Insight: “Encryption: a double-edged sword – EU law protections simultaneously impeding cross-border serious crime investigations?” by Anjum Shabbir
The use of data and information gives rise to competing interests, and the desire of law enforcement bodies to have lawful backdoor access to encrypted data is not new: information is not only the new currency, it is also a way to take down organised crime and cybercrime (most EU Member States have signed and ratified the Council of Europe’s Convention on Cybercrime), and terrorism.
To create an area of freedom, security and justice, an EU objective set out in Article 3(2) TEU, the EU has a shared competence with the Member States under Article 4(3) TEU (see further Title V, Articles 67 to 89 TFEU). As a result, it has developed a common strategy so that criminal justice and enforcement authorities in Member States can work together to combat crime efficiently. That shared competence comes to the fore in particular to tackle serious organised crime committed across Member States’ borders: the EU cooperates in law enforcement by taking action against organised crime and helping national police forces work better together through the EU Agency Europol (Regulation 2016/794). Its strategy also includes ensuring that enforcers and judiciaries can trust and rely on each other, supported by EU Agency Eurojust (Council Decision 2002/187/JHA of 28 February 2002 as amended, Regulation 2018/1727).
Eurojust and Europol have recently published a joint report (their second) on the challenges criminal law enforcement bodies face during investigations when technology, in particular encrypted data, is used by criminals in crime and to circumvent law enforcement. As a specific example of when this has revealed itself to be a concern, in May 2019, in a joint operation (‘Icebreaker’) involving both EU Agencies, authorities were able to seize around 100 encrypted mobile phones customised for encrypted communications. The report hopes to encourage stakeholders to weigh in and provide input on how to identify future technological developments so that law enforcement methods can translate and adapt accordingly.
How encryption impedes law enforcement according to the report
Law enforcement in the digital context was described by the first joint report of these EU Agencies as taking place either through an ‘attack’ mode – using brute force, installing tools, or lawful interceptions – or through a ‘bypassing’ mode – requesting or ordering that a suspect, third party, or service provider hand over encryption keys or unencrypted data.
The report points out that the use of end-to-end encryption (E2EE) in circumstances where governments and enforcement bodies do not have lawful backdoor access prevents the investigation and prevention of (organised) crime.
It notes that the approach of tech, telecoms and social media companies is unhelpful when carrying out investigations as it blocks access to electronic evidence through E2EE, as well as by providing the possibility to enable covert and remote wiping of devices. An example from across the pond is offered, concerning a Canadian company, Phantom Secure, which had marketed its products as resistant to decryption or wiretapping and created specifically to facilitate drug trafficking. The report also points out that certain companies have provided their customers with ‘duress passwords’ that are alternatively called ‘panic’ or ‘distress’ passwords, enabling users to covertly wipe the device.
Another issue law enforcement faces is that the technological means used by criminals develop constantly and the law cannot keep up (see page 22 of the report on magic mirrors, watermarking, DoH and DoT, and the use of neural networks), and that existing means are diverse – including changes to the Domain Name System, quantum computing, and 5G. To take one of the examples listed, there are methods ancillary to encryption such as ‘steganography’, which entails ‘hiding information in an innocuous cover’ such as another image, document, or any other file, and which can be used instead of encryption.
Homomorphic encryption (a weaker form of encryption) is acknowledged in the report as an alternative solution, which allows for data to be computed without compromising the privacy of that data, and where no decryption is needed to process the data, but the report points out that the huge computational capacity needed to process this type of encryption has meant that its adoption has been slow.
How rights granted under EU and national law protected by encryption impede law enforcement
The report cites or infers the strong protection of certain rights stemming from EU and national law as impeding law enforcement.
In particular, it refers to the possible infringement of the right not to incriminate oneself if an individual is forced to hand over encryption keys or to unencrypt data, provide a password, or use one’s fingerprint to unlock a device. It also notes that certain national legislation has treated this as the breach of the right to silence. It can be considered here that the report means the presumption of innocence, right to a defence, and fair trial under Articles 47 and 48 of the Charter and Article 6 ECHR.
The report also points out however that, given the above, only four Member States (Belgium, Croatia, France, Ireland) and the UK currently compel the handing over of an access key by law.
Although not mentioned by the report, E2EE also ties in perfectly with protection of the right to data protection, the right to private life, and (indirectly) freedom of expression under Article 16 TFEU, Articles 7, 8 and 11 of the Charter, and Articles 8 and 10 ECHR, which could not be secured if the handing over of encryption keys and decrypted data revealed information beyond what is required by investigating authorities. Furthermore, it might be considered from another angle that obligations on companies to assist in such investigations may impinge on the freedom to provide services, or the freedom to conduct a business.
Regulation relating to encryption in the European Union
These problems are not properly dealt with either at the national or EU legislative levels.
