Going dark? Analysing the impact of end-to-end encryption on the outcome of Dutch criminal court cases

Page created by Justin Nelson
 
CONTINUE READING
Going dark? Analysing the impact of end-to-end encryption
                                               on the outcome of Dutch criminal court cases
                                                                  Pieter Hartel1                Rolf van Wegberg1
                                                                  1
                                                                      {pieter.hartel,r.s.vanwegberg}@tudelft.nl
arXiv:2104.06444v1 [cs.CR] 13 Apr 2021

                                                                                   April 15, 2021

                                                                                       Abstract
                                                  Former US attorney general William Barr and law enforcement colleagues from other
                                              countries have published a statement on end-to-end encryption from which we quote: “while
                                              encryption is vital and privacy and cybersecurity must be protected, that should not come at
                                              the expense of wholly precluding law enforcement”. The main argument put forward by law
                                              enforcement is that end-to-end encryption (E2EE) hampers authorities prosecuting criminals
                                              who rely on encrypted communication - ranging from drug syndicates to child sexual abuse
                                              material (CSAM) platforms. This statement, however, is not supported by empirical evidence,
                                              and therefore not suitable as the sole basis of policymaking. That is why, in our work, we
                                              analyse public court data from the Netherlands to show to what extent law enforcement
                                              agencies and the public prosecution service are impacted by the use of E2EE in bringing cases
                                              to court and their outcome. Our results show that Dutch law enforcement appears to be as
                                              successful in prosecuting offenders who rely on encrypted communication as those who do
                                              not. In contrast to what the US attorney general wants us to believe, at least the prosecution
                                              of cases does not seem hampered by E2EE.

                                         1    Introduction
                                         Article 19 of the Universal Declaration of Human Rights gives everyone the right to freedom of
                                         opinion and expression. Since 2011, this also covers the journalistic protection of sources [3].
                                         UNESCO recently published two studies describing the influence of the Internet on Article 19.
                                         Both studies make recommendations for the use of End-to-End Encryption (E2EE) to protect
                                         the right to freedom of opinion and expression. The most important recommendation is that
                                         member states must ensure that concerns about national security and crime do not affect the
                                         source protection of journalists [11] and human rights [13]. Pretty-Good-Privacy (PGP) is one of
                                         the technologies that allows tipsters to pass confidential information to journalists. Most quality
                                         newspapers such as the NY Times, LA Times, Washington Post, Wall street journal, Guardian,
                                         and Financial Times use PGP to receive confidential tips. Only two out of the eight quality
                                         newspapers worldwide do not have a PGP key: The Times and the Chicago Tribune.
                                             However, every technology has a bright and a dark side [8]. For example, GPS was designed
                                         to guide missiles to their targets [5]. Civil use was a secondary objective, but now we would be
                                         lost without GPS-based navigation. Mobile phones meet one of the most basic human needs:
                                         the ability to communicate. But drug dealers and their customers also love their phones be-
                                         cause they no longer have to meet in a dark alley to avoid the police. PGP was the first widely
                                         used implementation of E2EE [15], and WhatsApp has been offering E2EE since April 2016 to
                                         over a billion users. PGP has helped human rights organizations and journalists to communi-
                                         cate in hostile environments. PGP has probably saved hundreds of lives in the Kosovo theatre
                                         Letters from human rights groups. But offenders use so-called PGP phones [10] to defeat lawful
                                         interception. A PGP phone is a relatively expensive product on which not only PGP is installed,

