The availability of strong and trustworthy cryptographic tools is an important building block of a society and economy that depends more than ever on electronic services. The legitimate need to protect communication among individuals and public and private organizations has often been depicted as a threat to business models or even public security. At the same time, the lack of trust in digital services has been identified as an inhibiting factor for the digital market. This has a particular weight in view of the new agreements on the NIS Directive and the General Data Protection Regulation, which foster the trust of the public and private sectors in digital networks and services at a national and EU level. However, in the light of terrorism and crime prevention, opinions have been voiced that cryptographic tools need to be regulated.
ENISA’s paper on the subject looks into several aspects of crypto regulation and their difficulties from a technical perspective. Key points ENISA focuses on are:
The use of cryptography might make lawful interception harder and thereby less efficient or even ineffective. While key recovery and escrow might enable lawful interception, they introduce new technological risks to IT infrastructure and might even damage the gathered evidence.
It is easy to bypass systems that allow key escrow or recovery; evidence for bypassing will only be found during investigation.
Vulnerabilities that were left from legacy policy have been abused to attack systems. Further, policy that limits the use of cryptography in commercial products can damage the IT industry.
Cryptography provides the tools necessary to protect assets in a highly computerised world. In the light of terror attacks and organized crime, law enforcement and intelligence services have requested means to circumvent these protection measures. While their aims are legitimate, limiting the use of cryptographic tools will create vulnerabilities that can in turn be used by criminals and terrorists, and lower the trust in electronic services, which eventually will damage industry and civil society in the EU.
The issues mentioned are mere examples of currently widely used protection measures. Emerging privacy enhancing technologies might introduce even more challenges. To overcome these issues, ENISA is eager to support the Member States and competent EU bodies to perform further analyses and to define a balanced approach to move forward.