Europol’s head is asking lawmakers for help in weakening privacy-enhancing technologies (PETs), which he says hinder criminal investigations, and this time he’s not targeting end-to-end encryption. Well, not exactly.
Europol today released a position statement highlighting its concerns about SMS Home Routing, a technology that allows telecommunications operators to continue providing services to customers when they visit another country.
Most modern mobile phone users connect to networks that have roaming agreements in other countries: for example, an EE customer in the UK connects to Telefónica or Xfera when they arrive in Spain, or to T-Mobile in Croatia.
This typically provides a fairly smooth service for most roaming users, but Europol is now saying something needs to be done about PET, which is often enabled in these home routing setups.
Police noted that while roaming, all mobile communications of criminal suspects using SIM cards from another country will be processed through the home country’s network.
For example, if a British person commits a crime in Germany, German police cannot ask for unencrypted data as they could from a domestic telecommunications operator such as Deutsche Telekom.
Now, it wouldn’t be a law enforcement complaint about technology if encryption weren’t mentioned at least somewhere, and this one is no departure from that norm.
The fuss over home routing concerns the service-level encryption that network operators use when they enable it. Law enforcement can see suspects communicating from devices that could be evidence of a crime, but as always, encryption prevents them from accessing those communications in a usable form.
Europol states: “In service-level encryption, subscriber (user) equipment exchanges session-based encryption keys with the service provider in the home network. If PET is enabled, the visited network no longer has access to the keys used by the home network and therefore cannot retrieve unencrypted data.”
The exception to home routing being a cop blocker is when a domestic service provider has a cooperation agreement with a network provider in another country that prohibits enabling PET on home routing.
Without this cooperation agreement in place, law enforcement’s only option is to issue a European Investigation Order (EIO), which can take up to 120 days to respond to – not ideal if you’re trying to catch a drug dealer who’s only in the country for the weekend.
“A solution to the above situation is urgently needed. Under domestic routing, the current investigative powers of public authorities should be retained and a solution must be found that allows them to lawfully intercept suspects within their territory,” the Europol document said.
“Moreover, an optimal solution must not unduly impede secure communications, must ensure the confidentiality of criminal investigations and must ultimately enable Member States to exercise their jurisdictional prerogative to exercise investigative powers.”
“Going forward, (new) technologies should be designed and implemented in a way that guarantees lawful access to the data that law enforcement agencies need to carry out their duties.”
Next steps
Two solutions were proposed, but the wording of the document clearly prioritizes a legal ban on PET (service-level encryption) in home routing over allowing EU member states to request communications from other countries.
The first, and seemingly preferable, option would be to remove the additional encryption layer implemented when home routing is active and maintain the same level of communications encryption that the suspect enjoys in his home country.
“The solution is technically feasible and easy to implement,” Europol said. “It maintains current levels of security, including privacy, and provides equal protection for roaming and local users.”
“National authorities overseeing telecommunications markets can enforce EU regulations requiring networks to be designed in this way.”
The second proposal had a number of drawbacks, with Europol saying that other EU member states knowing that a person under investigation was moving around within their borders “may not necessarily be desirable” from an investigative perspective.
They also warned that there is no established way to share and interpret the data requested by law enforcement authorities.
Some such methods have been developed for EIOs, but police are concerned that this could lead to a situation where law enforcement activities become dependent on foreign service providers, which is not ideal.
“With this position statement, Europol hopes to open a discussion on this technical issue, which currently severely impedes law enforcement agencies’ ability to access important evidence,” the statement said.
“A solution must be found that allows national authorities to lawfully intercept the communications of suspects within their own borders without unduly interfering with secure communications.”
“The paper considers operational, technical, privacy and policy aspects and presents key elements that should be considered as part of a societal response.”