arXiv:2104.06444v1 [cs.CR] 13 Apr 2021

Going dark? Analysing the impact of end-to-end encryption on the outcome of Dutch criminal court cases

Pieter Hartel, Rolf van Wegberg
{pieter.hartel,r.s.vanwegberg}@tudelft.nl

April 15, 2021

Abstract

Former US attorney general William Barr and law enforcement colleagues from other countries have published a statement on end-to-end encryption from which we quote: “while encryption is vital and privacy and cybersecurity must be protected, that should not come at the expense of wholly precluding law enforcement”. The main argument put forward by law enforcement is that end-to-end encryption (E2EE) hampers authorities prosecuting criminals who rely on encrypted communication - ranging from drug syndicates to child sexual abuse material (CSAM) platforms. This statement, however, is not supported by empirical evidence, and therefore not suitable as the sole basis of policymaking. That is why, in our work, we analyse public court data from the Netherlands to show to what extent law enforcement agencies and the public prosecution service are impacted by the use of E2EE in bringing cases to court and their successful outcome. Our results show that Dutch law enforcement appears to be as successful in prosecuting offenders who rely on encrypted communication as those who do not. In contrast to what the US attorney general wants us to believe, at least the prosecution of cases does not seem hampered by E2EE.

1 Introduction

Article 19 of the Universal Declaration of Human Rights gives everyone the right to freedom of opinion and expression. Since 2011, this also covers the right to journalistic protection of sources [3]. UNESCO recently published two studies describing the influence of the Internet on Article 19. Both studies make recommendations for the use of End-to-End Encryption (E2EE) to protect freedom of opinion and expression. The [...] recommendation is that member states must ensure that concerns about national security and crime do not affect the [...] source protection of journalists [11] and human rights [13]. Pretty-Good-Privacy (PGP) is one of the [...] technologies that allows tipsters to pass confidential information to journalists. Most quality newspapers such as the NY Times, LA Times, Financial Times, Washington Post, Wall street journal, Guardian, [...] use PGP to receive confidential tips. Only two out of the eight quality newspapers [...] do not have a PGP key: The Times and the Chicago Tribune.

However, every technology has a bright and a dark side [8]. For example, GPS was designed to guide missiles to their targets [5]. Civil use was a secondary objective, but now we would be lost without GPS-based navigation. Mobile phones meet one of the most basic human needs: the ability to communicate. But dealers also love their phones because they no longer have to meet their customers in a dark alley [...] to avoid the police. PGP was the first widely used implementation of E2EE [15], and has helped human rights organizations and journalists to communicate in hostile environments. Letters from human rights groups [...] PGP has probably saved hundreds of lives in the Kosovo theatre. WhatsApp has been offering E2EE since April 2016 to over a billion users. But offenders use so-called PGP phones [10] to defeat lawful interception. A PGP phone is a relatively expensive product on which not only PGP is installed, but from which also all non-essential hard and have been removed [6].

So, all these technologies have two sides, but to what extent does the dark side have the upper hand? We probably agree that navigation with GPS and communication with a mobile phone has so many advantages that we accept the disadvantages. But do the advantages of E2EE also outweigh the disadvantages?

Here, it is important to note that E2EE only works properly if it is correctly implemented in a trustworthy execution environment and if the private keys remain secret. However, this is more easily said than done. In recent law enforcement operations against providers of PGP phones such as Phantom Secure, IronChat, Ennetcom, Encrochat, and Sky ECC, the police have managed to obtain messages, whereas the companies claimed that this should be impossible. The police were legally allowed to take action against all of these service providers since there was a well-founded suspicion that these companies provided services to criminals. For example, Phantom Secure was a Canadian company that was infiltrated by FBI employees in 2018. Recorded conversations with Phantom Secure’s CEO led to a valid allegation that the company’s modified Blackberry phones were used for drug trafficking [6].

Offenders not only use PGP, but they also use WhatsApp, as exemplified by the following quotes from Dutch court judgments:

• “The offender, together with another person, threatened [victim 1] and [victim 2] with death using WhatsApp messages” ECLI:NL:RBMNE:2018:4435.
• “The fact that the offender sold these came to light after four young adults became unwell from drugs they had bought after WhatsApp contact with a dealer” ECLI:NL:RBNNE:2018:5197.
• “Suspect then sends 11 images to [person] via WhatsApp. These are all child pornographic images of [victim 2]” ECLI:NL:RBNHO:2018:10646.

However, offenders use PGP and WhatsApp for different reasons. Most users probably know that WhatsApp offers E2EE, but they do not seem to care about it [1]. WhatsApp is a success because almost all the people you want to communicate with are already using it - i.e., the network effect. WhatsApp is easy to use, WhatsApp is free and even ad-free. PGP phones are an expensive niche product. The users buy such a device because the confidentiality of the messages they exchange with it is of vital importance to them. Specialised companies sell PGP phones and service subscriptions at premium prices. Offenders might use WhatsApp to communicate with clients or victims, but they would prefer a PGP-phone to communicate with co-offenders.

In the Netherlands, several Ennetcom cases have now been concluded, and some of the court judgments have been made public as open data. To gain insight into the impact of E2EE on the outcome of Dutch criminal court cases, we will analyse these and other relevant court judgments. Our contribution is that we provide the evidence that is needed to help us understand if law enforcement is going dark due to E2EE [7].

2 Background and research questions

In the Netherlands, law enforcement has a wide range of special powers at their disposal, as described in Article 126 of the Code of Criminal Procedure. The application of these powers is subject to strict rules. In particular, special powers may only be used for serious offences, and permission from the examining magistrate is required. It should also be possible to check afterward whether the powers have been used correctly. These checks and balances are in place to ensure a fair trial. The technical special powers that are often used in cases where the offender tries to evade detection through technology are (1) reading out and analysing confiscated smartphones, (2) placing telephone or Internet taps, (3) obtaining cell tower data from a telecommunications operator to trace the location of a mobile phone, and (4) hacking the computer or another device of the offender. There are other special powers, such as a subpoena for financial data, systematic observation, and systematic gathering of information, but we will not consider these here because they are not technical in nature. We will describe in more detail the two often used special powers that suffer most from E2EE.

Reading out and analysing confiscated smartphones. Most modern laptops and smartphones have device encryption turned on by default. This means that data on devices seized by law enforcement can only be read out if the device owner supplies the passcode. Law enforcement has several options to unlock a seized smartphone with a passcode:

• The owner may surrender the code to the police. This should not be done under duress because, in most countries, the offender should not be obliged to cooperate with his conviction (Nemo tenetur) [10].
• In some countries, the police may force one to give up a fingerprint to unlock a smartphone [6].
• In some cases, special tools can bypass the passcode. For example, to crack the San Bernardino terrorist’s iPhone 5C, the FBI had to pay more than $1M to a specialist company [4].
• With the permission of the examining magistrate, the police may install keylogger malware on a smartphone. The keylogger reports the passcode without the suspect knowing [2].
• Law enforcement does not deal with the smartphone directly, but with the company that manages the network that the smartphone uses to communicate.

To the best of our knowledge, there are no statistics on cracking locked smartphones, except for some anecdotal evidence from the US [4].

Placing telephone or Internet taps. Lawful interception allows authorised law enforcement agencies to obtain communication network data from individual subscribers. The signalling and network management information will be cleartext, for example, IP addresses. The contents of the data can be encrypted, for example, when HTTPS or E2EE is used. In almost all implementations of E2EE, devices communicate with each other through a server, which is also the Achilles heel of these systems. There are several options to eavesdrop on encrypted messages, such as:

• If the implementation contains a bug, an exploit can be deployed to eavesdrop on the conversation. This has happened to WhatsApp.
• If the administrators of the server make mistakes, the server can be hacked. That has happened to Encrochat.
• If the administrators of the server are issued a subpoena by the court to hand over data from specific customers, they will have to comply. This has happened to HushMail.
• If law enforcement can pose as a reseller of handsets, they can insert a backdoor into the handset before delivering them to the customer. This has allegedly happened to Sky ECC.
• The judiciary can also take the servers down and arrest the owners. This has happened to Phantom Secure.

In all cases mentioned above, the servers probably provided more valuable evidence to law enforcement than phone or Internet taps.

Research questions. The law ensures that an offender is only convicted if all evidence is legally obtained and conclusive. Suppose that the content of a message from an offender is encrypted. The court may still be able to see to whom the offender has sent the message, but the court does not learn the content of the message. Then the message could be legal evidence, but the court will probably deem it inconclusive. Also, assume that there is no other evidence, just the encrypted message. Then, all cases where the offender has used E2EE will lack conclusive evidence and are either not brought to court or lead to an acquittal by the court. This is a hypothetical situation, as there should be enough other evidence to convict the offender, for example, location data. It does not matter whether the offender has used a PGP phone or WhatsApp because in both cases, the phone must communicate regularly with a cell tower. The location of the phone in question is therefore known to the telco. And with the location data obtained from the telco, the court may decide that the evidence is conclusive.

Because E2EE may reduce the number of options that law enforcement has to collect legal and convincing evidence, our first research question is: To what extent does law enforcement use its special powers when offenders resort to E2EE? (RQ1)

Cases for which the police cannot obtain sufficient evidence are normally not tried in court. We have made inquiries at the Netherlands Forensic Institute, but unfortunately, no public data or statistics are available on these types of cases. Our analysis is therefore limited to cases brought in front of the courts. Because acquittal can be a consequence of the use of E2EE, our second research question is: To what extent are offenders using E2EE acquitted? (RQ2)

3 Method

In six years (2015 - 2020), the Dutch district courts published 25,366 anonymized court judgments on rechtspraak.nl. This represents about 5% of the total number of court judgments in that period. The courts publish all judgments with a crime against life, where the maximum sentence is at least four years, or when the court expects interest from the public or journalists. Therefore, judgments of the most serious cases are likely to be included in our data set.

To answer RQ1, we will compare court judgments in which the offender has used PGP to court judgments from a precision-matched control group. For each PGP case, our precision matching algorithm searches for another judgment where (a) E2EE has not been used, and (b) the set of offences of the matching judgment includes the set of offences of the PGP case. For example, a drug-related offence matches a drug-related offence combined with money laundering. The matching algorithm ensures that each matching case represents a set of offences that is at least as serious as the offences of the PGP case. Therefore, we expect law enforcement to use at least the same number of special powers for the matching case as for the PGP case.

To answer RQ2, we will investigate the conviction rates of three groups: PGP cases, WhatsApp cases, and the control. If indeed, as claimed by advocates of E2EE restrictions, E2EE perverts the course of justice, we would expect the conviction rates for E2EE groups to be lower than for the control.

To support the statistical analysis of the court judgments, we define an independent variable and two dependent variables as follows:

• The first dependent variable special power encodes the special powers used by law enforcement in reaction to the offender using E2EE.
• The second dependent variable decision encodes whether the offender is convicted or acquitted.
• The independent variable technology encodes whether the offender used PGP, WhatsApp, or neither (control). A case with both WhatsApp and PGP is considered a PGP case.

Descriptive statistics. The total number of court judgments for the three groups is N=3,214. This is about 1% of the total number of criminal judgments processed by the Dutch district courts in the given 6-year period. In 439 judgments (13.7%) PGP was used, WhatsApp was used in 2,382 judgments (74.1%), and the control consists of 393 (12.2%) judgments. Of the 3,214 cases, 20.3% were drugs-related, and 20.3% were violence-related, including Child Sexual Abuse Material (CSAM) and terrorism. These percentages are higher than the national averages of 9.7% and 9.2% respectively [9, Table 6.2 and 6.12] because the courts mainly publish judgments of serious crimes. The offender is female in 9.3% of judgments. The average age of the offender at the time of the court ruling is 34.1 (SD = 12.6) years. Of the offenders, 38.1% are first-time offenders, and 34.8% are repeat offenders. These demographics are consistent with the demographics of the whole population of Dutch criminal offenders convicted for serious crime [14].

Of the 3,214 judgments, 83.0% have resulted in incarceration, including involuntary commitment, imprisonment, and military detention. The average length of incarceration is 33.6 (SD = 44.3) months, which is more than eight times the national average of 4 months [9, Table 6.11], again because of the focus on serious crime. Community service represents 8.0%, acquittal 5.4%, and a fine 1.3%. The remaining 2.3% of the judgments are procedural, such as an extradition request and pre-trial hearings.

The police have used their technical special powers as follows: in 50.5% of cases, a phone or Internet connection was tapped; in 16.9% of cases, a seized mobile phone was read out; in 6.9% of cases, cell tower data was requested. The Dutch police have hacked into the offender’s systems eight times in 2019, just after passing the relevant law that made this possible. However, none of those judgments are public (yet), so that we have no data on police hacks.

Table 1: Contingency table of court cases using specific technology (left) versus offence type (top)

| | Property offence | Violent offence | Public order offence | General provisions | Road traffic offence | Drug related offence | Weapon related offence | Other criminal offence | (Procedural) | Total |
|---|---|---|---|---|---|---|---|---|---|---|
| WhatsApp cases | 656 (27.5%) | 996 (41.8%) | 224 (9.4%) | 17 (0.7%) | 27 (1.1%) | 216 (9.1%) | 53 (2.2%) | 126 (5.3%) | 67 (2.8%) | 2382 (100.0%) |
| PGP cases | 30 (6.8%) | 60 (13.7%) | 50 (11.4%) | 14 (3.2%) | 1 (0.2%) | 233 (53.1%) | 12 (2.7%) | 39 (8.9%) | 0 (0.0%) | 439 (100.0%) |
| Control | 62 (15.8%) | 57 (14.5%) | 43 (10.9%) | 0 (0.0%) | 3 (0.8%) | 202 (51.4%) | 12 (3.1%) | 14 (3.6%) | 0 (0.0%) | 393 (100.0%) |
| Total | 748 (23.3%) | 1113 (34.6%) | 317 (9.9%) | 31 (1.0%) | 31 (1.0%) | 651 (20.3%) | 77 (2.4%) | 179 (5.6%) | 67 (2.1%) | 3214 (100.0%) |

Table 2: Contingency table of court cases using specific technology (left) versus special power used by law enforcement (top)

| | No special power | Tapped | Tapped and/or readout | Tapped and/or located | Tapped / readout / located | Total |
|---|---|---|---|---|---|---|
| WhatsApp cases | 982 (41.2%) | 879 (36.9%) | 80 (3.4%) | 404 (17.0%) | 37 (1.6%) | 2382 (100.0%) |
| PGP cases | 87 (19.8%) | 145 (33.0%) | 38 (8.7%) | 123 (28.0%) | 46 (10.5%) | 439 (100.0%) |
| Control | 263 (66.9%) | 83 (21.1%) | 17 (4.3%) | 27 (6.9%) | 3 (0.8%) | 393 (100.0%) |
| Total | 1332 (41.4%) | 1107 (34.4%) | 135 (4.2%) | 554 (17.2%) | 86 (2.7%) | 3214 (100.0%) |

4 Results

Table 1 tabulates the crime rates for the eight main offence types defined by Statistics Netherlands cbs.nl. Other criminal offence tallies offences not covered by any of the other categories, for example, environmental crime or economic crime. Sometimes procedural judgments are not tied to a specific offence, for instance, extraditions. These are tallied in a separate column to be able to account for all 3,214 judgments. An offender may commit more than one crime, but we have counted only the offence with the most severe maximum sentence. A χ² test of association between technology and offence type was found to be statistically significant (χ²(16) = 854.7, p < 0.0005). This means that the different crime rates for offenders using a PGP phone or WhatsApp are unlikely to exist due to chance. As expected, the statistics of the precision-matched control group closely resemble those of the PGP cases.

Table 2 shows the relationship between the variables technology and special power. A χ² test of association between technology and special power was found to be statistically significant (χ²(8) = 331.3, p < 0.0005). Therefore, we may conclude that the police (a) uses its special powers more for PGP and WhatsApp cases than for the control group, (b) prefers the tap over other special powers (34.4%), (c) uses the tap often in combination with other special powers (24.1%), and (d) has not used its special powers in all cases and therefore still has powers to deploy.

Table 3 shows the relationship between the variables technology and decision. In a procedural judgment, the offender is neither acquitted nor convicted. This column is included to account for all 3,214 judgments. A χ² test of association did not reveal a significant difference between the conviction rates of the three groups. This means that there is no evidence that the outcome of a trial depends on whether the offender used E2EE.

Table 3: Contingency table of technology (left) versus decision (top)

| | Convicted | Acquitted | (Procedural) | Total |
|---|---|---|---|---|
| WhatsApp cases | 2220 (93.2%) | 117 (4.9%) | 45 (1.9%) | 2382 (100.0%) |
| PGP cases | 397 (90.4%) | 28 (6.4%) | 14 (3.2%) | 439 (100.0%) |
| Control | 351 (89.3%) | 28 (7.1%) | 14 (3.6%) | 393 (100.0%) |
| Total | 2968 (92.3%) | 173 (5.4%) | 73 (2.3%) | 3214 (100.0%) |
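
The χ² tests of association reported in this section can be recomputed from the counts printed in Tables 1 to 3. The Python code below is an added example, not code from the paper: the function names are hypothetical, the closed-form p-value only covers the even degrees of freedom that occur here, and restricting Table 3 to its Convicted and Acquitted columns is an assumption about how that test was run.

```python
"""Recompute chi-square tests of association from the paper's contingency tables."""
import math
from collections import namedtuple

# Observed counts copied from the paper's tables; rows are WhatsApp, PGP, Control.
# Table 1 columns: property, violent, public order, general provisions,
# road traffic, drug, weapon, other criminal, (procedural).
TABLE1_OFFENCE = [
    [656, 996, 224, 17, 27, 216, 53, 126, 67],
    [30, 60, 50, 14, 1, 233, 12, 39, 0],
    [62, 57, 43, 0, 3, 202, 12, 14, 0],
]
# Table 2 columns: no special power, tapped, tapped and/or readout,
# tapped and/or located, tapped / readout / located.
TABLE2_SPECIAL_POWER = [
    [982, 879, 80, 404, 37],
    [87, 145, 38, 123, 46],
    [263, 83, 17, 27, 3],
]
# Table 3, Convicted and Acquitted columns only. Leaving out the (Procedural)
# column is an assumption of this example, not something the paper states.
TABLE3_DECISION = [
    [2220, 117],
    [397, 28],
    [351, 28],
]

ChiSquareResult = namedtuple("ChiSquareResult", "statistic dof p_value min_expected")


def chi2_survival(x, dof):
    """P(X >= x) for a chi-square variable with an even number of degrees of
    freedom: exp(-x/2) * sum_{k=0}^{dof/2 - 1} (x/2)^k / k!."""
    if dof <= 0 or dof % 2 != 0:
        raise ValueError("closed form implemented for positive even dof only")
    half = x / 2.0
    term = 1.0
    total = 1.0
    for k in range(1, dof // 2):
        term *= half / k
        total += term
    return math.exp(-half) * total


def association_test(observed):
    """Pearson chi-square test of association on an r x c table of counts."""
    width = len(observed[0])
    if any(len(row) != width for row in observed):
        raise ValueError("all rows must have the same number of columns")
    row_totals = [sum(row) for row in observed]
    col_totals = [sum(col) for col in zip(*observed)]
    if 0 in row_totals or 0 in col_totals:
        raise ValueError("empty row or column: expected counts would be zero")
    n = sum(row_totals)

    statistic = 0.0
    min_expected = float("inf")
    for i, row in enumerate(observed):
        for j, count in enumerate(row):
            # Expected count under independence of row and column variable.
            expected = row_totals[i] * col_totals[j] / n
            min_expected = min(min_expected, expected)
            statistic += (count - expected) ** 2 / expected

    dof = (len(row_totals) - 1) * (len(col_totals) - 1)
    return ChiSquareResult(statistic, dof, chi2_survival(statistic, dof), min_expected)


if __name__ == "__main__":
    tables = (
        ("technology vs offence type (Table 1)", TABLE1_OFFENCE),
        ("technology vs special power (Table 2)", TABLE2_SPECIAL_POWER),
        ("technology vs decision (Table 3, two columns)", TABLE3_DECISION),
    )
    for name, table in tables:
        r = association_test(table)
        print(f"{name}: chi2({r.dof}) = {r.statistic:.1f}, p = {r.p_value:.3g}, "
              f"smallest expected count = {r.min_expected:.2f}")
```

The smallest expected count is reported alongside each statistic because the χ² approximation becomes less reliable when expected cell counts are small.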

5 Discussion

Research questions. The answer to RQ1 is that law enforcement uses more special powers in cases where offenders use E2EE than where they do not. This places a burden on law enforcement and ultimately on the taxpayer. However, law enforcement does not use all its special powers, and it does not use special powers for all cases either. More specifically, we have shown that taps, cell tower data requests, and seized phone readouts are more frequent for PGP cases than other cases. This can be explained by assuming that in a PGP case, a mere Internet tap would not provide enough data to create conclusive evidence. We have also shown that law enforcement does not use all its special powers for all cases. This suggests that law enforcement has sufficient options to fight crime while the use of E2EE is not restricted.

Some courts seem to hint towards legislative action against ‘criminal use’ of E2EE, as evidenced by phrases from court judgments such as:

• “Encryption telephones can be used to commit similar crimes, and their uncontrolled possession is contrary to the public interest, now that this type of telephone is often used in criminal circles.” ECLI:NL:RBAMS:2020:2075.
• “This crypto phone belongs to the accused and is of such a nature that its uncontrolled possession is contrary to the law or the public interest.” ECLI:NL:RBZWB:2020:1216.
• “The court is officially aware that such telephones are mainly used in criminal circles to hide conversations from the judicial authorities.” ECLI:NL:RBAMS:2019:2541.

The operational phrase in these citations is “uncontrolled possession” with which the judge indicates that PGP phones should not be used by just anyone. What the courts have probably not considered is whether controlling possession is feasible. The courts also did not consider the fact that the same technology is used by WhatsApp. If the legislator restricts the use of E2EE, the authorities would have to verify that all service providers duly implement the restrictions. We think that this would be a heavier burden on governments (and on the taxpayer) than the status quo.

The US attorney general claims that CSAM platforms and their actors who use encrypted messaging to communicate should be combatted by mandating a backdoor into all uses of E2EE. Naturally, we also want to see the successful prosecution of CSAM cases but wonder whether a backdoor is appropriate [12]. We have shown that in the Netherlands, the police have sufficient resources at their disposal to act effectively, even if offenders use E2EE. There is no question that E2EE without back doors makes the work of the police more difficult. But it is also not true that offenders in CSAM or terrorism cases who use E2EE go free.

The answer to RQ2 is that there is no evidence in our dataset that the conviction rate of offenders who use E2EE differs from the conviction rate of offenders who do not use E2EE. Moreover, it behooves us to assure that the 28 offenders in the dataset who used PGP and were acquitted were not terrorists or child abusers - as 20 out of the 28 cases are drugs-related. A further 3 are money laundering cases, 3 are murder cases, and 3 are extortion cases. There were no CSAM or terrorism cases amongst the 28. In 18 out of the 28 judgments, there was insufficient evidence to convict the offender, but there was enough evidence to convict a co-offender. This means that in the remaining 10 out of 439 cases (2.7%), a crime was committed while the offender was acquitted for lack of legal and convincing evidence.

Public-policy debate. The former U.S. Attorney General and his law enforcement colleagues bring up the burden of additional police costs to work around E2EE. But there are other interests too. For example, national security agencies will never use backdoor encryption because of the risk of the key to the back door ending up in the wrong hands. And confidentiality is crucial for national security agencies. Also, the commercial use of E2EE with a back door would probably not be viable because of the risk that a competitor would get hold of the keys. This means that many legitimate users of E2EE will find alternative means of that law enforcement will not be able to tap, thus aggravating the problem for law enforcement rather than ameliorating it.

The European Council, in its draft resolution on encryption of 6 Nov 2020, proposes to follow the lead of the US attorney general. One of the triggers for this initiative is the recent Vienna terrorist attack. What we know about this attack is that the gunman who was shot dead by the police was imprisoned in April 2019 to serve a 22-month term for terrorist activities. Unfortunately, he managed to persuade the Austrian deradicalization program that he was no longer a threat and he was therefore released on parole in December 2019. It is unlikely that banning E2EE would have prevented this error.

When making decisions, the justice system has an unenviably difficult task of (1) protecting society, (2) punishing offenders, and (3) not overwhelming the resources of the criminal justice system. Sentencing decisions must be made in a limited amount of time and based on limited information. This can lead to errors, but we believe that the likelihood of such errors can be reduced by providing appropriate resources to the criminal justice system.

If E2EE is weakened by policies that demand a back door, an infrastructure is needed to manage those backdoors.
Every nation-state will need to access these backdoors to prosecute its nationals, including states on the EU sanctions list. We believe that this is a recipe for disaster.

Banning E2EE will simply force terrorists, drug dealers, and pedophile rings to use alternative technologies. Well-funded offenders are already starting to develop their encryption platforms MPC. Initially, such tools will have many issues, but over time they will get better and will create a formidable obstacle to law enforcement.

Law enforcement currently does an excellent job of taking down dubious companies like Phantom Secure. Recent law enforcement operations against these dubious companies show that there are sufficient opportunities to monitor them and to act upon information that shows their involvement in illegal activity. Our recommendation is therefore not to build a back door into every application of E2EE, but to keep a watchful eye on relevant, ‘criminal’ service providers.

Limitations. Our analysis is focused on PGP and WhatsApp, as only nine cases mention Signal and two mention Telegram. We do not know when special powers have proven insufficient for law enforcement to build a case because such information is confidential. Instead, we have used acquittal by the courts as an indication of inconclusive evidence. The data we have used stems from the Dutch government and is not necessarily representative of other countries. The dataset also represents about 1% of all criminal judgments in the Netherlands.

6 Conclusions

The information position of technology companies and governments today is vastly superior to that of the nineties due to massive surveillance from online and offline sources. Encryption is one of the few technologies available to law-abiding citizens, corporations, and national security agencies that protect privacy. Criminals use that same technology, but does this give governments the right to take that last protection away from us? We believe that this would be akin to throwing the baby away with the bathwater. We have shown that law enforcement in a democracy with sufficient checks and balances can do its work without legislation that breaks encryption. And more specifically, an offender using E2EE does not necessarily influence the outcome of a criminal court case.

Acknowledgment

Conversations with Phil Zimmermann have been a great source of inspiration for this work. We thank Roel Wieringa for his comments on the paper.

References

[1] Ruba Abu-Salma, M. Angela Sasse, Joseph Bonneau, Anastasia Danilova, Alena Naiakshina, and Matthew Smith. Obstacles to the adoption of secure communication tools. In IEEE Symp. on Security & Privacy (S&P), pages 137–153, San Jose, CA, May 2017. IEEE. DOI:10.1109/SP.2017.65.

[2] Steven David Brown. Hacking for evidence: the risks and rewards of deploying malware in pursuit of justice. ERA Forum: J. of the Academy of European Law, 20:423–438, Feb 2020. DOI:10.1007/s12027-019-00571-z.

[3] Edward L. Carter. “Not to disclose information sources”: Journalistic privilege under article 19 of ICCPR. Communication Law and Policy, 22(4):399–426, Oct 2017. DOI:10.1080/10811680.2017.1364912.

[4] Fred H. Cate, Dan Boneh, Frederick R. Chang, Scott Charney, Shafrira Goldwasser, David A. Hoffman, Seny Kamara, David Kris, Susan Landau, Steven B. Lipner, Richard Littlehale, Kate Martin, Harvey Rishikof, and Peter J. Weinberger. Decrypting the encryption debate: A framework for decision makers. Consensus study report, The National Academies Press, Washington DC, 2018. DOI:10.17226/25010.

[5] Per Enge and Pratap Misra. Special issue on global positioning system. Proceedings of the IEEE, 87(1):3–15, Jan 1999. DOI:10.1109/JPROC.1999.736338.

[6] Second report of the observatory function on encryption. Joint reports, EuroPol and EuroJust public information, Feb 2020. https://www.europol.europa.eu/publications-documents/second-report-of-observatory-function-encryption.

[7] Joan Feigenbaum. Why the law-enforcement access question will not just go away. Commun. ACM, 62(5):27–29, May 2019. DOI:10.1145/3319079.

[8] Marcus Felson and Mary Eckert. Crime and everyday life. Sage publishing, sixth edition, 2019.

[9] Ronald F. Meijer, Susan W. van den Braak, and Sunil Choenni. Criminaliteit en rechtshandhaving 2019 ontwikkelingen en samenhangen. Cahier 2020-16, Wetenschappelijk Onderzoek- en Documentatiecentrum (WODC), 2020. https://repository.wodc.nl/handle/20.500.12832/254.

[10] Catherine O’Rourke. Is this the end for ‘encro’ phones? Computer Fraud & Security, 2020(11):8–10, Nov 2020. DOI:10.1016/S1361-3723(20)30118-4.

[11] Julie Posetti. Protecting journalism sources in the digital age. Unesco series on Internet freedom, United Nations Educational, Scientific and Cultural Organization, Paris, France, 2017. https://unesdoc.unesco.org/ark:/48223/pf0000248054.

[12] Ronald L. Rivest. The case against regulating encryption technology. Scientific American, 279(4):116–117, Oct 1998. DOI:10.1038/scientificamerican1098-116.

[13] Wolfgang Schulz and Joris van Hoboken. Human rights and encryption. Unesco series on Internet freedom, United Nations Educational, Scientific and Cultural Organization, Paris, France, 2016. https://unesdoc.unesco.org/ark:/48223/pf0000246527.

[14] Sigrid van Wingerden, Johan van Wilsem, and Brian D. Johnson. Offender’s personal circumstances and punishment: Toward a more refined model for the explanation of sentencing disparities. Justice Quarterly, 33(1):100–133, 2016. DOI:10.1080/07418825.2014.902091.

[15] Philip R. Zimmermann. The Official PGP User’s Guide. The MIT Press, Jan 1996. https://dl.acm.org/doi/book/10.5555/202735.