                                                                                            1
but from which also all non-essential hard and software have been removed [6]. So, all these
technologies have two sides, but to what extent does the dark side have the upper hand? We
probably agree that navigation with GPS and communication with a mobile phone has so many
advantages that we accept the disadvantages. But do the advantages of E2EE also outweigh the
disadvantages?
    Here, it is important to note that E2EE only works properly if it is correctly implemented in
a trustworthy execution environment and if the private keys remain secret. However, this is more
easily said than done. In recent law enforcement operations against providers of PGP phones such
as Phantom Secure, IronChat, Ennetcom, Encrochat, and Sky ECC, the police have managed to
obtain messages, whereas the companies claimed that this should be impossible. The police were
legally allowed to take action against all of these service providers since there was a well-founded
suspicion that these companies provided services to criminals. For example, Phantom Secure was
a Canadian company that was infiltrated by FBI employees in 2018. Recorded conversations with
Phantom Secure’s CEO led to a valid allegation that the company’s modified Blackberry phones
were used for drug trafficking [6]. Offenders not only use PGP, but they also use WhatsApp, as
exemplified by the following quotes from Dutch court judgments:
    • “The offender, together with another person, threatened [victim 1] and [victim 2] with death
      using WhatsApp messages” ECLI:NL:RBMNE:2018:4435.
    • “The fact that the offender sold these drugs came to light after four young adults became un-
      well from drugs they had bought after WhatsApp contact with a dealer” ECLI:NL:RBNNE:2018:5197.
    • “Suspect then sends 11 images to [person] via WhatsApp. These are all child pornographic
      images of [victim 2]” ECLI:NL:RBNHO:2018:10646.
However, offenders use PGP and WhatsApp for different reasons. Most users probably know that
WhatsApp offers E2EE, but they do not seem to care about it [1]. WhatsApp is a success because
almost all the people you want to communicate with are already using it - i.e., the network effect.
WhatsApp is easy to use, WhatsApp is free and even ad-free. PGP phones are an expensive
niche product. The users buy such a device because the confidentiality of the messages they
exchange with it is of vital importance to them. Specialised companies sell PGP phones and
service subscriptions at premium prices. Offenders might use WhatsApp to communicate with
clients or victims, but they would prefer a PGP-phone to communicate with co-offenders.
    In the Netherlands, several Ennetcom cases have now been concluded, and some of the court
judgments have been made public as open data. To gain insight into the impact of E2EE on the
outcome of Dutch criminal court cases, we will analyse these and other relevant court judgments.
Our contribution is that we provide the evidence that is needed to help us understand if law
enforcement is going dark due to E2EE [7].

2     Background and research questions
In the Netherlands, law enforcement has a wide range of special powers at their disposal, as
described in Article 126 of the Code of Criminal Procedure. The application of these powers is
subject to strict rules. In particular, special powers may only be used for serious offences, and
permission from the examining magistrate is required. It should also be possible to check afterward
whether the powers have been used correctly. These checks and balances are in place to ensure
a fair trial. The technical special powers that are often used in cases where the offender tries to
evade detection through technology are (1) reading out and analysing confiscated smartphones,
(2) placing telephone or Internet taps, (3) obtaining cell tower data from a telecommunications
operator to trace the location of a mobile phone, and (4) hacking the computer or another device
of the offender. There are other special powers, such as a subpoena for financial data, systematic
observation, and systematic gathering of information, but we will not consider these here because
they are not technical in nature. We will describe in more detail the two often used special powers
that suffer most from E2EE.

                                                 2
Reading out and analysing confiscated smartphones Most modern laptops and smart-
phones have device encryption turned on by default. This means that data on devices seized by
law enforcement can only be read out if the device owner supplies the passcode. Law enforcement
has several options to unlock a seized smartphone with a passcode:
   • The owner may surrender the code to the police. This should not be done under duress be-
     cause, in most countries, the offender should not be obliged to cooperate with his conviction
     (Nemo tenetur) [10].
   • In some countries, the police may force one to give up a fingerprint to unlock a smartphone [6].
   • In some cases, special tools can bypass the passcode. For example, to crack the San
     Bernardino terrorist’s iPhone 5C, the FBI had to pay more than $ 1M to a specialist com-
     pany [4].
   • With the permission of the examining magistrate, the police may install keylogger malware
     on a smartphone. The keylogger reports the passcode without the suspect knowing [2].
   • Law enforcement does not deal with the smartphone directly, but with the company that
     manages the network that the smartphone uses to communicate.
To the best of our knowledge, there are no statistics on cracking locked smartphones, except for
some anecdotal evidence from the US [4].

