EU Plans To Weaken Encrypted Communications Despite Countless Warnings It Can't Be Done Safely
from the even-with-the-necessary-hashtags dept
Last week, the UK's Home Secretary Amber Rudd said that WhatsApp risked becoming a "place for terrorists to hide." Then, like many others that have used this tired old trope, she went on to call for the development of some magic unicorn key to unlock all encrypted communications, one that was somehow available only to those on the side of truth, beauty, law and order, and not to the other lot. In doing so, her cluelessness was particularly evident, as her invocation of the "necessary hashtags" emphasized, but she's not alone in that. Despite the chorus of experts pointing out for the thousandth time why it's not possible, the EU Justice Commissioner has just said that the EU must have magic unicorn keys, too. As EurActiv reports:
The European Commission will propose new measures in June to make it easier for police to access data on internet messaging apps like WhatsApp, EU Justice Commissioner Věra Jourová said yesterday (28 March), heeding calls from national interior ministers.
Jourová said she will announce "three or four options" including binding legislation and voluntary agreements with companies to allow law enforcement authorities to demand information from internet messaging apps "with a swift, reliable response".
...
Jourová said the measures would make it easier for law enforcement authorities to request and access data from online services that are registered outside their jurisdictions.
Jourová went on to complain that law enforcement authorities are currently dependent on service providers to provide voluntary access to encrypted communications. But as Techdirt pointed out recently, that's just not true: there are a number of encryption workarounds available. You might expect politicians to be at sea when it comes to complex digital technologies, but you would hope that their expert advisors would fully understand things. And yet here is what Gilles de Kerchove, the EU's anti-terrorism coordinator, told EurActiv:
the question is, can you open a backdoor for Europol [the EU's law enforcement agency] only, or would that at the same time create a vulnerability and open a backdoor for the Russian mafia or third party state spies?
Hey, Gilles, let a dozen of the world's top security and crypto experts save you time and effort by giving you the answer to that crucial question: "No, you can't." Got it? Can we please move on now?
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: backdoors, encryption, eu, going dark, vera jourova
Reader Comments
"a swift, reliable response"
[ link to this | view in chronology ]
Just Say, "No"
Those "workarounds" all rely on the user's stupidity, ignorance, incompetence, or submission to coercion. There is no current workaround for properly implemented, strong encryption and a steadfast refusal to yield the key.
As for safe backdoors, they exist only in the febrile imaginations of the math-challenged.
[ link to this | view in chronology ]
What do you have against magical unicorns?
And you most certainly can keep those keys in the hands of a selected few people, for access in an emergency.
But that's useless for law enforcement. Law enforcement wants a process useful for mass invocation (via warrant or even on bulk communication). There is no way to make an online process for master key based decryption, distributed or not, safe from eventual compromise.
Either it is reserved for emergency use (with some probability that it will stay uncompromised at least until it has been used a few times), or it is intended to be used routinely in which case the probability of timely compromise is 100%.
If one redefines "emergency" as "routine", any master key scheme is bound to fail. And "emergency" is so convenient to wave around that it is done all the time.
[ link to this | view in chronology ]
Re: What do you have against magical unicorns?
You really think that will stay secure? If so you really don't understand how much effort will go into getting those keys. It will quite literally be EVERY BLACKHAT hacker in the world racing to get those keys. (not to mention all the security researchers trying to work it out)
So you're basically saying that you think you can make a master key to all locks, wave it in the face of every criminal in the world and then lock it up somewhere they can't get it.
I'm sorry, but any time you have a system like that vs the entire world's hacker community, I am betting on the hackers.
[ link to this | view in chronology ]
Re: What do you have against magical unicorns?
The "via warrant" option doesn't apply as a rationale for a backdoor. If law enforcement wants a process useful for a limited number of specific cases, they already have it (judicially authorized planting of hardware or software bugs). The only reason to want a backdoor is to routinely snoop on bulk communication.
[ link to this | view in chronology ]
A garden hose vs a tsunami
Worse actually, so much worse.
As I understand it with game DRM the people looking to crack it are generally doing it for the prestige, being able to brag about how quickly they cracked the new 'awesome DRM protections'. With a unicorn gate everyone is going to be looking to crack it, from criminal groups up to and including government agencies from other countries, as doing so would give them access to everything it 'protected', and if you've got some idiots in government that want 'no safe spaces' for anyone not them, then that's pretty much everything.
With that kind of opposition any unicorn gate system would be compromised in a matter of days I'd guess, a week at the most. The leprechaun key would be just too valuable to protect.
[ link to this | view in chronology ]
Re: A garden hose vs a tsunami
See, that's what I find fascinating with Americans. They think government agencies from other countries trying to crack U.S. citizens' communications are criminals.
You'd think that U.S. government agencies should be prime candidates for being held to U.S. laws. I mean, they are even paid for it and swear oaths to do so.
[ link to this | view in chronology ]
And do the same security agencies that keep reminding us of the dangers of Putin siphoning off any information he can get his hands on to manipulate us really insist on making it easier for Putin & co to spy on us?
[ link to this | view in chronology ]
Re:
The simple fact is, encryption is just math. Any terrorist group can get open source software and create their own way to communicate. Even though there are also simple ways to communicate that will also be secret.
The only people you really hurt with these B.S. laws are the 99% normal population users. Those are the only ones screwed in the end. Cracking and reading some text after the fact stops nothing. What does that get you? So that means you would have to be decrypting on the fly non-stop on everyone and everything looking for terrorist keywords. That in the end is what they want.
[ link to this | view in chronology ]
Re:
Well, the government has already shown it's horrible at keeping secrets. The one master key setup they did get put in place has already leaked. What's worse, since the government doesn't pay the penalty for the leak, the government doesn't care.
