Decryption techniques should be further developed instead

The encryption debate doesn’t look to be ending any time soon, as global governments turn up the pressure on tech companies to combat the growing tide of cybercrime and terrorism networks.

Speaking at the RSA Conference in San Francisco last month, FBI director Christopher Wray reiterated the challenges of the long debated “going dark” problem, where secure messaging apps and devices are said to embolden criminal activity, both online and off.

“It can’t be a sustainable end state for there to be an entirely unfettered space that’s utterly beyond law enforcement for criminals to hide,” Wray told attendees at RSA.

“This is an issue that is getting worse and worse all the time, and every state and local law enforcement leader that I deal with, every member of the intelligence community that I deal with, every foreign partner that I deal with, is raising this issue with growing urgency.”

“But we’re also duty bound to protect the American people,” he said. “We have to figure out a way to deal with this problem.”

The FBI’s latest push to create systems that would provide law enforcement with exceptional access is unlikely to slow down, particularly when its overseas allies – such as Australia and the UK – have passed anti-encryption legislation that paves the way for what feels like Doomsday for privacy advocates everywhere.

But over in Europe, the stance on backdoors – or “backdoors by another name” – remains the same: there is no trade-off between security and privacy.

That’s, at the very least, a belief held by Yves Vandermeer, chair of the European Cybercrime Training and Education Group (ECTEG) – a non-profit organization that develops training materials on subjects such as computer forensics for universities and law enforcement across Europe, the UK, and beyond.

“Looking at decryption and encryption, if we respect privacy, then encryption is the main key to security in the IT world,” Vandermeer said, somewhat echoing comments made by Wray with the notion that secure communication is a crucial component to our digital infrastructure and, indeed, our rights as citizens.

“But we need to address the [encryption] challenge in other ways.”

Shut the front door

The ECTEG has been around for over 17 years, working closely with over 30 institutions, including Europol, and offering of courses aimed at improving the cyber capabilities of national law enforcement in several countries – especially those officers who are first to respond to a crime.

“The first responders are the biggest challenge, and that includes the encryption and decryption issue,” Vandermeer told The Daily Swig.

“When you shut down a computer, for example, some essential evidence may be lost.”

Vandermeer explained how an entire investigation could be slowed down due to lack of awareness over digital evidence gathering.

“Let’s say, for instance, the suspect writes down their password on a piece of paper on their desk,” he said.

“If the first responder doesn’t understand that encryption is a major challenge, it means that they will not make a copy of that piece of paper, which contains the password of the encryption key.

“And from that moment, the entire investigation is slowed down, and it will require a lot of resources to bypass the encryption.

“We need [financial] help with the existing ways there are to bypass encryption.”

Throw away the keys

In 2018 the European Commission allocated €500,000 (approximately $557,000) to helping law enforcement obtain access to encrypted information alongside a proposal to develop a toolbox of “alternative investigation techniques”.

Unlike a backdoor, these techniques are more thought of as encryption workarounds, which infosec researchers Orin Kerr and Bruce Schneier have previously classified as: “Find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy.”

“Australia had made it mandatory for all the service providers to provide a backdoor to allow law enforcement to access data,” Vandermeer said.

“The EU, at the political level, has gone counterclockwise and decided not to require mandatory backdoors, which I think is a good decision because once criminals know the software that has a backdoor, they’ll move to another software.”

He added: “It’s quite easy to produce a software enabling encryption.”

While Europe has so far remained steadfast in refusing to take up the backdoor battle cry, multiple stakeholders in the cybercrime arena have pushed for a new legal framework to be developed in order to effectively deal with cybercrime and terrorist cases.

“Encryption combined with other technologies, like the cloud, means that somebody can arrest me, [but] I can refuse to give over my passwords, and ask two accomplices to use my passwords to wipe all my data,” Yandermeer explained.

“Then there is a risk that evidence will be deleted, or compromised, and that is something that is not acceptable on the side of the process of the investigation, and also on the rule of law.”

The current challenge that encryption presents in legislation and the courtroom is the disintegration of a search warrant – a digital equivalent of a house search, which is needed in many investigations but is blocked by a technical capability with no easy way in.

But Vandermeer says there’s always a way – one that shouldn’t undermine the security of wider communications but which needs international cooperation to facilitate expertise exchange.

“The criminals should know that we will always try to bypass encryption in criminal and terrorist cases,” he said.

“They may change the encryption system, they may change the communication systems, they may hide evidence, but that’s the duty of law enforcement – to find evidence, and there’s always a weak link somewhere in that process.”

RELATED ‘Are we building surveillance into systems, or are we building in security?’