- Europol’s 2025 Internet Organized Crime Threat Assessment (iocta) indicates E2EE (end-to-end encrypted) apps as an obstacle to studies
- The report also requires better rules for metadata -collection and tracking
- This is coming as the EU Commission has revealed a new plan to set up a Roadmap for Legal and Effective Access to Law Enforcement Data
Criminals are increasingly utilizing encrypted apps from end to end to prevent police investigation, according to Europol’s 2025 Internet Organiced Crime Threat Assessment (IOCTA).
The report also warns that the current metadata collection practice is too limited, which further complicates the work on law enforcement. This is why Europol highlights the need to establish legal access by designing encrypted communication along with EU standards for targeted retention and access to metadata.
Europol’s recommendations repeat the EU Commission’s plan to create an encryption back door for law enforcement – something experts are said to be “deeply concerned” about.
The encryption conundrum
Online services, such as the best VPN, email, messaging apps and other apps, deal with end to end encryption (E2EE) to guarantee that your communication remains private between the sender and the recipient end to the end.
“Technically, E2EE is blocking service providers from accessing communication content, providing warrants for legal access unexplained within the EU. This creates a lack of visibility and ability to investigate, criminal activity,” says Europol’s Iocta report.
This is not the first time that Europol has expressed its concern about the use of encrypted technologies. In a speech with the Financial Times in January, the group’s boss, Catherine de Bolle, said anonymity is not a fundamental right and law enforcement should be able to decrypt encrypted messages to combat crime.
However, technologists, cryptographers and other experts have long argued against the risk of undermining encryption protection. According to the industry, an encryption back door for law enforcement will inevitably compromise the security of everyone.
The latest cyber attacks have shown the need for strong encryption protection. For example, last year’s salt typhoon event, targeting all major US telecommunications, led to US authorities warning all citizens to switch to encryption.
This may be one of the reasons why proposed legislation seeking to undermine encryption continues to fail. Most recently, France rejected a new encryption provision in March in March, when Florida did the same in May. The EU legislators continue to disagree that the chat control proposal also after three years of trial.
“When the content is blocked by E2EE, metadata becomes important for mapping networking and identification of suspects. However, the current legislative landscape lacks harmonized rules and this results in fragmented national policies,” says Europol’s Iocta report.
Metadata refers to all pieces of information that is not the content. This includes IP addresses, location, telephone numbers, who you have talked to, and when, but also the size of your data packages, the patterns they move to, time stamps and so on.
Thanks also to AI-driven tools, metadata traps that enable law enforcement (or any other third party with the necessary skills) for getting a rather accurate picture of people’s online behavior, even without accessing the encrypted content.
The authorities know it and that is why they are pushing for new data storage obligations to be enforced. “Crucial metadata, such as subscriber information or IP logs, are often subject to short or inconsistent withholding periods,” said Europol assessment and advocates for clear standards “for targeted retention and/or accelerating access to essential metadata.”
Again, it is something that technologists have long warned against, and it can make work with non-log VPN and other privacy software impossible.
As mentioned, Europol is not the only group pushing for greater access to users’ encrypted data and their identities.
The EU is also working on legal and effective access to data for law enforcement-the so-called Protecteu strategy, which appears to follow recommendations collected as part of the EU’s Dough Dark Initiative.
The plan includes a timetable for encryption along with an evaluation to also extend data storage obligations for service providers. Experts have so far criticized such a plan and have asked to play a key role in this debate.
While taking another approach to encryption back doors, Switzerland is also considering changing its surveillance law to force online providers to retain certain user’s metadata. This has opened a debate in the country about the need for online anonymity, just as Proton and Nymvpn promise to leave Switzerland if the new rules go.
