Europol says Home Routing mobile encryption feature aids criminals

Europol is proposing solutions to avoid challenges posed by privacy-enhancing technologies in Home Routing that hinder law enforcement’s ability to intercept communications during criminal investigations.

The agency has previously highlighted in its Digital Challenges series that law enforcement problem of end-to-end encryption on communication platforms is a hurdle when it comes to collecting admissible evidence.

The case with Home Routing

Home Routing is a system in telecommunication services that allows customers to route traffic (calls, messages, internet data) through their home network even when traveling abroad.

When privacy-enhancing technologies (PET) are enabled in Home Routing, data is encrypted at the service level and subscribers' devices exchange session-based keys with the provider in the home network.

With the home network provider using PET, the keys remain inaccessible to the visiting network, which acts as a forwarder, and all traffic remains encrypted.

This setup prevents authorities from gathering evidence with the help of local ISPs through lawful interception activity.

“Once Home Routing is deployed, any suspect using a foreign SIM card can no longer be intercepted,” the European agency explains.

In such cases, police forces have to rely on voluntary cooperation of service providers abroad or issue an European Investigation Order (EIO), which could take longer than required for an investigation, especially when emergency interceptions are needed; for instance, a reply to an EIO could take as much as four months.

The European agency notes that criminals know about this loophole and taking advantage of it to evade law enforcement in the countries they reside.

Proposed solutions

Europol calls for stakeholders to consider two potential solutions that would remove delays and procedural friction from lawful communication interception requests.

The first proposed variant is the enforcement of an EU regulation to disable PET in Home Routing. This would allow domestic service providers to intercept communications from individuals using foreign SIM cards without disclosing information about the person of interest with parties from other countries.

The agency says that "this solution is technically feasible and easily implemented" because both roaming and local subscribers benefit from encryption that is at the same level as communication through national SIM cards. Subscribers abroad, though, do not benefit from the added encryption of the home country.

A second proposal is to implement a cross-border mechanism that allows law enforcement to issue within the European Union interception requests that are quickly processed by service providers.

While this means that PET can be enabled for all users, a service provider in another member state would learn about the person(s) of interest in an investigation, which may not be desirable.

The second solution is to establish a mechanism for quickly processing interception requests from service providers in other EU member states.

The two solutions from Europol are just "possible avenues for safeguarding and maintaining current investigatory powers" and the agency aims to call attention to the impact Home Routing has on investigations so that national authorities, legislatures, and telco service providers can work together to come up with an answer to the problem.