Placing telephone or Internet taps Lawful interception allows authorised law enforcement
agencies to obtain communication network data from individual subscribers. The signalling and
network management information will be cleartext, for example, IP addresses. The contents of the
data can be encrypted, for example, when HTTPS or E2EE is used. In almost all implementations
of E2EE, devices communicate with each other through a server, which is also the Achilles heel of
these systems. There are several options to eavesdrop on encrypted messages, such as:
   • If the implementation contains a bug, an exploit can be deployed to eavesdrop on the con-
     versation. This has happened to WhatsApp.
   • If the administrators of the server make mistakes, the server can be hacked. That has
     happened to Encrochat.
   • If the administrators of the server are issued a subpoena by the court to hand over data
     from specific customers, they will have to comply. This has happened to HushMail.
   • If law enforcement can pose as a reseller of handsets, they can insert a backdoor into the
     handset before delivering them to the customer. This has allegedly happened to Sky ECC.
   • The judiciary can also take the servers down and arrest the owners. This has happened to
     Phantom secure.
In all cases mentioned above, the servers probably provided more valuable evidence to law en-
forcement than phone or Internet taps.

Research questions The law ensures that an offender is only convicted if all evidence is legally
obtained and conclusive. Suppose that the content of a message from an offender is encrypted.
The court may still be able to see to whom the offender has sent the message, but the court does
not learn the content of the message. Then the message could be legal evidence, but the court will
probably deem it inconclusive. Also, assume that there is no other evidence, just the encrypted
message. Then, all cases where the offender has used E2EE will lack conclusive evidence and are
either not brought to court or lead to an acquittal by the court. This is a hypothetical situation,
as there should be enough other evidence to convict the offender, for example, location data. It
does not matter whether the offender has used a PGP phone or WhatsApp because in both cases,

                                                 3
the phone must communicate regularly with a cell tower. The location of the phone in question is
therefore known to the telco. And with the location data obtained from the telco, the court may
decide that the evidence is conclusive. Because E2EE may reduce the number of options that law
enforcement has to collect legal and convincing evidence, our first research question is: To what
extent does law enforcement use its special powers when offenders resort to E2EE? (RQ1)
    Cases for which the police cannot obtain sufficient evidence are normally not tried in court.
We have made inquiries at the Netherlands Forensic Institute, but unfortunately, no public data
or statistics are available on these types of cases. Our analysis is therefore limited to cases brought
in front of the courts. Because acquittal can be a consequence of the use of E2EE, our second
research question is: To what extent are offenders using E2EE acquitted? (RQ2)

3     Method
In six years (2015 - 2020), the Dutch district courts published 25,366 anonymized court judgments
on rechtspraak.nl. This represents about 5% of the total number of court judgments in that period.
The courts publish all judgments with a crime against life, where the maximum sentence is at least
four years, or when the court expects interest from the public or journalists. Therefore, judgments
of the most serious cases are likely to be included in our data set.
    To answer RQ1, we will compare court judgments in which the offender has used PGP to court
judgments from a precision-matched control group. For each PGP case, our precision matching
algorithm searches for another judgment where (a) E2EE has not been used, and (b) the set of
offences of the matching judgment includes the set of offences of the PGP case. For example,
a drug-related offence matches a drug-related offence combined with money laundering. The
matching algorithm ensures that each matching case represents a set of offences that is at least as
serious as the offences of the PGP case. Therefore, we expect law enforcement to use at least the
same number of special powers for the matching case as for the PGP case.
    To answer RQ2, we will investigate the conviction rates of three groups: PGP cases, WhatsApp
cases, and the control. If indeed, as claimed by advocates of E2EE restrictions, that E2EE perverts
the course of justice, we would expect the conviction rates for E2EE groups to be lower than for
the control.
    To support the statistical analysis of the court judgments, we define an independent variable
and two dependent variables as follows:
    • The first dependent variable special power encodes the special powers used by law enforce-
      ment in reaction to the offender using E2EE.
    • The second dependent variable decision encodes whether the offender is convicted or acquit-
      ted.
    • The independent variable technology encodes whether the offender used PGP, WhatsApp,
      or neither (control). A case with both WhatsApp and PGP is considered a PGP case.

