Encryption – Balancing Needs for IT Security & Law Enforcement

Strong encryption vs. state-mandated access to data and digital evidence like subscriber information and content is currently a topic of ongoing debate around the world. I've been involved in discussions at a number of multinational conferences which have dealt with this topic, including the UN Internet & Jurisdiction Policy Network and the Council of Europe’s Octopus Conference on cyber crime. 

I have also participated in two discussion panels on the topic hosted by the Internet Society (ISOC), the more recent at the Internet Governance Forum in November 2019. eco and ISOC are not alone in being very concerned about encryption policies on a global base. The belief is – and rightfully so – that the only defense we have right now against malicious actors – be it hackers, be it sabotage, espionage, malicious / invasive governments, whoever – is encryption, meaning not only encrypting transmissions, but also encrypting anything which is residing on your system. Currently the only available means to secure your data is to encrypt it. As a result, there is concern about governments who want to outlaw encryption or regulate it to pursue their own ends.

Governments, encryption, and law enforcement

The question here is whether governments will accept that strong encryption without any weaknesses is essential/what is required. In Germany, the government at least as of now has not yet pressed for mandatory weakening of encryption, rather the official government position is that strong encryption is required and even mandated for certain types of data. However, ongoing political debates and requests as well as banter of government officials of “security in spite of encryption” (as former Federal Minister of the Interior, Thomas De Maizière, put it) might be a wink towards a possible future change of policy.

There is an ongoing movement amongst several governments in the world to be able to break encryption or mandate access to encrypted information and contents by placing an obligation on hardware vendors and service providers. Yet another path ventured is by circumventing encryption, i.e. by the Ghost Protocol proposed by GCHQ.

There have also been efforts to weaken encryption, as was done at the IETF (the Internet Engineering Task Force), for example, when the NSA tried to weaken the new TLS 1.3 standard. Using weak cyphers – as was proposed – is completely unacceptable: if we use encryption, it should definitely be strong.

However, this leads to a stalemate in regards to the needs of law enforcement: How do you access systems which use encryption? How do you gain access to communication which is encrypted? There is a legitimate law enforcement angle, where they need access to systems and communications. Typically, this arises in relation to crimes like terrorism and child sexual abuse material (CSAM), but also other forms of serious crime.

There's always an angle where governments want access to communication, and there are considerable efforts underway currently to achieve this on a cross-border level. Here, even if you solve the difficult task of actually gaining access to communication, it doesn't help you if it's encrypted – you might not be able to read it. So what governments are trying to do is tap that at the source before it is encrypted. Unfortunately, this is also riddled with problems.

Circumventing encryption with state-mandated backdoors

Attempts to circumvent encryption leads to an IT security problem as, while governments may accept strong encryption, they end up compromising whole IT systems instead. Be it a mobile phone or a computer system, a laptop or other computing device: the government will want to have backdoors. They collect known vulnerabilities to access these systems, and that, of course, is an even bigger concern. If you accept insecure IT systems even though you already know there is a vulnerability, everyone is at risk.

It has been a point of contention for a couple of years now as to whether states can or even should hoard backdoors. And whether it’s acceptable practice for them to buy backdoors from the grey or even the black market in order to do that. I believe it has now come to a point where governments accept that this puts everyone at risk – even including themselves – but still continue the practice.

Part of the problem is that typically, the state doesn't have the capability to research their own vulnerabilities. They resort to buying them from hackers or dual-use software vendors – companies who basically produce state-mandated malware. However, these companies will not only sell to one government, they'll sell to a multitude of governments. The vulnerability used in country A might very well be known to the government of country B, because they used the same vendor. And cyber criminals from halfway around the world might also know this vulnerability and hence might be able to access the system. As a result, this process is unacceptable and there needs to be a conscious effort to close all known vulnerabilities right away.

Mandating industry to provide access to data and communications

The incidence of cyber crime as a whole and – more to the point – cyber incidents involving a known hack, continues to rise. Already in the first half of 2019, there were the same number of attacks as the previous year in total, meaning a doubling year on year. As a result, there's a growing understanding among states now that you need to secure the systems and close vulnerabilities. This may solve the problem of state-mandated malware, but it brings us back to the question of whether governments can live with strong encryption.

Law makers have come up with solutions like the new Australian law, which basically compels operators and vendors to help the government to decrypt – to offer the possibility for law enforcement to gain access to their hard and software. The law doesn't say how to do this or how it's supposed to be rolled out. Worldwide, there was considerable consternation about this law. It's a very strange piece of legislation because it is even unclear who this actually applies to. Will it apply to individual companies? Can the government even go to an individual employee of a company and demand access?

But that's one potential route that governments might take: accepting secure systems with no backdoors, but compelling the manufacturers, vendors, or operators of an online service to ensure (government) access to unencrypted data.

The Ghost Protocol – the hidden third receiver

Another proposed way forward is what GCHQ – the British secret service – suggested in a paper early in 2018, which is called the Ghost Protocol. This basically allows strong encryption and secure systems, but as an operator of a service, you will have to make sure that there is a third party being added to the communication on request.

