Initial Concept for the Secure Communication Platform

The Secure Communication Platform (SCP), envisaged to be linked to the One-Stop Hub, aims to facilitate exchange of information and communication among practitioners in relation to their cooperation in the investigation and prosecution of corruption cases. UNODC will provide technical and operational services to build the Secure Communication Platform pursuant to the concept note of the GlobE Network. The third and fourth sessions of the Interim Task Force 3 on Tools and Services under the GlobE Network were held to collect specific customer needs and requirements of the SCP. The meeting had a fruitful discussion on the following matters:

1. Type of information to be exchanged

Although there are other communication platforms available for the secure exchange of information, experts and UNODC discussed the establishment of a complementary communication platform for anti-corruption law enforcement authorities, in particular those independent anti-corruption agencies with law enforcement mandates. The SCP could not only enable users to establish initial contact and exchange strategic information, but could also provide them with an additional channel to transmit operational or case-sensitive information in a safe and secure manner. Requirements for the SCP are intrinsically linked to issues of access to the platform as well as the level of security.

2. Access to the SCP

Experts advised that the SCP should be accessible to individuals designated as focal points through selection/nomination by the GlobE Network members. A number of experts expressed concern that practitioners would be hesitant to transmit case-sensitive information through focal points and may also need access to the SCP on a temporary basis to discuss specific cases with their foreign counterparts. For this purpose, the GlobE Network may wish to consider the possibility of granting certain practitioners temporary access to the SCP at a later stage. Specific vetting or a nomination procedure in this regard should be put in place by the secretariat in consultation with the GlobE Network members. Furthermore, a few experts proposed to establish a temporary secure “room” to bring together investigators and/or prosecutors from multiple jurisdictions involved in the same case and facilitate their communication. However, relevant feasibility needs to be further discussed with the IT specialists.

With regard to the number of focal points, consideration should be given to the administrative impact of a significant number of users. It was suggested that access numbers per jurisdiction should be restricted, at least initially, to allow the managed development of an effective system.

3. Level of security

Although no online information is truly safe (nor is information sent through other channels), security levels for online exchange of operational information can be stacked by utilizing appropriate protocols to realize end-to-end encryption and adopting additional security measures. Experts welcomed the use of end-to-end encryption for the exchange of operational information and discussed the possibility of temporarily storing information on the server in an encrypted manner, in accordance with domestic privacy and data protection laws, while also maintaining user friendliness for the SCP.

I. Encryption Protocols

Encryption protocols refer to the methods to send information safely from one user to another, which include two main approaches, i.e. client-to-server and end-to-end. While the first is not a preferred solution, the latter enables end-to-end encrypted transmission of information and uses the server as a momentary storage medium before the recipient user receives the information.

End-to-end encryption protocols would make the hacking of a packet of information stored on the server extremely difficult. More specifically, the technology of “Double Ratchet Algorithms” is used, which allows each packet of information sent to be encrypted with a different key every time. In this context, even if an outside party manages to break the encryption of a message, the key is only useful for one particular packet of information and does not compromise the entire system.
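The per-packet key property described above, as an added example that is not part of the original concept note: a Python sketch of the symmetric-key (KDF chain) half of the Double Ratchet, using the HMAC-SHA256 step with the constants 0x01 and 0x02 suggested in the published Double Ratchet specification. Assumptions: the Diffie-Hellman ratchet is omitted, the cipher is a toy HMAC keystream standing in for a real AEAD, and the shared secret, packets and function names are constructed for the example.

```python
import hashlib
import hmac

def ratchet(chain_key):
    """One KDF-chain step: returns (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

def _xor_stream(key, data):
    # Toy cipher: XOR with an HMAC-SHA256 counter keystream (stand-in for an AEAD).
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, b"enc" + i.to_bytes(4, "big"),
                               hashlib.sha256).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(message_key, plaintext):
    ct = _xor_stream(message_key, plaintext)
    return ct + hmac.new(message_key, b"mac" + ct, hashlib.sha256).digest()

def open_packet(message_key, packet):
    """Return the plaintext, or None if the key does not match this packet."""
    ct, tag = packet[:-32], packet[-32:]
    expected = hmac.new(message_key, b"mac" + ct, hashlib.sha256).digest()
    return _xor_stream(message_key, ct) if hmac.compare_digest(tag, expected) else None

def send_all(root_key, messages):
    """Sender side: every message gets its own key from the chain."""
    chain_key, packets, keys = root_key, [], []
    for m in messages:
        chain_key, mk = ratchet(chain_key)
        packets.append(seal(mk, m))
        keys.append(mk)
    return packets, keys

def receive_all(root_key, packets):
    """Receiver side: the same chain yields the same per-packet keys."""
    chain_key, out = root_key, []
    for p in packets:
        chain_key, mk = ratchet(chain_key)
        out.append(open_packet(mk, p))
    return out

# Constructed sample values, not taken from the concept note.
ROOT = hashlib.sha256(b"constructed shared secret").digest()
MESSAGES = [b"packet 0", b"packet 1", b"packet 2"]

if __name__ == "__main__":
    packets, keys = send_all(ROOT, MESSAGES)
    print(receive_all(ROOT, packets))                   # all three recovered
    print([open_packet(keys[1], p) for p in packets])   # leaked key 1 opens only packet 1
```

A leaked message key opens one packet only, because the chain key it was derived from cannot be recovered from it. A leaked chain key would expose every later packet on that chain, which is the case the omitted Diffie-Hellman ratchet addresses in the full algorithm.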

It was recommended that the secretariat, together with the UNODC IT department, examine existing solutions/products implementing these end-to-end encryption protocols, which may include , Threema, Element.io, etc. The added benefit of these existing products is two-fold: the protocols used are recognized to be of high quality and the top-tier protocols are also open-source platforms. In other words, the underlying code that makes up these platforms is available to anyone to assess and audit. Therefore, it would bring a high level of transparency and accountability, as security issues can be crowdsourced and fixed at an astonishing rate compared to other closed-source systems that require prolonged internal assessment.

II. Additional measures of security

It is also important to add certain levels of security that can be implemented on the users’ side. Users should be aware that they must practice personal security in how they access their information, instead of merely counting on the security level of the SCP. Relevant measures/options that can be taken by users include: secure passwords, biometric access control, multi-factor/two-factor authentication (mostly known as two-step verification) and using a as a means of verification. Notably, a majority of smartphones nowadays come with cryptographic chips in their hardware implementing a certain level of security within the phone.

Possible ways forward for the establishment of the SCP include: implementing an existing product that fits the requirements and adapting it to the intended SCP, building a customized SCP platform that also uses the latest and recognized encryption protocols, and other options subject to further discussion with the GlobE Network members.

Annex: Presentation of the UNODC IT Department

GlobE SCP (Secure Communication Platform) Concept Notes

Tobias Schoessler UNODC / ITS / Substantive Web Applications Team

Information and Technology Services

Talking Points from ITF Discussions

→ “What can / should be shared?”
→ “Who should access the Platform?”
→ “There are existing platforms …”
→ “Can’t we just use email? (or WhatsApp?)”
→ “We should not reinvent the wheel …”
→ “End to End encryption (E2EE)”
→ “Nothing (on the internet) is secure”
→ “Cost of Security”

Data Classification

• Public Website: User Registration; Vetting; Login
• Restricted Area: Community; Databases; Identity Directory
• Operational Messaging: One to One; Highly Secure Platform

Communication Concepts on the Internet

→ Internet Protocol
→ Client Server Model
→ Data Packet Routing
→ Data at Rest / Data in Transit
→ Can we have serverless communication?
→ Lower Level Protocols
→ OSI (Open System Interconnection Model)
→ Security Protocols
→ Client-to-Server
→ End-to-End
→ Browser / Mobile Apps

[Diagram: Client (Browser), Server, Client (Browser), connected by two https:// links, each labelled “client-to-server encryption”, with the label “end-to-end encryption”.]

Security Concepts

→ Advancements in
→ Symmetric Encryption
→ Public / Private Key Encryption
→ E2EE (End to End Encryption)
→ Password Policies
→ Multi-factor Authentication
→ Password – Something I know
→ Physical Key (phone) – Something I have
→ Phone as a secure Platform
→ Biometric Sensors
→ Cryptographic chips

Existing Solutions

→ Commercial Solutions
→ Cost effectiveness
→ Evaluation of Quality
→ E2EE Protocol, Implementation, Platform
→ Business Model / Privacy Policy
→ Peer Review (Open Source)
→ Certifications (Closed Source)
→ Reproducible / Signed Builds
→ Endorsements
→ Global Acceptance?

→ Existing Law Enforcement Communication Platforms
→ learn from existing implementation
→ establish trust level of information exchange on implementation details

Thank You.

(Image) Sources

→ https://www.khanacademy.org
→ https://signal.org
→ https://threema.ch
→ https://wire.com
→ https://element.io
→ https://www.whatsapp.com
