EU Plans To Use Supercomputers To Break Encryption, But Also Wants Platforms To 'Create Opportunities' To Snoop On End-To-End Communications

from the there-are-better-ways dept

They say that only two things are certain in life: death and taxes. But here on Techdirt, we have a third certainty: that governments around the world will always seek ways of gaining access to encrypted communications, because they claim that things are "going dark" for them. In the US and elsewhere, the most requested way of doing that is by inserting backdoors into encryption systems. As everyone except certain government officials knows, that's a really bad idea. So it's interesting to read a detailed and fascinating report by Matthias Monroy on how the EU has been approaching this problem without asking for backdoors -- so far. The European Commission has been just as vocal as the authorities in other parts of the world in calling for law enforcement to have access to encrypted communications for the purpose of combating crime. But EU countries such as Germany, Finland and Croatia have said they are against prohibiting, limiting or weakening encrypted connections. Because of the way the EU works, that means the region as a whole needs to adopt other methods of gaining access. Monroy explains that the EU is pinning its hopes on its regional police organization:

At EU level, Europol is responsible for reading encrypted communications and storage media. The police agency has set up a "decryption platform" for that. According to Europol's annual report for 2018, a "decryption expert" works there, from whom the competent authorities of the Member States can obtain assistance. The unit is based at the European Centre for Cybercrime (EC3) at Europol in The Hague and received five million euros two years ago for the procurement of appropriate tools.

The Europol group uses the open source password recovery software Hashcat in order to guess passwords used for content and storage media. According to Monroy, the "decryption platform" has managed to obtain passwords for 32 cases out of 91 where the authorities needed access to an encrypted device or file. A 39% success rate is not too shabby, depending on how strong the passwords were. But the EU wants to do better, and has decided one way to do that is to throw even more number-crunching power at the problem: in the future, supercomputers will be used. Europol is organizing training courses to help investigators gain access to encrypted materials using Hashcat. Another "decryption expert group" has been given the job of coming up with new technical and legal options. Unfortunately, the approaches under consideration are little more than plans to bully Internet companies into doing the dirty work:

Internet service providers such as Google, Facebook and Microsoft are to create opportunities to read end-to-end encrypted communications. If criminal content is found, it should be reported to the relevant law enforcement authorities. To this end, the Commission has initiated an "expert process" with the companies in the framework of the EU Internet Forum, which is to make proposals in a study.

This process could later result in a regulation or directive that would force companies to cooperate.

There's no way to "create opportunities" to read end-to-end encrypted communications without weakening the latter. If threats from the EU and elsewhere force major Internet services to take this step, people will just start using open source solutions that are not controlled by any company. As Techdirt has noted, there are far better ways to gain access to encrypted communications -- ones that don't involve undermining them.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.


Filed Under: backdoors, encryption, eu, hacking


Reader Comments


  • Anonymous Coward, 29 Jul 2020 @ 3:58am

    Total surveillance results in a stable government, as in East Germany and the USSR. Those governments were so stable that the countries, and their ruling regimes no longer exist.

  • Anonymous Coward, 29 Jul 2020 @ 4:05am

    Justified with the same old and tired arguments

    Namely child porn. At least, the CSAM neologism didn't catch on yet.

  • Anonymous Coward, 29 Jul 2020 @ 5:07am

    I am a bit more concerned about our government "going dark" than I am of the general public.

    • Anonymous Coward, 29 Jul 2020 @ 5:36am

      Re:

      If people weren't such shitheads on this planet, there would be less reason for all the darkness. But you can't trust ONE person in any government.

  • Upstream, 29 Jul 2020 @ 5:20am

    Encryption workarounds

    From Glyn's earlier article about far better ways to gain access to encrypted communications:

    access plaintext while the device is in use

    Without the cooperation of the subject of the investigation, which is unlikely, this could well involve requiring the installation of malware on end devices. Google, Facebook, and Microsoft are in a position to do this, although some would argue these companies' products are malware themselves. Old jokes aside, of all of the presented "workarounds to encryption," this one is most reminiscent of an all-seeing, authoritarian Big Brother dystopia. I think the root of the problem is lack of good government. Good government wouldn't be suggesting these things to begin with. How to get from here to there is a good question.

    • Scary Devil Monastery, 29 Jul 2020 @ 6:42am

      Re: Encryption workarounds

      "Without the cooperation of the subject of the investigation, which is unlikely, this could well involve requiring the installation of malware on end devices."

      Ah, this is where we bring the not that old project of the German police force "Bundestrojaner" to the table. The semantic translation of which would be "Federal Trojans". Fortunately something the German constitutional court struck down with bolts of thunder, but which I would be very surprised not to see showing up as suggestions by the EU commission at some point.

