Top European police officials are asking lawmakers for help in thwarting a privacy-enhancing technology (PET) that they say is hampering criminal investigations. And this time, it’s not end-to-end encryption. Not exactly.
Europol today published a position paper highlighting its concerns about home SMS routing, the technology that allows telecoms operators to continue offering their services when customers visit another country.
Most modern mobile phone users are tied to a network with roaming agreements in other countries. EE customers in the UK will connect to either Telefónica or Xfera when they land in Spain, or T-Mobile in Croatia, for example.
While this generally provides a fairly smooth service for most roamers, Europol is now advising that something needs to be done about the PETs that are often activated in these home routing setups.
According to the police, they stressed that when roaming, a suspect in a criminal case who uses a SIM card from another country will have all his mobile communications processed through its national network.
If a crime is committed by a Briton in Germany, for example, German police could not issue a request for unencrypted data as they would with a national operator like Deutsche Telekom.
Now, it wouldn’t be a law enforcement complaint against technology if encryption wasn’t mentioned at least somewhere, and there’s no need to worry since we’re not deviating from the norm today.
The specific part of home routing that is causing all the fuss is the service-level encryption used when home routing is enabled by the network operator. Law enforcement can see a suspect communicating from a device that may provide evidence of a crime, but as always, encryption hinders their ability to access it in an exploitable manner.
Europol said: “For service level encryption, the subscriber’s (user’s) equipment exchanges session-based encryption keys with the home network service provider. If PET is enabled, the visiting network no longer has access to the keys used by the home network and therefore the plaintext data cannot be recovered.”
An exception to home routing being a cop blocker is when a national service provider has a cooperation agreement with another country’s network provider that prohibits enabling PETs in home routing.
If this cooperation agreement is not in place, the only alternative left to law enforcement is to issue a European Investigation Warrant (EIO), but responses to these requests can take up to 120 days, which is not ideal when you want to catch a drug trafficker who is only in the country for a weekend.
“There is an urgent need to find a solution to the situation described above. In the context of home routing, the current investigative powers of public authorities must be preserved and a solution must be found that allows for the lawful interception of suspects on their territory,” the Europol document reads.
“Furthermore, an optimal solution should not disproportionately hamper secure communications, ensure the confidentiality of criminal investigations and, ultimately, allow Member States to exercise their legal jurisdictional prerogative to exercise their investigatory powers.
“In future, the design and implementation of (new) technologies should be carried out in a way that ensures lawful access to the data necessary for the investigative powers to fulfil their obligations.”
Next steps
Two possible solutions have been suggested, but the wording of the document clearly favours a legal ban on PET (service level encryption) in domestic routing rather than the ability for an EU member state to request another country’s communications.
The first, apparently preferred, option would remove the extra layer of encryption implemented when domestic routing was active and simply maintain the same level of encryption of communications that the suspect would enjoy in his home country.
“This solution is technically feasible and easy to implement,” Europol said. “It maintains the current level of security, including confidentiality, and is the same for roaming and local users.”
“National authorities supervising the telecommunications market can apply European regulations requiring the network to be designed in this way.”
The second suggestion was highlighted by several drawbacks. According to Europol, it is not always operationally desirable for another EU Member State to be informed of the presence of a person of interest on its territory.
She also warned that there is no established method for sharing and interpreting data requested by law enforcement authorities.
There is one that has been developed for EIOs, but police are concerned that this could lead to scenarios where law enforcement efforts are reliant on foreign service providers, which is not ideal.
“With this position, Europol wishes to open the debate on this technical issue which, at present, seriously hampers the ability of law enforcement agencies to access crucial evidence,” he said.
“A solution must be found that allows the authorities of a country to legally intercept the communications of a suspect on their territory, without disproportionately hampering secure communications.
“The paper proposes key elements that should be considered as part of the societal response, examining operational, technical, privacy and policy aspects.” ®
