Tech companies must surrender their crypto-keys, says EU adviser

EU counter-terrorism measures propose enforced hand-over of encryption keys - a proposal described as unenforceable and ineffective policy decided by people who don't understand the technology.


Internet and telecoms companies should be forced to hand over their data encryption keys to security agencies, according to the European Union's counter-terrorism co-ordinator.

Gilles de Kerchove's controversial call comes in a briefing note that “sets out priorities which should be taken forward urgently” by EU Justice and Home Affairs Ministers.

The 14-page document, which has been leaked to London-based civil rights group Statewatch, complains that “the encryption internet and telecoms companies have started to use increasingly makes lawful interception by the relevant national authorities technically difficult or even impossible”.

In response, de Kerchove urges: “The European Commission should be invited to explore rules obliging internet and telecoms companies operating in the EU to provide - under certain conditions as set out in the relevant national laws and in full compliance with fundamental rights - access of the relevant national authorities to communications (ie, share encryption keys).”

If his policy is accepted, it would go forward to the EU heads of government, including David Cameron, who are meeting on 12 February.

The advice echoes Cameron's current campaign to ‘roll back’ the encryption that firms such as Google, Facebook, Apple and Microsoft have introduced to protect customer privacy in the wake of the Snowden revelations - which has also gained some support from US President Obama.

The briefing document refers directly to the recent Paris terrorist murders and says: “The EU has to respond with meaningful action. Failure to do so could result in disillusionment of citizens with the EU.”

It suggests:

* The European Commission could present “as soon as possible” a new legislative proposal for data retention.

* The Commission should deepen its engagement with internet companies. “A dialogue with the internet companies is necessary at both EU and at international level.”

* The Commission should look at ways to speed up the process of getting cross-border information about owners of IP addresses.

* Other European countries could match the UK's Counter-Terrorism Internet Referral Unit (CTIRU), which flags terrorist and extremist content to social media platforms, and has had 72,000 pieces of content removed since February 2010.

* The EU could create a team of cyber-terrorism prosecutors within a European cyber-crime judicial network.

But European cyber-expert Brian Honan, head of BH Consulting, said the proposal to force tech firms to hand over their encryption keys would simply not work.

“Apart from the fact that it undermines the security and privacy of those who depend on encryption, it's not a workable solution in technical terms,” he told SCMagazineUK.com.

“If you're using end-to-end encryption like PGP or similar to secure your email, you own the keys yourself. Your ISP doesn't have the keys, the telecoms companies don't have the keys, so it's not going to enable law enforcement agencies to monitor encrypted traffic of criminal or terrorist suspects, because they will be using those technologies.”

Honan added: “My concern is that we would have politicians and others who don't understand technology and the implications of the technology, bringing in laws or regulations that would be unenforceable and ineffective against the targets that they're after.

“If you make certain encryption tools illegal, it's not going to stop criminals or terrorists from using them. If you introduce backdoors or weaken encryption in certain tools or products, it's just going to the legitimate tools or products that normal people use - and again the criminals or terrorists will use alternatives that can't be regulated.”
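Honan's point about key custody, as an added illustration that is not part of the article: two users agree a key with Diffie-Hellman and the provider in the middle only ever relays public values and ciphertext, so it holds nothing it could surrender. The group parameters, the toy stream cipher and the `provider_store` structure are assumptions chosen for readability, not the design of any real product.

```python
"""Toy end-to-end exchange (added illustration; not from the article).

Toy DH parameters and a toy SHA-256 keystream are used so the whole
thing runs on the standard library. Illustration only, not for real use.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption: a small Mersenne prime for readability;
# real systems use standardised large groups or X25519).
P = 2**127 - 1
G = 5


def dh_keypair():
    """Return (private_exponent, public_value) for one party."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def derive_key(shared_secret):
    """Hash the shared DH value into a 32-byte symmetric key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def keystream(key, nonce, length):
    """Toy keystream: SHA-256 over key||nonce||counter, concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """nonce || ciphertext || HMAC tag over nonce and ciphertext."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Return the plaintext, or None when the tag does not verify (wrong key)."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def run_exchange(message):
    """Alice -> provider -> Bob. Returns (what Bob read, what the provider holds)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # The provider relays the public values; the private exponents never leave
    # the endpoints, so they are simply absent from its records.
    provider_store = {"alice_pub": a_pub, "bob_pub": b_pub}
    alice_key = derive_key(pow(b_pub, a_priv, P))
    bob_key = derive_key(pow(a_pub, b_priv, P))
    blob = encrypt(alice_key, message)
    provider_store["ciphertext"] = blob
    return decrypt(bob_key, blob), provider_store


def provider_attempt(provider_store):
    """Feed decrypt the only thing the provider can compute from its records
    (a combination of the two public values). Without a private exponent this
    is not the shared key, so the tag check fails and None comes back."""
    guess = derive_key((provider_store["alice_pub"] * provider_store["bob_pub"]) % P)
    return decrypt(guess, provider_store["ciphertext"])


if __name__ == "__main__":
    bob_read, store = run_exchange(b"meet at noon")
    print("Bob read:", bob_read)
    print("Provider holds:", sorted(store))
    print("Provider decrypt attempt:", provider_attempt(store))
```

The point of the `provider_store` dictionary is what is not in it: a key-surrender rule can only reach material the intermediary actually possesses, and with end-to-end designs that is public values and ciphertext.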

Honan said: “Maybe part of the problem is that somebody needs to be seen to be doing something.

“If regulations or legislation is introduced to support that policy, then it's succeeded. If no rules are brought in and an atrocity happens, people can raise up their hands and say ‘you know they used encrypted communications, that's why this happened’.

“For those pushing that policy, either way potentially it could be a win-win.”

UK cyber-expert Professor John Walker, director of cyber-forensics at Cytelligence Ltd, said he had sympathy with de Kerchove's idea - but he too doubted it would catch real terrorists.

Walker told SC via email: “I applaud any action which works toward diminishing the obvious threat we now all face with the underpin of the internet and global communications channels to accommodate the passing of radicalised, and terror-related information.

“I would have no issue whatsoever in any government department or international agency having access to my data, so long as such access is regulated, and proportionate to the invasion.

“The only flag I would raise is, this will not counter the communication capabilities of the covert channels of the dark web, and will not catch those serious individuals who have the knowledge to circumvent such monitoring capabilities.”