- Europol’s 2025 Internet Organized Crime Threat Assessment (IOCTA) indicates E2EE (end-to-end encrypted) apps as an obstacle to investigations
- The report also calls for better rules on metadata collection and tracking
- This comes as the EU Commission has unveiled a new plan to create a roadmap for lawful and effective access to data for law enforcement
Criminals are increasingly exploiting end-to-end encrypted apps to impede police investigations, according to Europol’s 2025 Internet Organized Crime Threat Assessment (IOCTA).
The report also warns that current metadata collection practices are too limited, further complicating the work of law enforcement. This is why Europol highlights the need to establish lawful access by design to encrypted communications, alongside EU standards for the targeted retention and access to metadata.
Europol’s recommendations echo the EU Commission’s plan for creating an encryption backdoor for law enforcement – something experts are said to be “deeply concerned” about.
The encryption conundrum
Online services, like the best VPN, email, messaging apps, and other apps, employ end-to-end encryption (E2EE) to guarantee your communications remain private between the sender and the receiver – end-to-end.
“Technically, E2EE blocks service providers from accessing communication content, rendering warrants for lawful access unserviceable within the EU. This creates a lack of visibility of, and ability to investigate, criminal activity,” reads Europol’s IOCTA report.
This isn’t the first time that Europol has expressed its concerns about the use of encrypted technologies. Talking to the Financial Times in January, the group’s chief, Catherine De Bolle, said that anonymity isn’t a fundamental right and law enforcement should be able to decrypt encrypted messages to fight back crime.
Technologists, cryptographers, and other experts, however, have long argued against the risks of undermining encryption protections. According to the industry, an encryption backdoor for law enforcement will inevitably compromise the security of all.
Recent cyberattacks have demonstrated the need for strong encryption protections. For example, last year’s Salt Typhoon incident targeting all major US telecoms led to US authorities warning all citizens to switch to encryption.
This may be one of the reasons why proposed legislations that seek to undermine encryption keep failing. Most recently, France rejected a new encryption backdoor provision in March, with Florida doing the same in May. EU lawmakers keep disagreeing on the Chat Control proposal, too, after three years of trying.
“When content is blocked by E2EE, metadata becomes essential for mapping networks and identifying suspects. However, the current legislative landscape lacks harmonized rules, and this results in fragmented national policies,” reads Europol’s IOCTA report.
Metadata refers to all pieces of information that aren’t the content. This includes IP addresses, location, phone numbers, who you have spoken with, and when, but also the size of your data packets, the patterns they move to, timestamps, and so on.
Thanks also to AI-powered tools, metadata tracking is enabling law enforcement (or any other third party with the necessary skills) to get a pretty accurate picture of people’s online behaviors even without accessing the encrypted content.
Authorities know that, and that’s why they are pushing for new data retention obligations to be enforced. “Crucial metadata, such as subscriber information or IP logs, is often subject to short or inconsistent retention periods,” said the Europol assessment, advocating for clear standards “for the targeted retention and/or expedited access to essential metadata.”
Again, that’s something technologists have long warned against, and that could make the work of no-log VPN and other privacy software impossible.
As mentioned, Europol isn’t the only group pushing for greater access to users’ encrypted data and their identities.
The EU is also working on lawful and effective access to data for law enforcement – the so-called ProtectEU strategy, which seems to follow recommendations collected as part of the EU Going Dark initiative.
The plan includes a roadmap to encryption alongside an evaluation to expand data retention obligations for service providers, as well. Experts have so far criticized such a plan and have asked to play a key role in this debate.
While taking a different approach against encryption backdoors, Switzerland is also considering amending its surveillance law to force online service providers to retain certain users’ metadata. This has opened up a debate in the country over the need for online anonymity, with the likes of Proton and NymVPN vowing to leave Switzerland if the new rules pass.
Leave a comment