Descriptive statistics The total number of court judgments for the three groups is N=3,214.
This is about 1% of the total number of criminal judgments processed by the Dutch district courts
in the given 6-year period. In 439 judgments (13.7%) PGP was used, WhatsApp was used in 2,382
judgments (74.1%), and the control consists of 393 (12.2%) judgments.
    Of the 3214 cases, 20.3% were drugs-related, and 20.3% were violence-related, including Child
Sexual Abuse Material (CSAM) and terrorism. These percentages are higher than the national
averages of 9.7% and 9.2% respectively [9, Table 6.2 and 6.12] because the courts mainly publish
judgments of serious crimes.
    The offender is female in 9.3% of judgments. The average age of the offender at the time
of the court ruling is 34.1 (SD = 12.6) years. Of the offenders, 38.1% are first-time offenders,
and 34.8% are repeat offenders. These demographics are consistent with the demographics of the
whole population of Dutch criminal offenders convicted for serious crime [14].

                                                  4
Of the 3,214 judgments, 83.0% have resulted in incarceration, including involuntary commit-
        ment, imprisonment, and military detention. The average length of incarceration is 33.6 (SD =
        44.3) months, which is more than eight times the national average of 4 months [9, Table 6.11],
        again because of the focus on serious crime. Community service represents 8.0%, acquittal 5.4%,
        and a fine 1.3%. The remaining 2.3% of the judgments are procedural, such as an extradition
        request and pre-trial hearings.
            The police have used their technical special powers as follows: in 50.5% of cases, a phone or
        Internet connection was tapped; in 16.9% of cases, a seized mobile phone was read out; in 6.9%
        of cases, cell tower data was requested. The Dutch police have hacked into the offender’s systems
        eight times in 2019, just after passing the relevant law that made this possible. However, none of
        those judgments are public (yet), so that we have no data on police hacks.

        Table 1: Contingency table of court cases using specific technology (left) versus offence type (top)
          Property Violent Public General             Road      Drug Weapon            Other (Proce-        Total
            offence offence      order     provi-    traffic related      related criminal       dural)
                               offence      sions offence offence         offence     offence
WhatsApp        656      996       224         17        27        216         53         126        67      2382
cases        27.5%     41.8%     9.4%       0.7%      1.1%       9.1%       2.2%        5.3%      2.8% 100.0%
PGP cases        30        60       50         14          1       233         12          39         0       439
              6.8%     13.7%    11.4%       3.2%      0.2%     53.1%        2.7%        8.9%      0.0% 100.0%
Control          62        57       43          0          3       202         12          14         0       393
             15.8%     14.5%    10.9%       0.0%      0.8%     51.4%        3.1%        3.6%      0.0% 100.0%
Total           748     1113       317         31        31        651         77         179        67      3214
             23.3%     34.6%     9.9%       1.0%      1.0%     20.3%        2.4%        5.6%      2.1% 100.0%

        Table 2: Contingency table of court cases using specific technology (left) versus special power used
        by law enforcement (top)
                         No special Tapped Tapped Tapped Tapped /                      Total
                             power                and/or     and/or readout /
                                                  located readout         located
         WhatsApp cases         982        879         80        404           37      2382
                             41.2%      36.9%       3.4%      17.0%         1.6% 100.0%
         PGP cases               87        145         38        123           46        439
                             19.8%      33.0%       8.7%      28.0%        10.5% 100.0%
         Control                263         83         17          27            3       393
                             66.9%      21.1%       4.3%        6.9%        0.8% 100.0%
         Total                 1332      1107         135        554           86      3214
                             41.4%      34.4%       4.2%      17.2%         2.7% 100.0%

        4     Results
        Table 1 tabulates the crime rates for the eight main offence types defined by Statistics Netherlands
        cbs.nl. Other criminal offence tallies offences not covered by any of the other categories, for
        example, environmental crime or economic crime. Sometimes procedural judgments are not tied
        to a specific offence, for instance, extraditions. These are tallied in a separate column to be able
        to account for all 3,214 judgments. An offender may commit more than one crime, but we have
        counted only the offence with the most severe maximum sentence. A χ2 test of association between
        technology and offence type was found to be statistically significant (χ2 (16) = 854.7, p < 0.0005).
        This means that the different crime rates for offenders using a PGP phone or WhatsApp are