      • Anonymous Coward, 29 Jul 2020 @ 9:15am

        Re: Re: Encryption workarounds

        What does a bolt of thunder look like, exactly? It sounds scary.

        • Scary Devil Monastery, 30 Jul 2020 @ 1:38am

          Re: Re: Re: Encryption workarounds

          In this context it would look like a big hammer shaped like a judge's gavel, I think.

  • Norahc, 29 Jul 2020 @ 5:27am

    Anyone else see the EU Big Tech Payday coming?

    The EU eventually passes rules that require tech companies to compromise the security of their users' information or they will likely face hefty fines. The GDPR currently requires that companies protect customer information or face hefty fines.

    Sure looks like the EU wants big tech to pay them in a big way no matter what.

  • Anonymous Coward, 29 Jul 2020 @ 5:32am

    Pointless

    Let's be a little realistic here. The claim of using supercomputers to break encryption is a publicity stunt/negotiating point (mostly). The remainder of mostly is about the increasingly vicious VIP crowd (of all political flavors) feeling increasingly vulnerable to being obligated to account for their misdeeds or worse being replaced.

    For ordinary crime, the cost of super computer time is sufficient that it is cheaper for any government to fabricate false evidence and railroad the accused than actually break into encrypted communications.

    The VIP crowd is very afraid of the technical community. They know that they are not smarter, or more ruthless than (part) of the technical community. Thus there is reason to believe that the current crop of VIPs are on the chopping block. Should any significant portion of the technical community seek to usurp the VIP crowd, then the VIP crowd is in a world of hurt. The VIP crowd NEEDS the technical community to keep their way of life and privileges going. The technical community doesn't need the VIP crowd similarly. Ergo, the "let's break encryption" rhetoric is to control the technical community (or techno-rabble as the VIP crowd likely sees them).

    • Anonymous Coward, 29 Jul 2020 @ 6:10am

      Re: Pointless

      ...it is cheaper for any government to fabricate false evidence and railroad the accused than actually break into encrypted communications.

      I'm sure what is new about that. It has always been cheaper to fabricate false evidence than to actually find proof. Kipling wrote about an India where for a few rupees you could purchase a murder accusation against anyone (complete with corpse). The only question is: do the ethics matter? And that's a decision each person always has to make for himself. (Having made an unethical decision, one typically assumes everyone else will make the same one. But that's never been true.)

  • Anonymous Coward, 29 Jul 2020 @ 5:57am

    There's a lot of surveillance in Russia, China has total surveillance,
    unfortunately their governments are pretty stable.
    We see more countries like Poland and Hungary going to extreme right wing governments.
    Many western tech companies sell apps and software to countries like Saudi Arabia where they are used to clamp down on dissenters or people who might be potential protestors.
    Most people use apps and browsers on laptops or phones, it's easy to get a court order to get any person's browsing data and data on messaging apps or SMS texts.
    Look at Australia, it's a western liberal country, it brought in laws to access
    data on any person or company server, whether it's encrypted or not.
    They can ask any person or employee to hand over data to the police
    at any time.
    Companies have to hold on to data in a form that is ready to be accessed by the police in the future.

    • mksmith, 30 Jul 2020 @ 3:39am

      Re:

      So basically what you're saying is, "There is no challenge for the EU to do what Russia and China are already doing". Is that a correct assessment?

  • Anonymous Coward, 29 Jul 2020 @ 7:34am

    That's why the EU loves China.

  • Anonymous Coward, 29 Jul 2020 @ 10:31am

    Just listening to Barr on TV yesterday I realized 'It's over.' These people - all of them - Republicans, Democrats, are lawyers and salesmen, an occasional doctor, and an assortment of whatever.

    They have absolutely no understanding of actual encryption. They have never encrypted or decrypted anything - not even as an amusement. Talking to them about symmetric vs. asymmetric processes would be like trying to train my neighbor's labradoodle to read. Explaining that good vs. bad is meaningless in a mathematical process is futile.

    They have no clue about the math behind encryption, the history of it, or its direction and likely future value. They see no good value because 'bad people can use it'?

    They WILL force either back doors or a weakening in their efforts to light up what they see as a dark place - whatever the hell they think that means. And they will be proud to have done it. Thinking themselves brilliant, they'll probably make open-source algorithms illegal - why not? Think not? Research Romania and typewriters... It was illegal to own one without registering the typed printout from it with the authorities.

    When they are so foolish and successful, they'll simply kill off internet transactions as encryption will become worthless. If they escape that fate, then whichever sovereign country still allows encryption without training wheels will own commerce over the internet.

    We live in such stupid times.

