On 12 September, EDRi published the position paper “Encryption Workarounds: a digital rights perspective”. It was published in response to the European Commission’s expert consultation exercise around the Encryption Workarounds paper by Orin Kerr and Bruce Schneier.
Encryption is probably the most effective way to protect our electronic data. It transforms data into ciphertext, which looks like a random set of characters. A user can access the data in its original form – decrypt the ciphertext and turn it back into its original form – using an encryption key or password. Even if encryption is hard or impossible to break, there are several workarounds available that could help access the data. These practices can facilitate police investigations, but they can also directly interfere with fundamental rights, which is why safeguards are needed. The European Commission has recognised in its recent cybersecurity strategy that encryption “enables protecting fundamental rights such as freedom of expression and the protection of personal data”.
EDRi’s position paper describes ways law enforcement authorities can use to access encrypted data within the framework of their investigations. The current policy applicable to these practices does not provide an adequate level of protection for fundamental rights, especially for the rights to privacy, personal data protection, free expression and due process. There are several techniques that law enforcement authorities can use to access encrypted data. They can be broadly divided into two approaches, each of which can be subdivided into different workarounds, as illustrated in the Kerr / Schneier paper:
- The first approach consists in obtaining the key: law enforcement authorities can (a) find the key through a physical search for its copy, which could be stored, for example, on a USB drive or on a scrap of paper; (b) guess the key by trying different keys until one of them works; or (c) obtain the key from the user of the device, for example via social engineering or legal obligation.
- The second approach relates to accessing plaintext through bypassing the key. The most frequent workarounds proposed for this are: (a) exploiting a flaw or weakness in the system (or government hacking) after having discovered or purchased vulnerabilities within a legal framework based around human rights; (b) accessing plaintext when it is in use through either the installation of software or spyware, or conducting physical surveillance; and (c) locating a plaintext copy, maybe on another device or via another user.
In EDRi’s position paper “Encryption Workarounds: a digital rights perspective”, we stress the importance of putting in place specific and strong safeguards for any planned encryption workaround. These protections are indispensable, especially concerning highly sensitive data on a decrypted device. However, safeguards related to traditional searches also need to be taken into account, particularly in regards to practices such as the use of CCTV in public places or the installation of a keylogger on a suspect’s device. Nowadays, governments are increasingly using hacking to access data. As shown by research conducted by EDRi members, like Access Now, there are no examples of governments respecting basic human rights principles to be found among current instances of government hacking. Therefore, the paper recommends government hacking to be presumptively banned until further safeguards are met.
The Commission, as “Guardian of the Treaties”, has to investigate and address this situation with regard to activities that fall under its remit, and to closely examine the issue of government hacking in particular. Current law and policy fail to provide adequate protection of fundamental rights – the need to assess and reform them is pressing.
EDRi’s paper Encryption workarounds: a digital rights perspective (12.09.2017)
Encryption – debunking the myths (03.05.2017)
Orin Kerr’s and Bruce Schneier’s paper Encryption workarounds (20.03.2017)
European Commission’s communication Resilience, Deterrence and Defence: Building strong cybersecurity for the EU (13.09.2017)
(Contribution by Ana Ollo, EDRi intern)