Europol seeks evidence of encryption on crime enforcement as it steps-up pressure on Big Tech
European Union member states have been asked to gather examples of how encryption technologies are frustrating criminal investigations as police and governments step-up demands for lawful access to end-to-end encrypted messaging services.
Europol aims to gather evidence to show how encrypted communication services supplied by tech companies including WhatsApp, Meta and Signal are exploited by criminals to hide their tracks, the agency has confirmed.
According to a European Commission working group, law enforcement agencies have struggled to “quantify” the challenges that end-to-end encryption poses in monitoring the communications of criminals and terrorists, as it has not been possible to collect data.
Known examples include the case of Khalid Masood, who conducted the London Bridge attack in 2017, killing 29 people and injuring six.
Minutes before the attack, it emerged that he had sent a PDF document entitled “Jihad” to a large number of his contacts on WhatsApp and Apple’s iMessage, both of which are encrypted by default.
In another case, UK police say their investigation into a rape was hindered because the suspects had used WhatsApp to send encrypted messages.
The European Commission confirmed last night that it was seeking to gather examples from European states to show how encryption has disrupted police investigations. A spokesperson said it was not yet clear whether the examples would be released publicly.
Europol chief steps up pressure
The move comes as Europol’s director general, Catherine De Bolle, stepped up public pressure on Big Tech during the World Economic Forum in Davos, Switzerland, calling in a newspaper interview for them to give law enforcement access to encrypted communications and data.
De Bolle told the Financial Times that Big Tech companies had a “social responsibility” to give police access to encrypted messages that were being used by criminals to protect their identity. She claimed that tech companies that did not comply could threaten democracy in Europe.
Her comments show the width of the gap between tech companies, computer experts and cryptographers, and police and intelligence agencies. Technology experts argue that any attempt to weaken encryption would put the public and businesses at greater risk from cyber criminals.
The European Commission’s high level working group, argues that while encrypted apps and devices protect the privacy of legitimate users, they also allow criminals to hide their identities, market illegal products and services, and launder money without detection.
Police should be granted “lawful and strictly controlled effective access to data”, it said. Law enforcement should also be involved in standards bodies to ensure that products are “shaped” to ensure that the technical requirements of law enforcement are “taken into account at an early stage”.
“Cooperation between companies and law enforcement is inadequate and deficient, and needs to be supplemented by clear rules,” the group’s November 2024 report said. “Without clear and enforceable legal obligations, companies are often unable to assist law enforcement in accessing data.”
Route to lawful access of encrypted data
The high-level group found the interception of telecommunications is an essential tool in investigations, but its effectiveness has decreased following the take-up of encrypted messaging apps, including WhatsApp, Facebook and WeChat, which account for 97% of messages.
Law enforcement experts have suggested a cautious approach, according to the working group. Technology companies should not be asked to integrate into any system likely to systematically weaken encryption for all users of the service. Lawful access should be targeted on a “communication by communication” basis.
There is a need to “advance gradually” and involve tech companies, cyber security and privacy experts given the “potential risks” and the sensitivity around public debate, the report argues.
De Bolle said that in the physical world, when police have a warrant to search a house, and the door is locked with the criminal inside, the public would demand that police should be able to enter the house. The same principles should apply to messages and data that are locked inside encryption, she argued.
European police chiefs’ warning on encryption
European police chiefs and the UK’s National Crime Agency warned in a declaration in April 2024 that privacy measures including end-to-end encryption would stop law enforcement’s ability to prosecute the most serious crimes, including child sexual abuse, drug trafficking, human trafficking, murders, economic crimes, and terrorism.
According to the declaration, signed by 32 countries, police chiefs were “deeply concerned” that end-to-end encryption would undermine the ability of law enforcement and tech companies to detect crime.
“Companies will not be able to respond effectively to a lawful authority,” the declaration states. “Nor will they be able to identify or report illegal activity on their platforms. As a result, we will simply not be able to keep the public safe.”
The police chiefs said they did not accept that there was a binary choice between cyber security and privacy, and public safety, arguing that technical solutions existed that would allow both, if industry and governments were flexible.
However, police and government claims that it is possible to provide law enforcement with access to encrypted communications are disputed by technology companies and cryptographic experts.
According to security expert Bruce Schneier, Chinese hackers appear to have accessed backdoors used by the US government to execute wire-tapping requests to breach US telecoms networks in the Salt Typhoon attack, posing major security risks to the country.
Many of the world’s top computer scientists and cryptographers warned in 2017, for example, that proposals by Apple to scan encrypted messages for illegal content on behalf of law enforcement were unworkable, vulnerable to abuse, and a threat to safety and security.
Weakening encryption is ‘threat to democracy’
Amandine Le Pape, co-founder of encrypted messaging service Matrix, which is used by police forces, governments and military organisations in Europe, told Computer Weekly that degrading encryption to provide access to law enforcement would weaken security for everyone, including police forces.
“I feel that weakening encryption is a threat to democracy because that gives the opportunity to any state to spy on their citizens,” she said. “Maybe we can trust our European governments today, but what about tomorrow?”
Le Page said there are ways for law enforcement to investigate crimes without having to break into encryption, which include monitoring unencrypted chats, social media and analysing meta data from communications.
The Matrix founder said that under De Bolle’s analogy of a locked door in a house, providing law enforcement access to encrypted messages was the equivalent to weakening the lock on the door.
“If the house has no door, then anyone can come into it, whether it’s the police or criminals wanting to break in,” she said.
