Police and tech security experts have weighed in with a possible solution to the immovable-object-meets-irresistible-force conundrum posed by the use of strong encryption.
Across Europe, police argue that the rise of uncrackable encryption, in particular end-to-end encryption, allows criminals to plot in secret, and that investigators should have some way of reading these communications when necessary.
Privacy advocates insist that strong encryption is not only vital for the operation of the internet but also to protect individuals from pervasive state surveillance (as revealed by NSA contractor-turned whisteblower Edward Snowden), and that any mandatory backdoors would weaken protection for everyone.
There doesn't seem to be much of a way to bridge the divide between the two positions, but Europe's top crime agency and its cybersecurity body have made an attempt.
ENISA is the European Union's expert cybersecurity agency, which recently came down firmly against the idea of putting backdoors into encryption. Europol is the EU's law enforcement agency, which focuses on large-scale criminal and terrorist networks -- just the sorts of gangs that could use strong encryption to hide their plots. A new joint statement from the two agencies attempts to find a way forward on the encryption debate.
The two agencies acknowledge the major problems with mandatory backdoors -- that they weaken security for everyone, and probably won't do much to catch exactly the sort of smart criminals that Europol is after.
"While no practical encryption mechanism is perfect in its design and implementation, decryption appears to be less and less feasible for law enforcement purposes," it notes, and warns that government ordered backdoors into encryption are likely to fail to have the required impact
"Criminals can easily circumvent such weakened mechanisms and make use of the existing knowledge on cryptography to develop (or buy) their own solutions without backdoors or key escrow."
That's not to say that they think law enforcement should just give up, but that "breaking the cryptographic mechanisms might cause collateral damage". Another way of putting it, when it comes to breaking encryption, is: does the benefit of catching criminal outweigh the damage done to the security of us all?
The two agencies argue that the emphasis should be on getting access to the communications not on breaking the security.
"The good news is that the information needs to be unencrypted at some point to be useful to the criminals," they say -- which means instead of focusing on encryption police can also consider undercover operations and infiltration into criminal groups, or "getting access to the communication devices beyond the point of encryption, for instance by means of live forensics on seized devices or by lawful interception on those devices while still used by suspects".
After all, cracking the encryption is not the only way to get hold of the communication: if a criminal is known to use encrypted communications, one way of getting access is to seize the device before it can be locked.
But if police (and intelligence agencies) can't require companies to weaken the encryption they use, that doesn't mean that law enforcement isn't allowed to try and crack it. As such we are likely to see much more emphasis on cracking the encryption used in popular products (something intelligence agencies have been doing for decades, of course).
"We observe a continued arms race between cryptographers and crypto-analysts. In terms of practical breaks, cryptographers are currently miles ahead, which is good news for all the legitimate users who can benefit from the improving protection of their data. However, there is no doubt that malevolent parties use the same techniques to conceal their criminal activities and identities. For the investigation and disruption of crimes, it is important to use all possible and lawfully permitted means to get access to any relevant information, even if the suspect encrypted it."
The joint statement calls for the sharing of best practice in circumventing encryption, plus explicit regulation of the lawful use of such tools. These tools might circumvent encryption by exploiting a flaw in its implementation, or in the device itself, for example.
"Moreover, policy makers in consultation with the judiciary could further contribute by issuing clear policy guidance on the proportionality of the online use of such privacy-invasive investigative tools," it says.
The two agencies also call for close cooperation with industry and crypto-cracking researchers, but do leave the door open to some sort of legislation too. "When circumvention is not possible yet access to encrypted information is imperative for security and justice, then feasible solutions to decryption without weakening the protective mechanisms must be offered, both in legislation and through continuous technical evolution," they say.
To some it might seem like a fudge: companies can keep on using and building strong encryption, and law enforcement will keep trying to bypass it.
And there are big, big problems with this approach: is it a good idea that law enforcement agencies buy or research flaws in the security of popular products, and use them to crack the communications of criminals -- but don't tell the makers, so those security holes remain unpatched? What if those same flaws are being used by hackers or hostile nations to read communications or do other damage? At what point does the need to patch a flaw outweigh its usefulness to police?
And it means there will be another secret crypto arms race, and that police and intelligence agencies will build up -- or buy -- their own set of security holes, which will allow them to read communications when they need to. It also means that investigations could hinge on the abilities of police and intelligence agencies to sidestep encryption, which will vary from country to country.
But it's almost certainly a more realistic and effective way forward than trying to legislate backdoors which just won't work (even if the statement doesn't rule out legislation entirely).
"We are convinced that a solution that strikes a sensible and workable balance between individual rights and protection of EU citizen's security interests can be found," the report says. That may not be true -- or some sort of fuzzy compromise like this may be the best we can hope for.
The vast majority of uses of encryption are useful and beneficial to all -- and while Europol and Enisa have made a pragmatic (if carefully hedged) move in the right direction, this in unlikely to be the end of the debate.
More on cyberwarfare and surveillance
- UK boosts spending on cyber army to launch hack attacks on enemies
- The UK's international snooping plan is probably going to end in failure, again
- Defending the last missing pixels: Phil Zimmermann speaks out on encryption, privacy, and avoiding a surveillance state
- Inside the secret digital arms race: Facing the threat of a global cyberwar
- Surveillance laws need rethink, but bulk collection of web data will continue
- The undercover war on your internet secrets: How online surveillance cracked our trust in the web
- The impossible task of counting up the world's cyber armies
- Encryption: More and more companies use it, despite nasty tech headaches