Euro police chiefs rekindle end-to-end encryption battle amid continued rollouts
End-to-end encryption plans are putting users in danger and making it harder to fight crime, police claim, but tech industry stakeholders disagree
European police chiefs have warned the increasing use of end-to-end encryption (E2EE) is making it harder for them to investigate crime and keep people safe.
Graeme Biggar, director general of the UK’s National Crime Agency, said that encryption can be hugely beneficial, protecting users from a range of crimes.
However, the “blunt and increasingly widespread rollout” by major tech companies is putting users in danger due to a lack of sufficient consideration for public safety, he argued.
“These changes are also making it harder for us to investigate serious crime and protect the public, as the companies are less able to act on a warrant and provide us with the data of suspected criminals,” Biggar said.
The statement was issued by international policing agency Europol and backed by 32 European police chiefs.
E2EE means that a message is encrypted when it is sent, and only unscrambled when it arrives at the recipient’s device. It cannot be read by anyone in between.
While this means that sensitive messages can be securely sent over the internet, it also means that neither the tech companies themselves, nor police and other law enforcement agencies, are able to intercept these messages and – for example – uncover a criminal plot.
“Our homes are becoming more dangerous than our streets as crime is moving online. To keep our society and people safe, we need this digital environment to be secured,” said Europol executive director Catherine De Bolle.
The authorities argue that E2EE rollouts will hamper their ability to tackle serious crime threats, because tech companies cannot respond to a warrant when the information has been encrypted.
The NCA pointed out that “one stream of data” provided by tech companies in response to warrants led to 327 arrests, the seizure of 3.5 tonnes of Class A drugs, the recovery of £4.8m, the identification of 29 previously unknown threats to life, and a further 100 threats to harm, between January and March this year.
For their part, the tech companies argue that by providing E2EE they are delivering the security that their customers want - and need - to keep them protected from crooks and scammers. They say the net result of strong encryption is to make most people safer.
Europol noted that its declaration comes as Meta has started to roll out E2EE across its Messenger platform.
Meta told ITPro the overwhelming majority of Brits already rely on apps that use encryption to keep them safe from hackers, fraudsters, and criminals.
“We don’t think people want us reading their private messages so have spent the last five years developing robust safety measures to prevent, detect and combat abuse while maintaining online security,” a spokesperson said.
“As we roll out end-to-end encryption, we expect to continue providing more reports to law enforcement than our peers due to our industry leading work on keeping people safe.”
End-to-end encryption goals still unclear
While the police chiefs said industry and governments should “take action against end-to-end encryption roll-out”, it’s not entirely clear what they want done instead.
“We do not accept that there need be a binary choice between cyber security or privacy on the one hand and public safety on the other. Absolutism on either side is not helpful,” the statement said.
“Our view is that technical solutions do exist; they simply require flexibility from industry as well as from governments. We recognize that the solutions will be different for each capability, and also differ between platforms,” it added.
But finding those technical solutions may be hard. Governments and tech companies have consistently struggled to find some form of compromise when it comes to E2EE. It’s a standoff that is unresolved and probably unresolvable. Data is either encrypted end-to-end or it is not.
Governments can ban E2EE but the most likely impact would be that big tech companies would simply stop offering services in any countries that did so. That would make the average user there much less secure, while crooks would just buy their encryption tools on the black market.
The UK government’s recent Online Safety Bill illustrated the bind that governments find themselves in. While the legislation theoretically gives the government the power to ask for encrypted messages, it also acknowledges that – at least for now – there is no technical way of doing it.
Pam Cowburn, head of communications and campaigns at The Open Rights Group, said E2EE keeps messages safe and secure, and helps to protect users from fraud, scams, and other criminal behaviour.
“Preventing Meta from rolling out end-to-end encryption could deny billions of users this security,” she told ITPro.
“While the UK government adopted powers that could allow the private messages of everyone in the UK to be scanned, it did concede that this could not be put into practice without jeopardizing people’s security and privacy.
“Open Rights Group has called for Ofcom to publish regulations that make clear that there is no available technology that can allow for scanning of user data to co-exist with strong encryption and privacy.”
Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.