The Commission proposed 6 concrete non-legislative measures to support law enforcement authorities in overcoming challenges posed by encryption in the context of criminal investigations. These measures respect the safeguarding of strong encryption, required for the functioning of the Digital Single Market and do not in any way prohibit, limit or weaken encryption ("no backdoors").
The Commission is not planning to prepare legislation on encryption in the near future.
The 6 practical measures are:
- strengthen Europol`s (EC3`s) technical capabilities to deal with encryption; pertinent funding for Europol was announced in the 13th Security Union Progress Report in January 2018;
- establish a network of centres of expertise, aimed at linking experts in the existing centres that are already set up in some MSs, and encouraging the participation of experts from Member States who do not have such a set-up using Europol`s experience; there is no intention to substitute those national centres with a supranational structure, but rather the creation of a collaborative space where experts may meet and discuss issues being encountered on the ground and share good practices.
- establish a toolbox of legal and technical instruments: collection of best/good practices provided by Member States, under Europol`s co-ordination;
- provide training to LEAs and the judiciary especially on encryption; all levels, developed jointly by ECTEG and CEPOL and delivered by CEPOL;
- establish a forward-looking observatory to monitor legal and technical developments;
- establish a structured dialogue with industry and with civil society organizations; under the umbrella of the EU Internet Forum.
Progress is underway on all six measures, including a transfer of EUR 5 million to Europol to enhance its existing capability to help law enforcement overcome the challenges posed by encryption in criminal investigations. Furthermore, the Commission is facilitating a structured dialogue to obtain a clearer and more holistic understanding of the issue.
Targeted discussions on possible longer-term strategies take into account the increasing sophistication and wide use of encryption tools in communication, as well as safeguarding user's personal data.
Why does the Commission address encryption in criminal investigations?
Encryption is regarded as an effective way of ensuring the protection of cybersecurity, data protection and privacy. It can help citizens and businesses to defend themselves against the abuse of IT technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information. According to a 2017 study by CSIS, around 18% of global communications traffic is end-to-end encrypted, which is expected to rise to 22% by 2019. Moreover, consumer devices increasingly make use of full disk encryption. However, encryption can also be used by criminals, which may complicate competent law enforcement authorities’ criminal investigations.
As technologies are becoming easier to access and use, even without any technical skills can use encryption to avoid detection. According to the 2018 Europol Internet Organised Crime Threat Assessment (iOCTA), law enforcement authorities increasingly encounter encryption in their criminal investigations. It is one of the major challenges to address, as it denies access to essential intelligence and evidence.