    • feldie47, 29 Jul 2020 @ 10:34am

      Re:

      Why did the above comment that I submitted appear under someone else's name?

      • Anonymous Coward, 29 Jul 2020 @ 12:52pm

        Re: Re:

        You weren't logged in. Anonymous Coward is the name of everyone who has not logged in. You will notice that your icon is the same, however.

    • Anonymous Coward, 30 Jul 2020 @ 5:54am

      Re:

      Some of our esteemed leaders, aka politicians, lawyers, salespeople employ staff members who have acquired knowledge and experience in the real world. Clearly, not enough of them however.

  • Glenn, 29 Jul 2020 @ 11:25am

    Government types think (well, no, they don't "think" at all) everyone is a criminal... they just need to find out what crime it is exactly that everyone has committed, all in an effort to make their own existence have a purpose (which it doesn't really have). In their own case, anyway, they're right. They steal our tax dollars in order to find ways to make themselves feel justified in not actually doing the job they're supposed to be doing. Nothing is more essential to them than their own self-importance. They don't know that they meet "the enemy" every time they look in the mirror... and they probably never will.

  • ECA, 29 Jul 2020 @ 12:40pm

    I don't know..

    I really don't think the gov. has any understanding of What will happen.
    I really get this strange idea that either a corp is backing all of this idea, or it's a great way to Backdoor Every country in the world.

    The only thing I see happening, is that Encrypted sales and Computers will be open to ANY, company, Corp, nation, that wished to spy on our data.. And there are only a few groups that would really want this.

    It would also add something STUPID.. Proof of Identity. More Proving who you are. Perfect ID is ridiculous. Unless you wish to Bag and tag everyone with a Scan code.

    If you are into the 1 world, conspiracy... this can be the big jump.

    • Anonymous Coward, 30 Jul 2020 @ 11:22am

      Re: I don't know..

      Actually, proof of identity becomes impossible on the internet without good encryption.

      The best you could hope for would be using a dedicated and air gapped pin-code generator for every request. Why? Because without good encryption the passwords we use today would be exposed the second we tried to use them. Therefore a replacement that would change after each use is needed. Rendering any capture by prying eyes irrelevant as the codes couldn't be reused.

      Of course, no-one would want to do nor fund the deployment of such generators. Why? We have them today but few places use them due to the risk of losing them, and the cost of deployment. Of course both issues are irrelevant if everyone must have one for everything, but that also creates an opportunity for prying eyes to try and "backdoor" the generators as well.

      Also, session ids would become useless without some way to protect them from prying eyes. Be they the eyes of criminals or not. A server would therefore need to validate every request sent to it, and that would mean full re-authentication for every request. No user would accept that, so web pages would have to be drastically altered to account for it. (Especially e-commerce sites, the entire order submission would have to be done on one page, and a code for both your bank and the site itself would need to be sent at the same time.)

      In reality, it would mean the death of most of the internet as we know it. As most AD supported sites (which includes all social media sites and places like YouTube) would no longer be getting funds that way. (AD trackers need to identify you as well.) As well as e-commerce sites. (The cost of making the transition to code generators and getting people to use them would drive away investors and users alike.) The only sites that would still be around are the ones funded by donations / subscriptions and their owners.

      • ECA, 31 Jul 2020 @ 2:22pm

        Re: Re: I don't know..

        And you have the correct point.
        Who would benefit?
        Every company NOT on the net. Back to local sales.
        But something you may not know.
        If you ordered a Book from out of state, it was not taxed, until recently. Taxes were only from internal companies Inside the state. Because of the internet.. it was changed.

        If they open the internet, and decrypt everything, it May die. or go back to what it was 30+ years ago.

  • Pixelation, 29 Jul 2020 @ 6:24pm

    As always

    This is a "just the tip" conversation.

  • Anonymous Coward, 29 Jul 2020 @ 6:45pm

    Superc9mputers arw no match for what i.like to call "booby trap" mide.

    This setting on android makes rhe phone wioe and reset after 16 failed password attempts

    This plis enceyption rulo make yiur phine cop proof

    Whenever i take road trips anywhete in.the Constition Free Zone i disl. up ky phones settings to theae imdane cop proof levels so that if my.phone is ever seized they will be able to access the content

    This inccludes trips to disneyland, which is in that zone.

    This also includes trips to canadas wonderland because there is no way to get to toromto from.the west coast without going through michigan.

    • Anonymous Coward, 30 Jul 2020 @ 5:56am

      Re:

      Spellcheckers are no match for the dedicated individual.

      • Anonymous Coward, 30 Jul 2020 @ 7:56am

        Re: Re:

        No one pays a spellchecker and dedicated individuals are being replaced for just that reason.