                                                         5
Table 3: Contingency table of technology (left) versus decision (top)
               Convicted Acquitted (Procedural)          Total
 WhatsApp cases     2220         117              45      2382
                  93.2%        4.9%            1.9% 100.0%
 PGP cases           397          28              14        439
                  90.4%        6.4%            3.2% 100.0%
 Control             351          28              14        393
                  89.3%        7.1%            3.6% 100.0%
 Total              2968         173              73      3214
                  92.3%        5.4%            2.3% 100.0%

unlikely to exist due to chance. As expected, the statistics of the precision-matched control group
closely resemble those of the PGP cases.
    Table 2 shows the relationship between the variables technology and special power. A χ2
test of association between technology and special power was found to be statistically significant
(χ2 (8) = 331.3, p < 0.0005). Therefore, we may conclude that the police (a) uses its special
powers more for PGP and WhatsApp cases than for the control group, (b) prefers the tap over
other special powers (34.4%), (c) uses the tap often in combination with other special powers
(24.1%), and (d) has not used its special powers in all cases and therefore still has powers to
deploy.
    Table 3 shows the relationship between the variables technology and decision. In a procedural
judgment, the offender is neither acquitted nor convicted. This column is included to account for
all 3,214 judgments. A χ2 test of association did not reveal a significant difference between the
conviction rates of the three groups. This means that there is no evidence that the outcome of a
trial depends on whether the offender used E2EE.

5     Discussion
Research questions The answer to RQ1 is that law enforcement uses more special powers in
cases where offenders use EE2E than where they do not. This places a burden on law enforcement
and ultimately on the taxpayer. However, law enforcement does not use all its special powers, and
it does not use special powers for all cases either. More specifically, we have shown that taps, cell
tower data requests, and seized phone readouts are more frequent for PGP cases than other cases.
This can be explained by assuming that in a PGP case, a mere Internet tap would not provide
enough data to create conclusive evidence. We have also shown that law enforcement does not
use all its special power for all cases. This suggests that law enforcement has sufficient options to
fight crime while the use of E2EE is not restricted.
    Some courts seem to hint towards legislative action against ‘criminal use’ of E2EE, as evidenced
by phrases from court judgments such as:
    • “Encryption telephones can be used to commit similar crimes, and their uncontrolled pos-
      session is contrary to the public interest, now that this type of telephone is often used in
      criminal circles.” ECLI:NL:RBAMS:2020:2075.
    • “This crypto phone belongs to the accused and is of such a nature that its uncontrolled
      possession is contrary to the law or the public interest.” ECLI:NL:RBZWB:2020:1216.
    • “The court is officially aware that such telephones are mainly used in criminal circles to hide
      conversations from the judicial authorities.” ECLI:NL:RBAMS:2019:2541.
The operational phrase in these citations is “uncontrolled possession” with which the judge indi-
cates that PGP phones should not be used by just anyone. What the courts have probably not
considered is whether controlling possession is feasible. The courts also did not consider the fact

                                                  6
that the same technology is used by WhatsApp. If the legislator restricts the use of EE2E, the
authorities would have to verify that all service providers duly implement the restrictions. We
think that this would be a heavier burden on governments (and on the taxpayer) than the status
quo.
    The US attorney general claims that CSAM platforms and their actors who use encrypted
messaging to communicate should be combatted by mandating a backdoor into all uses of E2EE.
Naturally, we also want to see the successful prosecution of CSAM cases but wonder whether a
backdoor is appropriate [12]. We have shown that in the Netherlands, the police have sufficient
resources at their disposal to act effectively, even if offenders use E2EE. There is no question that
E2EE without back doors makes the work of the police more difficult. But it is also not true that
offenders in CSAM or terrorism cases who use E2EE go free.
    The answer to RQ2 is that there is no evidence in our dataset that the conviction rate of
offenders who use EE2E differs from the conviction rate of offenders who do not use EE2E.
Moreover, it behooves us to assure that the 28 offenders in the dataset who used PGP and were
acquitted were not terrorists or child abusers - as 20 out of the 28 cases are drugs-related. A
further 3 are money laundering cases, 3 are murder cases, and 3 are extortion cases. There were
no CSAM or terrorism cases amongst the 28. In 18 out of the 28 judgments, there was insufficient
evidence to convict the offender, but there was enough evidence to convict a co-offender. This
means that in the remaining 10 out of 439 cases (2.7%), a crime was committed while the offender
was acquitted for lack of legal and convincing evidence.

