The Article 29 Working Parting has released new guidance on encryption standards
The EU’s General Data Protection Regulation (GDPR) goes into effect in exactly one month on May 25th. That’s in 20 business days. Hopefully you’ve been staying on top of everything by keeping up with our GDPR Compliance series. Today, we’re going to discuss new guidance on Encryption standards that was issued by the Article 29 Data Protection Working Party on April 11.
At issue is request from numerous parties, namely law enforcement in this case, to weaken encryption by including workarounds and backdoors that would enable the authorities to decrypt information more readily. Let’s Hash it out.
The argument for encryption backdoors
This is a topic we’ve covered quite a bit here on Hashed Out. If you’ll remember, just last month the final approval of TLS 1.3 by the IETF was temporarily delayed by an 11th hour request from the financial industry to insert an encryption backdoor for the sake of traffic inspection. That attempt was rebuffed, but it was really just the latest in a long line of requests to undermine encryption.
While the issue predates it, the terrorist attack in San Bernardino, California that killed 14 people kicked off the current iteration of the debate. The FBI fought publicly with Apple over its inability to unlock one of the terrorists’ iPhones. At a December 9, 2015 Senate Judiciary Committee hearing, then-FBI Director James Comey called for a “solution” to allow government access, but that didn’t weaken security.
That was obviously a ridiculous ask, as such a backdoor would definitely weaken encryption. But that hasn’t stopped the leaders of law enforcement, along with political leaders in both the US and the UK from continuing to ask. In the UK, the brain trust in the Conservative Party, which let the encryption on its own website lapse last year, has called for everything from backdoors to an outright ban on encryption.
Fortunately, the Article 29 Data Protection Working Party has said bollocks to that and has come out with guidance on encryption that makes no bones about the fact that it should not be weakened for law enforcement or anyone else.
Article 29 Data Protection Working Party Guidance on Encryption
While WP29 attempted to find a balance between the needs of law enforcement and the rights of individuals to strong security, it came out on the side of the individuals.
“The availability of strong and efficient encryption is a necessity in order to guarantee the protection of individuals with regard to the confidentiality and integrity of their data which are the elementary underpinning of the digital economy. Any obligation aiming at reducing the effectiveness of those techniques in order to allow law enforcement access to encrypted data could seriously harm the privacy of European citizens.”
To that end, the Article 29 Working Party has communicated the following points regarding encryption standards:
Strong encryption is required to ensure a secure, free flow of data between citizens, businesses and governments
WP29 begins by extoling the virtues of encryption, noting that it is necessary to offer a “reasonable guarantee” when performing most online activities such as banking, filing taxes, corresponding via email or making an appointment with a physician. Without encryption in place, any information shared in the process of performing said activities would be vulnerable to eavesdropping.
In the eyes of WP29, and by extension with regard to the GDPR, encryption is viewed as “absolutely necessary and irreplaceable for guaranteeing strong confidentiality and integrity when data are transferred across open networks like the internet, or stored in mobile devices like smartphones.”
“This encryption should ideally always cover the entire communication, from the device of the sender to that of the recipient (end to-end-encryption).”
Additionally, in order for your encryption to be considered dependable WP29 promotes the “broadest public availability of state of the art, strong and reliable encryption… for public scrutiny.” By doing this, it allows researchers to assess and improve its efficiency and robustness, which is good for the entire ecosystem. WP29 also advises that quantum cryptography be considered as it becomes more viable.
Backdoors and master keys deprive encryption of its utility and cannot be used in a secure manner
While WP29 concedes that encryption can be used to conceal the activities of criminals, and that there is a need for law enforcement to have access to suspected criminals’ data, it argues that “the mathematical foundation for cryptology does not provide the basis for a secure backdoor.”
It also provides three high-profile examples that show master keys and backdoors “cannot be kept secure.”
- A high-profile case where a set of physical TSA keys that could purportedly open almost any suitcase ever made were lost.
- The WannaCry Cryptolocker used tools created by a major national security agency, that were then leaked to the public.
- In Iran, a major certificate provider had a private key compromise that resulted in the email accounts of numerous activists being hacked.
The vendors and manufacturers themselves admit that it would be difficult to ensure the security of backdoors or masker keys that would only be accessible to them, and there is plenty of evidence that state governments and agencies aren’t much better at keeping them safe. Additionally, the global scale at which encryption is deployed would require any backdoors or master keys to be shared amongst law enforcement agencies across the world. That, in itself, presents another security risk as it increases the chances that something gets compromised.
Moreover, imposing backdoors and master keys on law abiding citizens and organisations would not be an effective measure against criminals since they would continue to use or adapt the strongest state of the art encryption to protect their data, keeping them safe from law enforcement access. As a result, backdoors and master keys would only harm the honest citizen by making their data vulnerable.
Law enforcement agencies already have number of legal powers and targeted tools to address the challenge of encryption…
Finally, WP29 points out that law enforcement agencies in EU Member States can “be legally empowered in other ways to access data otherwise encrypted.” It then goes on to provide some examples:
- Access to metadata and unencrypted data held by data controllers
- The use of social engineering to infiltrate criminal organizations
- Compelling alleged criminals/persons of interests to provide their encryption key
- Targeted interception tools like IMSI catchers or access to electronic communications providers’ networks
- Tools for guessing or intercepting passwords, accessing documents or recording keystrokes
- Obtaining keys from data controllers or key escrow services
While WP29 admits that these tools and methods carry their own issues and require their own safeguards, it finds them more proportionate and less dangerous than the alternative: master keys and backdoors.
Law enforcement should focus on exercising wholly the powers they already have: in some jurisdictions they may have been granted with some or even all of the powers listed above, but have not yet started to exercise them practically. In numerous cases, investigations could have been successful if only the capability of interpreting the already-existing data was improved.
Final Conclusions and Recommendations from WP29
The Article 29 Working Party offers three final considerations regarding encryption standards and best practices:
- The availability of strong, trusted encryption is necessary in the modern world. Encryption contributes in an “irreplaceable way to our privacy and to the secure and safe functioning of our societies.”
- To that end, encryption needs to remain “standardized, strong and efficient.” That won’t be the case if “providers are compelled to include backdoors or provide master keys.”
- There are already enough tools and procedures available to law enforcement via their existing powers. Law enforcement should focus on improving those capabilities rather than requesting workarounds and backdoors.
Read the Complete Statement from the Article 29 Data Protection Working Party
Cipher suites are groups of algorithms that govern the cryptographic functions in an HTTPS connection. Picking the wrong ones can leave your website at risk. Learn more.
Check out the rest of the Hashed Out GDPR Compliance Series
- GDPR: Introduction to a Series
- GDPR: How it affects the Domain Industry
- GDPR: How it affects Web Hosts
- GDPR: Problems for ICANN/WHOIS?
- GDPR: Complying with EU-US Privacy Shield
- GDPR: What is a Data Protection Officer?
- GDPR: Best Practices for Privacy Notices
- GDPR: What you need to know about Cookies
- GDPR: What is the Right to be Forgotten?
- GDPR: How to perform a Data Audit
- GDPR: Encryption Best Practices
- GDPR: When to report a Personal Data Breach
Don’t Get Breached
91% of cyber attacks start with an email. 60% of SMBs are out of business within six months of a data breach. Not securing your email is like leaving the front door open for hackers.