Regulation of access to encrypted data in the criminal law and criminal investigation contexts is fragmentary at the national level, as shown by the disparate legal provisions relied on by various Member States in pages 11 and 12 of the report. A small number of Member States are actively encryption-protection friendly, while others are more willing to put aside competing interests and use legal provisions to obtain unlocked and cracked codes for the purposes of law enforcement. This arguably generates legal uncertainty and conflicting obligations for the type of cross-border serious crimes that the EU Agencies coordinate.
To add a further complexity, not referred to in the report, the data which these EU Agencies seek in their operations are probably prone to being dumped quickly from the jurisdiction of one Member State to another, or are saved on a server in one or multiple places.
That hints that EU input may be more effective. But EU law is silent on encryption where serious cross-border crime is concerned.
Back in April 2018, the Commission did table two proposals, for a Regulation and Directive, to establish a legal framework making it easier and faster for law enforcement and judicial authorities to secure and obtain access to electronic evidence in cross-border cases, pursuant to which the Council has adopted general approaches, the European Parliament has issued several working documents, the European Data Protection Board has given an opinion, as has the European Data Protection Supervisor (on 31 January 2020). However, there is no mention of electronic evidence in the form of encrypted data.
Furthermore, it can be inferred that the EU has thus far – in its legislative approach – considered encryption mostly from the perspective of protecting data security and data rights, and other fundamental rights.
Four examples, though not all specifically from the angle of the investigation of serious cross-border crime such as that which Eurojust and Europol may coordinate, support that inference.
First, Council Decisions 2008/616/JHA and 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime, only refer to encryption in the context of protecting the transfer of specific data (DNA).
Second, the Electronic Communications Code (Recast Directive 2018/1972), does not prevent Member States from taking necessary measures to permit the investigation, detection and prosecution of criminal offences, as long as they take into account Articles 7, 8 and 11 of the Charter. But concerning encryption specifically, that Code rather emphasises its security-building aspect: it states that e-communications network and service providers should inform users of ‘measures they can take to protect the security of their communications’ including using ‘encryption technologies’, and – without prejudice to criminal investigations – states that encryption, ‘end-to-end where appropriate’, ‘should be promoted and where necessary, encryption should be mandatory’.
Third, Directive 2016/680 governs the protection of the free flow and processing of personal data of natural persons for the purposes of preventing, investigating, detecting or prosecuting criminal offences, while at the same time requiring a high level of protection of personal data. It does not apply to activities that are not covered by EU law (such as criminal law) or EU Agencies (Article 1(3)(b)), but in any event, again refers to encryption in the context of building security, and as a tool to mitigate personal data breaches.
Fourth, Advocate General Pitruzzella recently advised the Court of Justice on the interpretation of Data Retention Directive 2002/58 in criminal proceedings brought based on data sought from a telecoms company. He described its scope as covering not only data retention, but also extending to access to data. Although not examining encrypted data, this case is important as it will reveal more broadly how the Court of Justice will carry out the balancing exercise between the need for data for the purposes of criminal prosecution vs data protection rights. For more on that matter, read Alberto Miglio’s Analysis, in which he points out that ‘the Court of Justice has been under considerable pressure to ease its stance on the lawfulness of bulk data retention, which several Member States perceive to be an important tool in the fight against terrorism and serious crime’.
Issues to consider in balancing crime-prevention with protection of rights
For now, although the regulation of encryption in the specific context referred to in the joint report is not on the legislative agenda, the report raises certain important issues that need to be considered carefully if disparities at the Member State level impede the effective combating of serious cross-border crime, including whether regulation ought to occur at the Member State, EU, or shared-competence level under an Article 82 TFEU legal basis.
For example, it would have to be legally determined (i) whether the encrypted data that law enforcement bodies wish to access exists independently of the will of the owner when it is already stored on a server or device; (ii) whether the seriousness of the offence plays a role in determining whether lawful interception is allowed (such as suspecting that the location of kidnapped children is detectable through the encrypted device(s) in question); (iii) the conditions under which a warrant or decryption order should be provided for and required (which could be interesting if provided specifically and only for Europol/Eurojust organised operations under EU rules) – but also how this could work in investigations where ‘time is of the essence’; and (iv) in response to the concerns raised in the report, whether service providers and telecoms companies should be jointly liable for preventing access to potentially incriminating evidence, and under what conditions.
Overall, the report raises some interesting legal issues and adds to an ongoing debate that revolves around balancing rights for the access to, retention of, and use and processing of data, in the specific context of fighting serious cross-border crime. It seems clear that coordination mechanisms to tackle cross-border serious crime need to be updated, and continue to be updated (including for European Investigation Orders in criminal matters, for OLAF and the EPPO).
Anjum Shabbir is an Assistant Editor at EU Law Live