So, if you have individual communication, two persons who are talking to each other, there would potentially be a hidden third receiver who will receive an encrypted copy of the communication. The interesting bit about this is that even the exfiltrate – the copy of the communication – will be securely transmitted to this third receiver. From a technical perspective, this is almost the perfect solution. But from an administrative perspective, it's a nightmare. Who will be able to add receivers? 

If authorities in country A can do it, will authorities in country B be able to do it? If a court in Russia says they want a receiver added, will an American company comply?

Even just looking at a federal state like Germany – where there are 16 state police forces, plus the federal police, plus fiscal and border police forces – and each force will want to be able to add receivers individually for their own separate investigations. And it won’t stop there, there will be further parties who will want this option. There could be at least 100 persons with the operational authority to add this third receiver. 

Anyone who ever worked with a group of people this large knows: It would no longer be possible to keep the keys and the method secure – and I am only talking about Germany, not the 195 countries of the world. In the end, basically anyone could add a receiver, which then leads to complete mistrust in electronic communication. This would put users in the position where they may well have a secure system, a secure transmission channel, and the best encryption standard, but they still wouldn't know if their communication remains private. The encryption debate would become a security debate with a complete loss of trust in the confidentiality of electronic communication. That is something we just can't afford in a digital society.

Making digital evidence accessible and usable

So what is the best way forward? To be perfectly honest, it's not like we – as an industry – don't understand that gaining access to digital communication is important. We, as network operators, ISPs, cloud service providers, and so on, are ourselves targets of cyber attacks, and we report a lot of incidents to the police. 

At the Octopus Conference this fall, I learned that 90 percent of all police investigations today require some form of digital evidence. Of this evidence, 60 percent is hosted somewhere in a foreign country. As a result, cross-border access to digital evidence has become a big issue for law enforcement.

A central point of discussion stems from the volatile nature of much of the data requested, which will only be stored for a couple of days, at the most maybe a couple of months. Given that the historic cross-border process – the so-called Multilateral Agreements or MLATs – is very slow (a problem that law enforcement agencies have been complaining about), only in about 1 percent of cases do they actually get the digital evidence that law enforcement sought. Of that, in the end only about a tenth is usable for prosecution purposes: Some of it is encrypted, and other items have problems with attribution or the chain of custody.

I completely understand and even support the general idea that something needs to be changed, that these figures are not acceptable in upholding the rule of law. But if you look at it objectively, encryption might be reducing 1 percent to 0.1 percent – while 99% are lost due to ineffective, non-digital processes. The question has to be asked: Is encryption really the problem?

You don't fire your weapon in a public crowd

Certainly, it is important to address the problem of criminal activity. But at the same time, obviously, you don't accept risks to the general public that stem from your capability to hunt criminals. You don't fire your weapon in a public crowd. 

You can't do that because the risk to everyone else is too high. You might hit the target, but you might also miss and cause collateral damage. These are established procedures and it's blatantly obvious that you cannot put the general public at risk in order to prosecute single individuals.

But in the cyber realm, we're doing exactly that. We are risking the general public if we don't have a very concise strategy to say we'll close every security vulnerability we discover, and that we will compel everyone to do that, regardless of who that is. 

This is, I think, the only way forward to ensure the safety of everyone – individuals, companies and even the state itself, because they themselves might be the target of the cyber criminal as well.

It is a problem, and it’s obvious that this won't go away. But you have that in a lot of areas of police work, that you can only go so far. You're not requesting that police have a second key for every home. Which is kind of like the same thing as the Ghost Protocol. There are certain established risks where we believe there should be limits to state authority, and this holds true for the cyber realm as well.

Securing systems against remote access – a compromise worth considering

For example, in Germany a provision has just been added that the German domestic intelligence service, the Verfassungsschutz (Office for the Protection of the Constitution), can put malware on a system at the location of the hardware. Most systems can be compromised when you have actual physical access to the systems. So this can be seen as an intermediary measure.

We at the eco Association have actually proposed this approach as well. Our suggestion was basically to take an in-between approach stating that every vulnerability which is accessible remotely from somewhere in the world should be secured immediately and should be reported. Anything which can be abused by a cyber criminal, by another state, by whomever, from a remote location should be closed. We're not so stringent about vulnerabilities which can be exploited when you have the device in your hand, when you are onsite or you can access the system in the home of the individual in question. This would give law enforcement access to the system, but would still prevent it from being exploited by cyber criminals. The same goes for access to a server in a data center: You would have to have physical access to the machine.

The key point is that we ensure there are no vulnerabilities which can be exploited remotely, because that is really the biggest concern right now. And if you look at the rating of vulnerabilities, there's always a much higher priority given to vulnerabilities which will give you root access from a remote location. Anything which is local has a much lower priority in being closed. Remote, in this case, might also mean through the LAN – the local area network – of a company. It's about gaining physical access to the device, being able to sit in front of the device, or open it up etc.. We at eco proposed it as an intermediate solution in talks with our members, with law enforcement, and the judiciary.

