands the nature of technology: if a capability to target a user is built, it can be used against all users both by well-intentioned law enforcement authorities and malicious hackers, who will inevitably try to gain access.
Mandatory key escrow and key recovery systems to ensure lawful interception have been suggested many times in the past by policymakers. However, such policy options would not only introduce new technological risks to IT infrastructure but could also be easily bypassed by those who wish to keep their communications secret.
Backdoors undermine security best practices and require increased complexity of IT systems in order to manage vulnerabilities, in turn attracting bad actors such as terrorists, criminals and hacktivists to exploit these vulnerabilities.
Applicable law and oversight of exceptional access in multiple countries would further complicate the above-described scenario. As service providers must respond to many thousands of data requests, from different jurisdictions with different legal standards, properly managing and overseeing the use of an exceptional access mechanism would pose a significant challenge given the likely scale of demands.
Maintaining the security of an encryption backdoor that is subject to regular access would be extremely challenging, if not impossible. Additionally, if companies were forced to build an encryption backdoor for rights-respecting countries, they would also face significant pressure to turn over their users’ data from countries with less developed democratic standards, which could threaten the human rights of people in those countries.
Finally, encryption remains available through the continuous development of open source software. Forcing companies to weaken the security of their products and services will just drive criminals to use security technologies that are widely understood and available in the public domain or developed in other countries.
Enhancing collaboration between industry and law enforcement
DIGITALEUROPE considers cooperation with public authorities to combat terrorism and crime as a priority when access to data is lawful.
Advances in technology that give law enforcement authorities various channels to monitor suspects allow companies to continue providing robust encryption methods. The volume of data generated by the digital economy has given law enforcement authorities access to more data than at any time in history. In addition, combined with new data mining and processing abilities, authorities are able to gain insights on an unprecedented scale.
Encryption is one element in a complex and ever-changing mosaic of digital evidence that law enforcement agencies must contend with. As new products and services come online, and older ones change, access to certain data often changes or becomes more restricted, or on the other hand new data may become available. Understanding these developments and incorporating them into investigative practice is quite difficult.
While some countries have passed laws that allow governments to mandate exceptional access, other laws highlight the benefits of security and enhanced cooperation between law enforcement and industry. DIGITALEUROPE believes that the former, if used to compel law enforcement access, could have dangerous consequences for users around the globe, undermining security and disrupting trust in the digital economy.
Challenges and opportunities in digital evidence
The most pressing digital evidence challenges for law enforcement are understanding what data is available, which providers have it, how to obtain it and how to interpret it. In addition, incomplete legal structures and ineffective cross-border data investigatory processes pose significant challenges for law enforcement agencies within the EU.
These are challenges that are solvable through enhanced collaboration between industry and law enforcement, without compromising the security of millions of technology users.
Typically, intelligence agencies have more tools and techniques available than law enforcement authorities. One example is hacking an end device: some data is encrypted while in transit but needs to be decrypted into plaintext to be read on the device once received. Furthermore, national authorities have the means to request data (electronic evidence) held by service providers through a combination of national production orders, voluntary disclosure or various mutual legal assistance schemes in cross-border cases. Figures from service providers’ transparency reports show that under these frameworks a significant amount of data is being disclosed to law enforcement authorities as part of criminal investigations on a daily basis.
Furthermore, a number of Member States are signatories to the Council of Europe’s Budapest Convention on Cybercrime, a non-binding resolution which encourages parties to take legislative measures to empower competent authorities to lawfully intercept content data. In cross-border cases, where suspects and evidence may be found in different countries, conflicting national legislation, lengthy procedures for mutual legal assistance (MLA) and competent jurisdiction issues hamper the retrieval of electronic evidence, despite the longstanding cooperation with digital service providers.
Easing the burden on law enforcement
There is a significant amount of important work being done in the EU and internationally to address some of the existing legal and capacity bottlenecks that are frustrating law enforcement authorities’ ability to efficiently access data for criminal investigations.
To alleviate some of the practical challenges of the MLA process on law enforcement agencies, both the US and the EU have adopted, or are in the process of adopting, landmark legislation. Industry has supported these efforts, understanding that reducing these barriers will help law enforcement carry out its crucial work.
The US passed the CLOUD Act in 2018, and the EU is currently scrutinizing a legislative proposal on e-evidence. Both pieces of legislation seek to streamline the process by establishing a legal framework to allow local law enforcement authorities investigating a criminal matter to directly issue a legally binding order to produce data, regardless of where the service provider or data is legally established. A mandate for negotiations on an EU-US agreement has also been adopted and similar work is being done to develop a new protocol to the Budapest Convention on Cybercrime.
In addition, the European Commission has committed significant resources and investment to improve law enforcement authorities’ ability to deal with encrypted data. This includes supporting Europol in further developing its decryption capabilities, providing training programmes and toolkits as well as establishing a network of points of expertise and excellence centres for law enforcement authorities to leverage. There is more work to be done here and DIGITALEUROPE’s members remain committed to exploring enhanced training for law enforcement.
Lawful interception requirements in the EU have been primarily regulated within national telecommunications legal frameworks. These have been largely operationalised by standards developed by the European Telecommunications Standards Institute (ETSI), the Third Generation Partnership Project (3GPP) or Cable Labs for wireline/internet, wireless and cable systems, respectively.
There is a concern that introducing end-to-end encryption in 5G would prevent legal authorities from accessing necessary data in a similar way to current messaging services operating on 4G networks. However, lawful intercept on new 5G services can be managed through existing technical solutions, and there are no plans for 5G technologies or standards to disable the ability of lawful interception for law enforcement purposes. A lawful interception interface allows the operator to obtain the relevant keys required to decrypt the intercepted traffic in the same way this is already achieved today.
Although encryption of International Mobile Subscriber Information (IMSI) does not prevent law enforcement capabilities such as location tracking, this is currently an optional feature of network operation. The use of IMSI catchers outside the scope of legitimate criminal investigations can be prevented by the IMSI encryption feature and regulators can choose whether operators should enable this. Any information necessary to facilitate lawful intercept as regards IMSI is handled at the core of the network, which can be accessed via existing lawful interception interfaces.
Privacy and security, both of individuals’ personal data and of critical infrastructure, are important preconditions for economic growth and societal benefit. Encryption is a crucial tool to achieve these goals.
Any approach to weaken or grant backdoor access to encryption methods defeats the entire purpose of encryption and undermines users’ trust, exposing IT systems to increased risks.
At the same time, it remains vitally important that companies and law enforcement authorities continue to work together, ensuring that authorities have the best methods and access to electronic evidence without weakening or putting strong encryption at risk.
We encourage Member States to remove obstacles in national legislation to Mutual Legal Assistance and to take advantage of the European and international e-evidence negotiations. Companies rely upon the rule of law and a stable political environment where they can freely manufacture and develop their products and architectures, without being required to protect data against access and weaken such protections at the same time.
DIGITALEUROPE is committed to working closely with the EU institutions to encourage opportunities for dialogue between industry, policymakers and authorities.