Public-policy debate The former U.S. Attorney General and his law enforcement colleagues
bring up the burden of additional police costs to work around E2EE. But there are other interests
too. For example, national security agencies will never use backdoor encryption because of the
risk of the key to the back door ending up in the wrong hands. And confidentiality is crucial for
national security agencies. Also, the commercial use of E2EE with a back door would probably
not be viable because of the risk that a competitor would get hold of the keys. This means
that many legitimate users of E2EE will find alternative means of secure communication that law
enforcement will not be able to tap, thus aggravating the problem for law enforcement rather than
ameliorating it.
    The European Council, in its draft resolution on encryption of 6 Nov 2020, proposes to follow
the lead of the US attorney general. One of the triggers for this initiative is the recent Vienna
terrorist attack. What we know about this attack is that the gunman who was shot dead by the
police was imprisoned in April 2019 to serve a 22-month term for terrorist activities. Unfortunately,
he managed to persuade the Austrian deradicalization program that he was no longer a threat and
he was therefore released on parole in December 2019. It is unlikely that banning E2EE would
have prevented this error. When making decisions, the justice system has an unenviably difficult
task of (1) protecting society, (2) punishing offenders, and (3) not overwhelming the resources of
the criminal justice system. Sentencing decisions must be made in a limited amount of time and
based on limited information. This can lead to errors, but we believe that the likelihood of such
errors can be reduced by providing appropriate resources to the criminal justice system.
    If E2EE is weakened by policies that demand a back door, an infrastructure is needed to manage
those backdoors. Every nation-state will need to access these backdoors to prosecute its nationals,
including states on the EU sanctions list. We believe that this is a recipe for disaster. Banning
E2EE will simply force terrorists, drug dealers, and pedophile rings to use alternative technologies.
Well-funded offenders are already starting to develop their encryption platforms MPC. Initially,
such tools will have many issues, but over time they will get better and will create a formidable
obstacle to law enforcement.
    Law enforcement currently does an excellent job of taking down dubious companies like Phan-
tom Secure. Recent law enforcement operations against these dubious companies show that there
are sufficient opportunities to monitor them and to act upon information that shows their involve-
ment in illegal activity. Our recommendation is therefore not to build a back door into every
application of E2EE, but to keep a watchful eye on relevant, ’criminal’ service providers.

                                                 7
Limitations Our analysis is focused on PGP and WhatsApp, as only nine cases mention Signal
and two mention Telegram. We do not know when special powers have proven insufficient for
law enforcement to build a case because such information is confidential. Instead, we have used
acquittal by the courts as an indication of inconclusive evidence. The data we have used stems
from the Dutch government and is not necessarily representative of other countries. The dataset
also represents about 1% of all criminal judgments in the Netherlands.

6    Conclusions
The information position of technology companies and governments today is vastly superior to
that of the nineties due to massive surveillance from online and offline sources. Encryption is
one of the few technologies available to law-abiding citizens, corporations, and national security
agencies that protect privacy. Criminals use that same technology, but does this give governments
the right to take that last protection away from us? We believe that this would be akin to throwing
the baby away with the bathwater. We have shown that law enforcement in a democracy with
sufficient checks and balances can do its work without legislation that breaks encryption. And
more specifically, an offender using E2EE does not necessarily influence the outcome of a criminal
court case.