Obviously, if you take the purist approach, you shouldn't be able to do this even if you physically have the device in your hand: All data should be encrypted, even locally, and all of these vectors should be closed. But if you want to work with law enforcement, if you believe that law enforcement should have some way to access the data as part of criminal proceedings, then at least when they have the right to confiscate the device from a suspect and they have it sitting in their evidence room, I can live with them being able to access the data on the device once they’ve got physical hold of the device. It’s a tradeoff which greatly enhances the security of everyone else.

Separating subscriber data from content data – finding a global solution

I already knew that law enforcement’s capacity to make use of digital evidence is very limited, because if you report something to the police, it is very rare for anything to come out of it. Out of dozens of cases I’ve reported, I've never had a single case where it led to a prosecution. And I was really curious about why. I mean, we think we provided good evidence, but the moment it becomes international – and it's almost always international – it no longer really works.

Now that I've learned how bad it actually is in that respect, I did a bit of research: The problem really seems to be that states are not willing to adopt a global standard. While companies might be willing to adapt their policies, states typically have the approach that their judicial system is the only one, and that companies – even from another jurisdiction – should just deliver data to them under their terms and conditions.

There are some jurisdictions like the US that permit this. The large US providers can voluntarily provide subscriber information, but not content – you still need a court order for actual content. However, 99 percent of the requests for data are just that: Asking for subscriber data. In essence, law enforcement agencies just want to know who was behind that address.

The suggestion I made recently at several multinational conferences was to separate the process into two independent access regimes, and to develop a fully automated, purely digital system for subscriber data. Here, because of the sheer volume – several million international requests per year for subscriber data – you cannot run it through a process where everything is individually checked. You just have to compare to what is happening nationally. In most countries, there is already an automated system for releasing subscriber information. Almost anyone in law enforcement can request it, even for minor offenses – and it is used very often, running in the tens of millions annually for Germany alone. While we have an electronic system for subscriber information, you still need a court order if you actually want content or traffic information – as in who talked to whom. And that figure is comparatively low – tens of thousands annually.

My suggestion is that the processes be separated. That we build a fully automated system on a worldwide scale as well, which is also electronically verifiable. This means if I as a provider receive a request, I should be able to verify a digital signature that this is from a genuine agency who is authorized to make the request. Which obviously, when seen from the perspective of an industry player, would be regarded as a normal, everyday procedure. But then you end up with police who say, well, no, it's going to be years before the last police station in country X has that capability. And so the suggestion would be to build a national proxy where this is routed through. I mean, let’s be blunt: we're talking about digital evidence. How will you use and process data we supply to you in a secure, encrypted, and verifiable back channel if you can't even make the request for the information digitally? If you still want to send us a fax requesting that information? 

So in order to expedite the process, to greatly increase the percentage of successful requests for information, countries will have to be willing to adapt. At the very least, they should be able to have secure email addresses where we can send a signed email to or generate a signed request. In 2020, that's really not too much to ask for, is it? And it's funny who will agree to that and who won't. Sometimes you get completely unexpected countries perceived as being backwater that say no problem, we can do that right away. And other countries generally accepted as being “first world” countries are very reluctant.

But this is the whole discussion. Given that we as the industry have to build these systems anyway to combat domestic crime, we're used to having electronic interfaces to do that. So why can't we have a global interface to do that? 

When talking about digital evidence, most of that 99 percent that is missing is subscriber information - which is also very volatile and might be gone after a couple of days. We need a quick, automated system to do deal with this, ideally on a global scale.

To my surprise, this was viewed as a novel approach, even at the UN and the Octopus conferences. The idea that the industry might be willing to work towards this was welcomed. If a global standard to do this were adopted, that would reduce the problem and associated cost for all parties involved. And then for situations where you really need the digital content, we could then have a discussion about a manageable number of requests and we could go on to analyze how much of the remaining missing evidence is actually an encryption problem, and how much is a chain of custody problem. Without actually understanding that, weakening – or even worse outlawing – encryption would really be throwing the baby out with the bathwater.

Klaus Landefeld is Vice-Chair of the Board and Director of Infrastructure & Networks at eco – Association of the Internet Industry.

Since 2013, he serves as Chief Executive Officer of nGENn GmbH, a consultancy for broadband Internet access providers in the field of FTTx, xDSL and BWA. He also serves as network safety and security officer as well as data protection officer for several German ISPs.

Before establishing nGENn, Mr. Landefeld held a number of other management positions, including CEO at Mega Access and CTO at Tiscali and World Online. He was also the CEO and founder of Nacamar, one of the first privately-held Internet providers in Germany.

Mr. Landefeld is a member of a number of high-profile committees, including the Supervisory Board of DE-CIX Group AG, and the ATRT committee of the Bundesnetzagentur (Federal Network Agency).