Council of the European Union has prepared a questionnaire to map the situation and identify the obstacles faced by law enforcement authorities when gathering or securing encrypted e-evidence for the purposes of criminal proceedings. These are the answers from the Estonian delegation obtained by a public information request:
1. How often do you encounter encryption in your operational activities and while gathering
electronic evidence/evidence in cyber space in the course of criminal procedures?
o often (in many cases)
2. What are the main types of encryption mostly encountered during criminal investigations
in cyberspace?
o HTTPS, TOR, P2P / I2P, e-communications (through applications such as Skype, WhatsApp, Facebook, etc.)
o offline encryption – encrypted digital devices (mobile phone / tablet /computer), encrypting applications (TrueCrypt / VeraCrypt / DiskCryptor, etc)
3. Under your national law, is there an obligation for the suspects or accused, or persons who
are in possession of a device/e-data relevant for the criminal proceedings, or any other person to provide law enforcement authorities with encryption keys/passwords?
o No. Pursuant to Article 215 of the Criminal Procedure Code, investigative authorities and prosecutor’s offices can order the production of data from any person. Suspect and accused person do not have to disclose encyption keys/passwords.
5. Under your national law, is it possible to intercept/monitor encrypted data flow to obtain
decrypted data for the purposes of criminal proceedings? If so, is a judicial order (from a
prosecutor or a judge) required?
o Yes. §126.7. Wire-tapping or covert observation of information.
8. Do you consider that your current national law allows sufficiently effective securing of e-evidence when encrypted?
o Yes. Current legislation to gather evidence can be considered sufficient. The challenges related to encryption as more or less of technical nature.
10. In your view, will measures in this regard need to be adopted at EU level in the future?
o practical (e. g. development of practical tools for police and judicial authorities)
o improve exchange of information and best practices between police and judicial authorities
o create conditions for improving technical expertise at EU level
Basically, Estonian delegation answer can be read as “not interested in EU-level crypto backdoors”. Which is good, but could have been said more explicitly.
There are positive signs on EU-level for opposing legislation for backdoors:
Andrus Ansip, the Commission vice president in charge of the EU’s technology policies, has said he opposes laws that force companies to create backdoors to weaken encryption.
Europol, the EU law enforcement agency, and ENISA, the agency in charge of cybersecurity, signed an agreement in May opposing laws that strongarm firms into providing backdoors.
Links:
https://www.asktheeu.org/en/request/3347/response/11727/attach/5/Encryption%20questionnaire%20ESTONIA.pdf
https://www.techdirt.com/articles/20161127/18352736140/encryption-survey-indicates-law-enforcement-feels-behind-tech-curve-is-willing-to-create-backdoors-to-catch-up.shtml
http://www.euractiv.com/section/social-europe-jobs/news/five-member-states-want-eu-wide-laws-on-encryption/