Europol says mobile roaming tech is making its job too hard
- Reference: 1720167969
- News link: https://www.theregister.co.uk/2024/07/05/europol_home_routing_complaint/
- Source link:
Europol published a position paper today highlighting its concerns around SMS home routing – the technology that allows telcos to continue offering their services when customers visit another country.
Most modern mobile phone users are tied to a network with roaming arrangements in other countries. EE customers in the UK will connect to either Telefónica or Xfera when they land in Spain, or T-Mobile in Croatia, for example.
[1]
While this usually provides a fairly smooth service for most roamers, Europol is now saying something needs to be done about the PETs that are often enabled in these home routing setups.
[2]
[3]
According to the cops, they pointed out that when roaming, a suspect in a criminal case who's using a SIM from another country will have all of their mobile communications processed through their home network.
If a crime is committed by a Brit in Germany, for example, then German police couldn't issue a request for unencrypted data as they could with a domestic operator such as Deutsche Telekom.
[4]
Now, it wouldn't be a law enforcement complaint against tech if encryption wasn't mentioned at least somewhere, and there's no need to worry since we're not deviating from the norm today.
The specific part of home routing that's causing all the fuss is the service-level encryption used when enabling home routing by the network operator. Law enforcement can see a suspect communicating from a device that may provide evidence of a crime being committed, but as ever, [5]encryption stymies their ability to access it in a usable way.
Europol said: "For service-level encryption, the subscriber (user) equipment exchanges session-based encryption keys with the service provider in the home network. If PET is enabled, the visiting network no longer has access to the keys used by the home network and therefore data in the clear cannot be retrieved."
[6]
One exception to home routing being a cop blocker is when a domestic service provider has a cooperation agreement with the network provider of another country that forbids the enabling of PETs in home routing.
If this cooperation agreement isn't in place, the only alternative left for law enforcement is to issue a European Investigation Order (EIO), but responses for these can take up to 120 days, which isn't ideal when you want to catch a drug dealer who's only in the country for a weekend.
"A solution to the situation described above is urgently necessary. Under home routing, the current investigatory powers of public authorities should be retained and a solution must be found that enables lawful interception of suspects within their territory," reads [7]Europol's paper .
"In addition, an optimal solution should not impede secure communications disproportionately, ensure the confidentiality of criminal investigations, and ultimately enable member states to execute their legal jurisdictional prerogative to execute investigatory powers.
[8]Europol nukes nearly 600 IP addresses in Cobalt Strike crackdown
[9]Snowflake breach snowballs as more victims, perps, come forward
[10]Dark-web kingpin puts 'stolen' internal AMD databases, source code up for sale
[11]Ukrainian cops collar Kyiv programmer believed to be Conti, LockBit linchpin
"Moving forward, the design and implementation of (new) technologies should be done in the manner that ensure lawful access to data necessary for investigatory powers to carry out their obligations."
Next steps
Two possible solutions were suggested, but the wording of the paper clearly favored a legal ban on PETs (service-level encryption) in home routing over making it possible for one [12]EU member state to request the comms from another country.
The first, seemingly preferred option would remove the additional encryption layer implemented when home routing was active and simply keep the same level of comms encryption as the suspect would enjoy in their home country.
"This solution is technically feasible and easily implemented," Europol said. "This solution maintains the current level of security, including privacy, and is equal for [13]roamers and local users.
"National authorities supervising the telecommunication market can enforce an EU regulation mandating the design of the network in this manner."
Various drawbacks were highlighted with the second suggestion. Having another EU member state aware that a person of interest is walking within their borders "might not always be desirable" from an operation perspective, Europol said.
It also warned that there is no established method for sharing and interpreting the data requested by law enforcement authorities.
There is one that was developed for EIOs but cops are concerned this could lead to scenarios where law enforcement efforts are dependent on foreign service providers, which isn't ideal.
"With this position paper, Europol wishes to open the debate on this technical issue, which at present is severely hampering law enforcement's ability to access crucial evidence," it said.
"A solution must be found that enables a country's authorities to lawfully intercept the communications of a suspect within their territory, while not impeding secure communications disproportionately.
"The paper offers key elements which should be considered as part of the societal response, looking at operational, technical, privacy and policy aspects." ®
Get our [14]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZofEQVhF5loWgU5MVhchbAAAAJA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZofEQVhF5loWgU5MVhchbAAAAJA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZofEQVhF5loWgU5MVhchbAAAAJA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZofEQVhF5loWgU5MVhchbAAAAJA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://www.theregister.com/2023/03/13/column/
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZofEQVhF5loWgU5MVhchbAAAAJA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://www.europol.europa.eu/media-press/newsroom/news/home-routing-limiting-law-enforcement-evidence-gathering-warns-europol
[8] https://www.theregister.com/2024/07/04/europol_cobalt_strike_crackdown/
[9] https://www.theregister.com/2024/06/24/snowflake_breach_accelerating_into_snowball/
[10] https://www.theregister.com/2024/06/18/amd_intelbroker_breachforums/
[11] https://www.theregister.com/2024/06/13/conti_lockbit_ukraine_arrest/
[12] https://www.theregister.com/2024/06/18/signal_eu_upload_moderation/
[13] https://www.theregister.com/2024/06/27/international_roaming_outage_north_america/
[14] https://whitepapers.theregister.com/
Re: Breaking the law for convenience is never a good idea
But that's not what they're asking for. They're saying if the person is in their jurisdiction they should be able to apply their laws on that person and that includes being able to intercept their telecommuncations. There preferred option is literally just to give the user in their country the same level of encryption and protection they'd get if they were in their own country. When it comes to law enforcement and their demands that seems pretty timid and reasonable.
Anybody got a loupe?
I'm sure I left that box of microscopic-sized violins here somewhere...
"while not impeding secure communications disproportionately"
But it's okay to impede secure comms a little bit - just enough to avoid either putting boots on the ground or, worse, more paperwork like, oh I don't know, a warrant ?
You want to hear what some suspect is saying ? Here's an idea : directional microphone. I hear they work very well.
Of course, that's less easy to put in place than clicking on a keyboard from a thousand kilometers away.
Re: "while not impeding secure communications disproportionately"
Fully agree,
They could do some actual policework and not rely on voice / text etc. intercepts being able to do their whole job for them - nobody said police work was supposed to be easy, and the well behaved majority should not lose their privacy rights just because it makes catching the odd crim easier.
Although it does not currently apply in European countries, a gay person in a country where homosexuality was a criminal offence would definitely want their calls home to their same sex partner to not be easily available in an unencrypted form.
"In addition, an optimal solution should not impede secure communications disproportionately"
Whne working out what might be disproportionate it should be presumed that most communications will be innocent as this is, indeed, the case.
"the only alternative ... is to issue a European Investigation Order but responses for these can take up to 120 days"
So the appropriate solution is to straighten out existing procedures.
Snail mail
Soon to be banned: encrypted snail mail.
It is a terrible sin to use end-to-end encrypted snail mail. The police everywhere are pulling out their hairs and holding their hands in the air because they cannot see the actual content and are unable to identify any written kiddie porn. The newly proposed legislation is to ban all automatic and manual OCR capabilities, including letter and pattern recognition, and a general ban on any and all manual cryptological transformative thoughts and operations.
Also, stamps will only be sold if you can show and prove that any and all content is readable by you nearest national and international secret service organisation.
Breaking the law for convenience is never a good idea
There's no way the suggestions are compatible with existing contracts or law where roaming is defined as using another network to provide the contracted services. Can't see the courts approving other jurisdictions being given permission to snoop on their citizens.