THIRD REPORT OF THE OBSERVATORY FUNCTION ON ENCRYPTION Joint report Manuscript completed in June 2021. Europol and Eurojust Public Information Neither the European Commission nor any person acting on behalf of the Commission is responsible for the use that might be made of the following information. © European Union, 2021 cover Picture: ©iStock Reuse is authorised provided the source is acknowledged. CONTENTS 1 Executive Summary 6 2 Introduction 8 3 The legal aspects of handling encryption in criminal investigations 9 3.1 Legislative overview of legal frameworks relating to attacking encryption 9 3.1.1 Background 9 3.1.2 Current legislative overview on encryption 9 3.1.3 Relevant jurisprudence 13 3.1.4 Casework experiences related to the use of encryption tools by criminals 14 4 Technical developments and their effects on investigation efforts 16 4.1 Hardware based encryption 16 4.2 Encrypted communication devices using a variety of different encryption algorithms standards 18 4.3 Bcrypt Password Hashing and Increased iteration count 18 4.4 On-Client (browser) password policy checking mechanisms 22 4.5 oDoH-Oblivious DNS over HTTPs 22 4.6 Quantum computing 24 4.6.1 Upcoming opportunities and challenges 24 4.6.2 A standardisation effort initiated 25 4.7 Conclusion 26 5 EncroChat case: An example of good practice 27 6 Policy developments influencing and shaping the debate on encryption 29 6.1 Introduction to the policy debate 29 6.2 Developments within the European Union 30 6.3 Developments outside of the European Union 31 6.3.1 Encryption and the Five Eyes Intelligence Alliance 31 6.3.2 Focus on Australia. The Access and Assistance Act 32 6.3.3 Efforts in the United States 34 6.3.4 Conclusion 35 7 Conclusion 36 Table 1 Legal Provisions on Attacking Encryption by Law Enforcement. 10 Figure 2 HBE in Apple devices using the T2 security chip 17 Figure 3 Pre-computation step 20 Figure 4 Recovery Step 20 Figure 5 Traditional DNS requests 23 Figure 6 DoH requests 23 Figure 7 ODoH requests 23 LIST OF ABBREVIATIONS AES Advanced Encryption Standard AFP Australian Federal Police APFS Apple File System ASIO Australian Security Intelligence Organisation BPF Browser Password Field CDT Center for Democracy & Technology DNS Domain Name System DoH DNS-over-HTTPS DPP Domain Password Policies E2ee End-to-end encryption EC3 European Cybercrime Centre ECHR European Court of Human Rights EIO European Investigation Order EJCN European Judicial Cybercrime Network EU European Union FBI Federal Bureau of Investigation FDE Full disk Encryption HBE Hardware-based Encryption HTTP HyperText Transfer Protocol HTTPS HyperText Transfer Protocol Secure IP Internet Protocol ISP Internet Service Provider JHA Justice and Home Affairs JIT Joint Investigation team LEA Law Enforcement Authority MLA Mutual Legal Assistance Request NCMEC National Centre for Missing and Exploited Children ODoH Oblivious DNS over HTTPs QSC Quantum-Safe Cryptography SSD Solid State Drive TPM Trusted Platform Module TLS Transport Layer Security 1. EXECUTIVE SUMMARY Access to data-in-clear of encrypted communications and stored data presents several difficult and controversial issues and continues to create tensions between key stakeholders, including law enforcement and the judiciary and civil society organisations, leaving policy makers with the mammoth task of balancing all the important considerations in this debate. Thus far efforts to identify technical solutions that are feasible and proportionate and which safeguard fundamental rights have struggled to reconcile all the equities. In the midst of this discussion encryption continues to develop and become the main means to safeguard a number of online technologies, including electronic communication services, online storage spaces, mailboxes etc...This further complicates the encryption landscape, and significantly challenges criminal investigations. This third report of the Observatory Function on encryption builds on previous reports and looks at the relevant technical and legislative developments, re-visiting some topics, which deserved further consideration. In the interim between this and previous reports, there have only been a few developments in European Union (EU) Member States’ national legal regimes to incorporate new provisions that tackle the challenge of encryption in criminal investigations. These new approaches can be categorised into two distinct parts: one deals with tools that directly tackle encryption and the others category provides for tools to gain access to content before it is encrypted, or after it is decrypted and bypass encryption altogether. This is further underpinned by jurisprudence that exemplifies the use of the provisions mentioned. Insights are shared on encryption in the context of cross-border cases. Eurojust here identifies two key focuses; cases in which decryption of the tool used by criminals is the main focus of the investigation and ‘spin-off cases’ where the focus is on other aspects rather than decryption, but where the decrypted communications among criminals are required as evidence. An analysis of considerations ancillary to decryption, such as the need to