Food safety, transportation safety, and assorted other regulations are not about security or keeping secrets. In fact, they work better when everything is out in public view. The safety regulations are all about setting minimum standards and then ensuring that those standards are met.
[ link to this | view in chronology ]
Re: Re:
If the Government is horrible at keeping secrets, why in the world would we put them in charge of our privacy?
[ link to this | view in chronology ]
Re: Re: Re: Re:
" it simply mandated that companies not violate our privacy without our informed consent"
No it did not, I suggest you educate yourself "moron". It mandated that ISPs not share specific data without our consent. Google, Facebook, and other non-ISP companies had an exception carved out. Even these rules, which were never actually implemented, were not going to protect you from everything.
Using basic tools was expected to have just as good a chance of protecting you as these "rules". These tools also have the added benefit of making it more difficult for the Government to snoop.
"For the changes that have been made today, those tools are going to be effective, because the uses that the ISPs are likely to be interested are, frankly, these tailoring and targeting uses — and so (these tools) for most people are going to be reasonable. They're not going to promise you absolute privacy, but neither would have the FCC rule. .."
http://www.npr.org/sections/alltechconsidered/2017/03/28/521813464/as-congress-repeals-internet-privacy-rules-putting-your-options-in-perspective
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
You're the moron, moron. You just proved my point trying to refute it. :P :D
[ link to this | view in chronology ]
Re: Re: Re:
Privacy rules aren't about preventing the leaks or theft of data (irregular events that organizations don't intentionally cause and don't want to happen), but about restricting what can be done with data (regular processes that organizations do intentionally cause and do want to happen). So skills at privacy aren't logically connected to skills at keeping secrets.
[ link to this | view in chronology ]
The evil me keeps saying 'let them screw it all and make it cost a lot so they will understand the problem'.
[ link to this | view in chronology ]
A place for terrorists to hide
Try replacing WhatsApp with:
* private homes
* private gatherings
* basements
* motel rooms
* aircraft lavatories
* automobiles
[ link to this | view in chronology ]
Government vs Terrorism
Last week, the UK's Home Secretary Amber Rudd said that WhatsApp risked becoming a "place for terrorists to hide."
The criminals in government are able to hide in broad daylight thanks to their enablers in the mass media who use lies of omission and outright propaganda that serve to keep the public in a state of ignorance.
Who should the people be more wary of?
"Official" state sanctioned murderers espousing specious fantastical unicorn solutions to problems wholly created by governments that are collectively responsible for the death of over 200 million human beings in the 20th century.
Or
Terrorism, unfortunately there are only very spotty records available that track deaths attributed to terrorism in the 20th century but if we use the most recent data available for the year 2015 (approximately 50,000 worldwide terror deaths) and double it to 100,000 persons killed per year every year and then multiply that by 100 years the terrorist pikers (in comparison to government) were responsible for the death of 10 million human beings.
It is clear the greater danger to humanity is from government.
Highlighted text below was excerpted from the website National Center for Policy Analysis a report titled - Murder by the State by Gerald W. Scully:
At least 170 million people — and perhaps as many as 360 million — have been murdered by their own governments in this century. This is more than four times the 42 million deaths from civil and international war.
http://www.ncpa.org/pdfs/st211.pdf
Highlighted text below was excerpted from a Cornell University peace studies program report titled - Deaths in Wars and Conflicts in the 20th Century by Milton Leitenberg:
“A Beastly Century”: It was a phrase used by Margaret Drabble, a British novelist, in an address to the Royal Society of Literature in London, on December 14, 2000. But of course it was no more than a human century. In 1994, the historian Eric Hobsbawm wrote that 187 million people were “killed or allowed to die by human decision” in what he called the “short century”–a period of about 75 years from 1914 to 1991. The period chosen by Hobsbawm spanned the beginning of World War I to the dissolution of the Soviet Union and the end of the Soviet occupation of its Eastern European “allies.” Given that Hobsbawm is a Marxist historian, his choice of the category “by human decision” was particularly significant. However, the sum that he provided was low by just about 44 million people for the full twentieth century, during which approximately 231 million people died in wars and conflict and, in very large numbers, “by human decision.”
http://www.clingendael.nl/sites/default/files/20060800_cdsp_occ_leitenberg.pdf
Link to deaths attributed to terrorism 1970 to 2015:
http://www.datagraver.com/case/worldwide-terrorism-1970-2015
[ link to this | view in chronology ]
Say it with me: 'You first'
As always when this particular brand of world-class stupid is brought up every single person pushing for it should be faced with an ultimatum:
Either have their own personal data 'protected' by the very thing they're calling for, or shut up and admit that it's a colossally stupid idea.
If they really think that it's possible to magic up a unicorn gate and leprechaun key then great, they can put their money (and email, and medical records, and records of who they've talked to...) where their mouths are and show the public how safe it is themselves.
They'd never agree to something like this of course, because they're special people, and as such not just need but deserve special protection, but it would certainly be nice if people they talked to were willing to call them out on their incredibly stupid, insanely dangerous ideas.
[ link to this | view in chronology ]
mandatory education clearly is too much to ask.
Penalties for failing the course should include 6 months of being followed around by someone with a directional sound cannon playing Rick Astley's greatest hits directly at them at all times.
[ link to this | view in chronology ]
Re: mandatory education clearly is too much to ask.
On the one hand, good Gandhi is that brutal. On the other hand, given in this case we're talking about something that would make everyone less safe and there is no good reason not to know this by now, I can't help but think that it would be suffering well earned.
[ link to this | view in chronology ]
Re: mandatory education clearly is too much to ask.
I'd be happier if they had a THIRD GRADE education on the subject!
[ link to this | view in chronology ]