Acknowledgment
Conversations with Phil Zimmermann have been a great source of inspiration for this work. We
thank Roel Wieringa for his comments on the paper.

References
 [1] Ruba Abu-Salma, M. Angela Sasse, Joseph Bonneau, Anastasia Danilova, Alena Naiak-
     shina, and Matthew Smith. Obstacles to the adoption of secure communication tools. In
     IEEE Symp. on Security & Privacy (S&P), pages 137–153, San Jose, CA, May 2017. IEEE.
     DOI:10.1109/SP.2017.65.
 [2] Steven David Brown. Hacking for evidence: the risks and rewards of deploying malware in
     pursuit of justice. ERA Forum: J. of the Academy of European Law, 20:423–438, Feb 2020.
     DOI:10.1007/s12027-019-00571-z.
 [3] Edward L. Carter. ”not to disclose information sources”: Journalistic privilege un-
     der article 19 of iccpr.  Communication Law and Policy, 22(4):399–426, Oct 2017.
     DOI:10.1080/10811680.2017.1364912.
 [4] Fred H. Cate, Dan Boneh, Frederick R. Chang, Scott Charney, Shafrira Goldwasser, David A.
     Hoffman, Seny Kamara, David Kris, Susan Landau, Steven B. Lipner, Richard Littlehale,
     Kate Martin, Harvey Rishikof, and Peter J. Weinberger. Decrypting the encryption debate:
     A framework for decision makers. Consensus study report, The National Academies Press,
     Washinton DC, 2018. DOI:10.17226/25010.
 [5] Per Enge and Pratap Misra. Special issue on global positioning system. Proceedings of the
     IEEE, 87(1):3–15, Jan 1999. DOI:10.1109/JPROC.1999.736338.
 [6] Europol. Second report of the observatory function on encryption. Joint reports, EuroPol
     and EuroJust public information, Feb 2020. https://www.europol.europa.eu/publications-
     documents/second-report-of-observatory-function-encryption.
 [7] Joan Feigenbaum. Why the law-enforcement access question will not just go away. Commun.
     ACM, 62(5):27–29, May 2019. DOI:10.1145/3319079.

                                                8
[8] Marcus Felson and Mary Eckert. Crime and everyday life. Sage publishing, London, sixth
     edition, 2019.
 [9] Ronald F. Meijer, Susan W. van den Braak, and Sunil Choenni.        Crimi-
     naliteit en rechtshandhaving 2019 ontwikkelingen en samenhangen.   Cahier
     2020-16, Wetenschappelijk Onderzoek- en Documentatiecentrum (WODC), 2020.
     https://repository.wodc.nl/handle/20.500.12832/254.
[10] Catherine O’Rourke. Is this the end for ’encro’ phones? Computer Fraud & Security,
     2020(11):8–10, Nov 2020. DOI:10.1016/S1361-3723(20)30118-4.
[11] Julie Posetti. Protecting journalism sources in the digital age. Unesco series on Internet
     freedom, United Nations Educational, Scientific and Cultural Organization, Paris, France,
     2017. https://unesdoc.unesco.org/ark:/48223/pf0000248054.
[12] Ronald L. Rivest. The case against regulating encryption technology. Scientific American,
     279(4):116–117, Oct 1998. DOI:10.1038/scientificamerican1098-116.
[13] Wolfgang Schulz and Joris van Hoboken. Human rights and encryption. Unesco series on
     Internet freedom, United Nations Educational, Scientific and Cultural Organization, Paris,
     France, 2016. https://unesdoc.unesco.org/ark:/48223/pf0000246527.
[14] Sigrid van Wingerden, Johan van Wilsem, and Brian D. Johnson. Offender’s personal cir-
     cumstances and punishment: Toward a more refined model for the explanation of sentencing
     disparities. Justice Quarterly, 33(1):100–133, 2016. DOI:10.1080/07418825.2014.902091.
[15] Philip R. Zimmermann. The Official PGP User’s Guide.          The MIT Press, Jan 1996.
     https://dl.acm.org/doi/book/10.5555/202735.

                                              9
You can also read