Interior ministry looking for backdoor into encrypted messaging apps
The Ministry of Interior wants law enforcement organs to be given backdoor access to encrypted messaging applications in criminal proceedings. The ministry also wants to ban impersonalized SIM cards.
Estonia will have to adopt the European Electronic Communications Code by the end of this year. It has been agreed on the EU level that communication taking place outside traditional phone services must also be regulated. That is why all manner of messaging apps, such as Skype, WhatsApp and Viber, will be classified as communications services. The aim of the change is to subject them to the same data protection rules that are in place for ISPs.
The Ministry of Internal Affairs hopes to use the amendment to remedy a problem faced by law enforcement organs. The ministry's deputy secretary general Veiko Kommusaar says that law enforcement should receive the kind of data they currently get from mobile operators also from these apps.
"Who is behind these applications, who or what have initiated these communication seances and what is their contents? Of course, all such inquiries would be subject to control and require relevant permits," Kommusaar said.
Several messaging apps advertise themselves as encrypted communication channels. For example, WhatsApp messages are encrypted before they leave the user's device and decrypted by the receiving device. The ministry wants to add a rule that would force applications to give data to the police in unencrypted form or at least the keys necessary to access the communication.
"It is in the regulator's power to send a signal or stipulate on the level of legislation that if one wants to be active on the market, one needs to comply with certain criteria," Kommusaar said.
The deputy secretary general said that while the confidentiality of messages is an important principle, it cannot stand in the way of law enforcement work. "Talking about organized crime, terrorism or other serious threats, it is clear states need that information."
Kommusaar admits that a Europe-wide approach would be in order. "Perhaps this kind of a common approach would help us work together with these app-creators, so they could offer their solutions while countries could address the dark side of what they facilitate."
How to command foreign applications?
Therefore, communication would ideally remain encrypted, while the police could access both sides' messages in unencrypted form if necessary. Professor Rain Ottis of the TalTech Institute of Software Engineering said that you cannot have your cake and eat it too. Once such a backdoor is created, it renders the application insecure in essence.
"As the same weakness can then be exploited by criminals and other countries' intelligence services. Let us imagine a well-timed data leak involving a political party's in-house correspondence. The end result would see citizens who care about their privacy, including criminals, move to alternative channels, with the real effect of the amendment being reduced security and privacy for law-abiding citizens," Ottis said.
There are dozens if not hundreds of applications promising encrypted messaging. What to do should some companies choose to simply ignore the police's request? Kommusaar hopes that the majority of companies are responsible and want to keep criminals off their platform.
"The other side of it includes sanctions for those who fail to comply. These possibilities exist," the deputy secretary general added.
Asked how Estonia could effectively punish a company registered, for example, in Congo, Kommusaar said it would require analysis. Estonian law enforcement is not the only one having trouble with encrypted messaging apps. Various initiatives for so-called backdoor access have been launched in several countries, including those in Europe. More authoritarian countries are simply trying to block the applications, while democratic ones try to negotiate or turn to court.
"I cannot think of any country where all such matters have good solutions, where the applications work and law enforcement has access when it needs to. Everyone has had successes and failures."
Veiko Kommusaar admits that solving this complicated problem could take quite a bit of time.
Solution for SIM card concern expected sooner
The police have also been having trouble with impersonalized SIM cards for years. Everyone is free to buy a prepaid SIM card from a supermarket.
"The user who bought the card and will be using the service is not registered as far as the state is concerned," Kommusaar said.
Impersonalized SIM cards largely pose the same problem as encrypted messaging apps. According to Kommusaar, such cards are often used by thieves, robbers, blackmailers and drug dealers.
"They are interested in flying below the radar as much as possible, to be difficult to identify and eavesdrop on. Our interest is to put these criminals out of business," he added.
That is why the Ministry of Internal Affairs has made another proposal to amend the Electronic Communications Act. The ministry believes the rules should be changed and use of such SIM cards allowed only if they have been registered in the user's name or, in other words, personalized.
"One option would be to write down the person's information and enter it into a corresponding database when they purchase the SIM card. Another option that seems less invasive would be to have people register the cards online or at self-service kiosks before they can be used," Kommusaar said.
Executive manager of the Estonian Association of Information Technology and Telecommunications Jüri Jõemaa says that the popularity of such burner SIMs is falling. He adds that criminals nevertheless do not make up a significant part of customers. Jõemaa says that prepaid SIM cards are bought for children, for example. They are also used by foreigners coming from outside the EU. "It is cheaper than using your own phone in roaming mode in another country, which is bound to cost several times more than using the local service."
Jõemaa said that it would be difficult to organize online personalization of SIM cards in the case of foreigners as they lack the Estonian ID-card. "It would add to the administrative burden of companies, create the need to store additional data, while personalization would also require man-hours."
Jõemaa added that the problem of anonymous SIM cards has been discussed on and off for 10-15 years. Kommusaar says there are countries one can emulate. It is impossible to use impersonalized SIM cards in Germany, Italy and Spain, among others.
"And we can see this measure being entirely justified to disrupt such communication and get the necessary leads in time," the ministry official added.
Editor: Marcus Turovski