find legal means to decrypt electronic communications, admissibility of evidence obtained from decrypted devices, and the sharing of such data with other law enforcement agencies in the context of cross-border cases is explored. The report elaborates on the challenges faced by law enforcement in environments where encryption is a default setting for many user devices and services, presenting recent developments in products that make use of encryption or develop it further. The report takes a detailed look at hardware based encryption, the Bcrypt password hashing function and increased iteration counts. It also provides information on the increasing robustness of browser password checking mechanisms employed by companies to help users generate and utilise stronger passwords ensuring that they remain safe online. Linking up from previous reports, this piece of work introduces the concept of oblivious DNS (Domain Name System) over HTTPs (Hypertext Transfer Protocol Secure) that separates IP (Internet Protocol)addresses from search queries. This is done by adding a layer of encryption around the DNS query before it is sent to the proxy serve that acts as a go-between for the internet user and the website they want to visit. This technology shields the sender of the query from the DNS resolver. All these developments reflect the increasing dependence on encryption to safeguard cybersecurity, data protection and privacy of communications. In itself this is a welcome and necessary development. Unfortunately, this technology can equally be used for criminal purposes, complicating further criminal investigations. Quantum computing may in the next decade offer some possibilities to help mitigate these difficulties. Quantum technology is set to have a significant effect on cryptography, however it remains hard to predict the timing and the concrete effects it would have on encryption. The report explores what quantum computers might be able to achieve in the future. 6 Another important element in this report is an overview of the EncroChat case. It is an example of good practice that incorporated the right technical and legislative elements that have underpinned this delicate operation. A background and insights into the case shed more light on the effort and quantifies the developments and the next steps. For the first time, the report introduced a third viewpoint, cataloguing the key policy developments taking place in regions and countries around the world. This complements the other parts of the report and aims to provide readers with a more complete understanding of this complex topics and set out with more clarity and helps piece together the interactions between the technical, legislative and policy challenges. In this first inclusion, the report highlights developments inside the EU, particularly the adoption by the Council of the EU of the resolution on encryption and it provides information on the US EARN IT act that is being taken forward in Congress. The report also covers the discussion on encryption taking place in the Five Eyes Country alliance and the adoption by the UK, US, Australia, Canada New Zealand, Japan and India of the international statement on end-to-end encryption and public safety. This is followed by a piece on Australia’s Access and Assistance Act of 2018. 7 2. INTRODUCTION As we continue to spend more of our lives online, we expect more digital security to safeguard our activities. Whilst encryption technology on its own does not solve the challenge of providing effective security for data and systems, it is at the heart of digital security, making it part of our daily lives and fuelling developments in this area of technology and others reliant on it. At the same time, the wider usage of encryption technology continues to be increasingly exploited by criminals, both as part of their modus operandi and as a mean to enable secret communication and illegal activities by putting them out of law enforcement’s reach. This continues to create challenges for both the law enforcement and the judiciary communities and significantly hampers these authorities’ ability to investigate and prosecute. The first Observatory Function report provided a brief overview and historical background of encryption, and explored the challenges faced in the context of law enforcement and prosecution. The second report provided a comprehensive update of the encryption challenge and looked at the potential of a number of options that could help law enforcement mitigate the issues arising from encryption and related challenges. This third report is similarly structured to provide an update capturing the legal and technical developments that have taken place since the previous report, and what they mean in practical terms. A number of topics presented in previous reports, such as quantum computing are re-visited here as developments continue to take place in these specific areas. A third aspect has been included in this report looking at a number of policy developments on encryption inside the European Union (EU) and in other key regions.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages37 Page
-
File Size-