Europe’s top cop has taken to the BBC to once again slam encryption as the biggest threat to counter-terrorism and law enforcement.
Europol Director Rob Wainwright said encrypted communications gave plods across the continent the biggest headaches, and his main gripe was with the IT companies that provide them.
“We are disappointed by the position taken by these tech firms and it only adds to our problems in getting to the communications of the most dangerous people that are abusing the internet,” he said.
He told the civil liberties committee of the European Parliament the same thing last November. Now he says there is “a significant capability gap” that must be closed.
“It’s changed the very nature of counter-terrorist work from one that has been traditionally reliant on having good monitoring capability of communications to one that essentially doesn’t provide that anymore,” he told the Beeb.
However, Wainwright himself will not get his hands on any of that “capability”. According to Europol’s website, the organisation itself “has neither the technical equipment nor the legal authorisation to wiretap or monitor members of the public by any technological means”.
“Any information being analysed by Europol is provided directly by the co-operating law enforcement agencies. Europol’s principal role is to gather, analyse and re-distribute data,” he said in the interview.
That hasn’t stopped EU countries beefing up Europol with a new European Internet Referral Unit to find, identify and potentially remove websites used by terrorist groups.
National leaders across the EU have been calling for increased access to private communications since the Charlie Hebdo attacks in Paris. The European Council hopes the new unit will be up and running by June.
Meanwhile, tech companies will continue to boost end-to-end encryption after the Snowden revelations created a business case, as consumers demanded their communications be secured.
Dutch MEP Sophie in ’t Veld said she found his comments (which echo those of UK PM David Cameron) extremely worrying. “What is next? Having a lock on the front door of your home being a criminal offence? Banning people from protecting their private communications is unacceptable in a democratic society. We are really on a slippery slope here.”
“Not only individual citizens have a right to privacy, but journalists, politicians, lawyers, whistleblowers, NGOs, etc must be able to communicate freely, safely and knowing they are unobserved,” she added.
“There seems to be no limit to the appetite of secret services to know EVERYTHING about us, without being subject to any meaningful kind of oversight or bound by laws,” continued In ’t Veld.
“He believes all of this is caused by the ‘revelations’ on NSA mass surveillance. One would think it was the secret and illegal mass surveillance itself, not the fact it was revealed, that has breached trust,” said In ’t Veld.
In a David versus Goliath battle, an Austrian law student may topple the biggest EU-US data sharing deal when he gets his day in court in a couple of weeks’ time.
Max Schrems, who set up the Europe v Facebook group, alleges that Facebook violated the so-called safe harbour agreement which protects EU citizens’ privacy by transferring personal user data to the US National Security Agency (NSA).
The European Court of Justice (ECJ) will hear details of the case on 24 March.
Schrems first appealed to the Irish Data Protection Commissioner to investigate his claims. He was refused on the grounds that Facebook was signed up to the safe harbour agreement and so could transfer data to the US with impunity.
Under European data protection law, companies can only transfer consumer data out of the EU to countries where there is an “adequate” level of privacy protection. As the US does not meet this adequacy standard, the European Commission and the US authorities came up with a workaround and, in 2000, set up the voluntary safe harbour framework whereby companies promise to protect European citizens’ data.
These promises are enforced by the US Federal Trade Commission – but since the Snowden revelations, there has been doubt these promises are worth the paper they’re written on.
European officials are demanding answers and investigations into a joint U.S. and U.K. hack of the world’s largest manufacturer of mobile SIM cards, following a report published by The Intercept Thursday.
The report, based on leaked documents provided by NSA whistleblower Edward Snowden, revealed the U.S. spy agency and its British counterpart Government Communications Headquarters, GCHQ, hacked the Franco-Dutch digital security giant Gemalto in a sophisticated heist of encrypted cell-phone keys.
The European Parliament’s chief negotiator on the European Union’s data protection law, Jan Philipp Albrecht, said the hack was “obviously based on some illegal activities.”
“Member states like the U.K. are frankly not respecting the [law of the] Netherlands and partner states,” Albrecht told the Wall Street Journal.
Sophie in ’t Veld, an EU parliamentarian with D66, the Netherlands’ largest opposition party, added, “Year after year we have heard about cowboy practices of secret services, but governments did nothing and kept quiet […] In fact, those very same governments push for ever-more surveillance capabilities, while it remains unclear how effective these practices are.”
“If the average IT whizzkid breaks into a company system, he’ll end up behind bars,” In ’t Veld added in a tweet Friday.
The EU itself is barred from undertaking such investigations, leaving individual countries responsible for looking into cases that impact their national security matters. “We even get letters from the U.K. government saying we shouldn’t deal with these issues because it’s their own issue of national security,” Albrecht said.
Still, lawmakers in the Netherlands are seeking investigations. Gerard Schouw, a Dutch member of parliament, also with the D66 party, has called on Ronald Plasterk, the Dutch minister of the interior, to answer questions before parliament. On Tuesday, the Dutch parliament will debate Schouw’s request.
Additionally, European legal experts tell The Intercept, public prosecutors in EU member states that are both party to the Cybercrime Convention, which prohibits computer hacking, and home to Gemalto subsidiaries could pursue investigations into the breach of the company’s systems.
According to secret documents from 2010 and 2011, a joint NSA-GCHQ unit penetrated Gemalto’s internal networks and infiltrated the private communications of its employees in order to steal encryption keys, embedded on tiny SIM cards, which are used to protect the privacy of cellphone communications across the world. Gemalto produces some 2 billion SIM cards a year.
The company’s clients include AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers. “[We] believe we have their entire network,” GCHQ boasted in a leaked slide, referring to the Gemalto heist.