THE HAGUE - A new report by the EU Innovation Hub for Internal Security looks into how to uphold citizens’ privacy while enabling criminal investigation and prosecution.

Encryption represents an important means of securing private communications. However, at the same time, it also enables threat actors to manage their malicious activities below the radar of law enforcement. Understanding the needs and challenges of stakeholders in the Justice and Home Affairs (JHA) community is the foundation of adopting the necessary measures to keep Europe safe, while safeguarding fundamental rights.

Cite this publication: EU Innovation Hub (2024), First Report on Encryption by the EU Innovation Hub for Internal Security, Publications Office of the European Union, Luxembourg.

Executive summary

The first report on encryption created by the EU Innovation Hub
for Internal Security presents an analysis on the topic of encryption from
a legislative, technical and developmental viewpoint. It also touches upon
certain specific judicial processes and court rulings about overcoming
encryption in cases where it represents an obstacle for criminal investigations,
especially in relation to evidence admissibility.

In the last few years, the debate between data privacy and lawful interception
(LI) has evolved into a more constructive discussion. While police and judicial
authorities acting within their power can be prevented from accessing digital
evidence by modern privacy-enhancing technologies like end-to-end encryption
(E2EE) and Rich Communication Services (RCS) systems, different international
initiatives are calling for a balanced approach, where LI can coexist with
encryption without undermining cybersecurity and/or privacy.

At the same time, a framework to access encrypted communications is steadily taking shape in the EU. As technology advances, finding a balance between individual privacy
and collective security remains an ongoing challenge. The key to success is to
foster dialogue, cooperation and innovation to ensure that fundamental rights
(including protection of personal data), as well as the security and integrity of
the person, are equally respected.

The newly adopted e-evidence package can be seen as a step in the right
direction for enhancing law enforcement access to electronic evidence.
However, the package does not specifically address the challenges related
to encryption outlined in this report because the regulation does not include
obligations for service providers to make data in the clear available.

The admissibility of evidence gathered from encrypted communication
channels has been legally questioned in a number of countries. However,
several courts have dismissed such challenges, thereby setting precedents
in favour of using evidence gathered in this manner (for instance, the
French Court of Cassation accepts the use of evidence from the EncroChat
cryptophone service).

Court rulings in Germany, Italy and the Netherlands have also established that evidence gathered through authorised interception by other nations (e.g. France, Canada) is valid and usable in domestic criminal proceedings. In other words, courts in these countries have concluded, in several instances, that data gathered in this manner is obtained lawfully and in a proportional manner. In its ruling of 30 April 2024, the Court of Justice of the European Union clarified conditions under which intercepted data from encrypted communication channels can be requested and transmitted between EU Member States, and used in criminal proceedings as evidence.

Technologies using encryption present many challenges but also opportunities
for law enforcement and security practitioners. In this paper, we will look at
encryption challenges and opportunities in relation to various technologies,
namely quantum computing, cryptocurrencies, biometric data, the Domain Name
System (DNS), telecommunication technologies, artificial intelligence (AI) and
large language models (LLMs).

For example, cryptocurrencies are widely used for laundering criminal proceeds
and there are concerns that tracing funds will become more complicated if
zero-knowledge proofs and layer 2 applications are more widely deployed in the
blockchain. On the other hand, the use of custodial wallets, where the user does not hold their own private key, creates opportunities for cooperation between
law enforcement authorities, exchanges and service providers to seize crypto
assets that are suspected to be of criminal nature.

In the realm of DNS encryption, two competing approaches have surfaced,
DoT/DoQ and DoH/DoHTTP3. In both cases, the content of the DNS messages
is encrypted, hindering the lawful access to suspects’ DNS traffic contents. In
practice, it means that law enforcement will become more dependent on DNS
service providers’ cooperation.

Similarly, the use of encryption in 4G (VoLTE) and 5G (Standalone 5G)
telecommunication technologies complicates law enforcement and judicial
authorities’ ability to carry out investigations. These standards introduce end-to-end encryption (E2EE) for voice calls over the network, which complicates
lawful interception of criminal communications in roaming scenarios. For this
reason, it is important for the communication service providers to disable
privacy-enhancing technologies in home routing scenarios. Looking into the
future, it is vital that law enforcement needs are taken into account when
designing standards for the next generation telecommunication services (e.g.
6G) and that the architecture introduced has innate features that enable law
enforcement to carry out their criminal investigations.

The use of biometric recognition is predicated on being able to safely store and
use biometric data, which can be enabled by biometric template protection
(BTP) technologies. These technologies enable citizens to, for example,
use national ID cards, passports or conduct banking transactions through
biometric verification, while recognition comparison operations take place
in the encrypted domain. The security and privacy of current biometric
recognition systems still need to be enhanced before they become fully
deployable in public services.

Artificial intelligence (AI) and large language models (LLMs) continue to play
an important role in cryptography. These technologies can be used both for
strengthening encryption algorithms and for analysing cryptographic
security systems, which in some cases helps break the encryption by
scrutinising its mathematical properties.

The same goes for the advancements that are being made in the field of
quantum computing, which can be used for breaking cryptographic protocols in
the future. This ties in with the well-known concept of ‘store now, decrypt later’
that could create opportunities for law enforcement to decrypt stored criminal
communications, but also creates risks as malicious actors might also be
gathering encrypted data with the same prospect in mind. In addition, quantum
computing will likely also support the creation of new digital forensic techniques
that help with the retrieval of electronic evidence in investigations.

The main future research areas relevant for policymakers in the areas of
law enforcement and justice will most likely be the use of “user-controlled”
encryption (and its effect on digital forensics and decryption capabilities),
the development of quantum computing, and the use of encrypted data for
development of machine learning (ML) algorithms. The EU has different funding
schemes that can be leveraged to develop research projects to address the
challenges related to these technologies.

To download the full report, visit: