EU Still Asking For The Impossible (And The Unnecessary): 'Lawful Access' To Encrypted Material That Doesn't Break Encryption
from the security-through-encryption-and-security-despite-encryption dept
A few months ago, Techdirt wrote about a terrible bill in the US that would effectively destroy privacy and security on the Internet by undermining encryption. Sadly, that's nothing new: the authorities have been whining about things "going dark" for years now. Moreover, this latest proposal is not just some US development. In an official document obtained by Statewatch (pdf), the current German Presidency of the Council of the European Union (one of the key organizations in the EU) has announced that it wants to move in the same direction (found via Netzpolitik). It aims to prepare:
an EU statement consolidating a common line on encryption at EU level in the area of internal security to support further developments and the dialogue with service providers. It should seek to find a proper balance between the protection of privacy, intellectual property protection and lawful law enforcement and judicial access, thereby stressing security through encryption as well as security despite encryption
In other words, the EU is still chasing the unicorn of "lawful access" to encrypted material without somehow breaking encryption. An accompanying unofficial "note" from the European Commission services lists some of what it calls "key considerations", but these are still chasing that unicorn without explaining how that can be done (pdf):
Technical solutions constituting a weakening or directly or indirectly banning of encryption will not be supported.
Technical solutions to access encrypted information should be used only where necessary, i.e. where they are effective and where other, less intrusive measures are not available. They must be proportionate, used in a targeted and in the least intrusive way.
Slightly more detail about the options is found in another unofficial note exploring "Technical solutions to detect child sexual abuse in end-to-end encrypted communications" (pdf). Most of the solutions involve installing detection tools on the user's device. That can be circumvented by using devices without the detection software, or using a service that does not install them. Perhaps the most interesting technical approach involves on-device homomorphic encryption with server-side hashing and matching:
In this solution, images are encrypted using a carefully chosen partially homomorphic encryption scheme (this enables an encrypted version of the hash to be computed from the encrypted image). The encrypted images are sent to the [online service provider] server for hashing and matching against an encrypted version of the hash list (the server does not have the homomorphic encryption keys).
But this only works for services that implement such a scheme, and it only applies to existing images, not general messages or even videos. Moreover, the technology to implement such an approach is still under development.
Essentially, the EU, like the US, is telling people to "nerd harder", and come up with a solution that allows lawful access, but does not break encryption. Since hard nerding for many decades has failed to produce a way of doing that, maybe it's time for the authorities to accept that it just can't be done. The good news is that doesn't matter. Techdirt has been explaining why for years: there are encryption workarounds that mean law enforcement and others can get what they need in other ways. Indeed, one of the EU papers mentioned above provides perhaps the best example of this approach (pdf):
The recent dismantling of the EncroChat network in a joint investigation coordinated by Eurojust and Europol shows the degree to which those involved in criminal activity utilise all available technology, such as crypto telephones, which go well beyond publicly available end-to-end encrypted services.
Although it cites the case of EncroChat -- a Europe-based encrypted mobile network widely used by organized crime there -- in an attempt to prove how serious the problem is, it actually does the opposite. As the detailed explanation of how EU police managed to hack into the network and place malware on handsets explains, breaking the encryption proved irrelevant, because the authorities found a workaround.
The EncroChat bust demonstrates something else that is generally overlooked. It is already clear that far from going dark, the authorities today have access to unprecedented quantities of useful information that can be used to track down suspects and prevent crimes. That's from things like social media and e-commerce sites. But as the EncroChat materials show, when criminals use closed, encrypted channels to communicate, they paradoxically open up, speaking freely about their past, present and future crimes, naming names, and giving detailed information about their activities. That means it's actually in the interest of the authorities to allow criminals and terrorists to use encrypted services. When workarounds are found, these hitherto secret channels provide greater quantities of high-quality intelligence than would ever be obtained if people knew their communications had backdoors and were therefore not safe.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: encryption, eu, going dark, law enforcement, lawful access
Reader Comments
Subscribe: RSS
View by: Time | Thread
basically, the seed that the US sowed is still being nurtured by other countries. the whole aim is to remove as much freedom and privacy and as many protections as possible (all of them?) from ordinary people, making the whole planet, basically, a complete fascist dictatorship! i dont think there is a single government in a single country that doesn't want to know everything about everyone, everywhere, while still maintaining absolute secrecy and immunity for themselves and their friends! this is what has been fought against in world wars! it is what freedom is supposed to be about! it's what democracy is supposed to be about! what the fuck is happening to the world? the wealthy 'few' have always wanted their way, to be dictators over a world inhabited by none except slaves. they are closer to achieving that now than ever before! when security services do as these 'few' want instead of protecting and serving the masses, prefering to kill them, what hope have we got?
[ link to this | view in chronology ]
As the basic definition of encryption is to prevent other than intended recipients from decrypting messages, enabling law enforcement access to messages is by definition an weakening of encryption.
[ link to this | view in chronology ]
Pining after impossible fantasy solutions is a waste, but still so much better than the security disaster of stupidly trying to ban encryption.
[ link to this | view in chronology ]
Someone needs to tell these idiots that if they can’t install a backdoor in their homes that only “good” people can use, they also can’t do it on phones.
[ link to this | view in chronology ]
"Technical solutions constituting a weakening or directly or indirectly banning of encryption will not be supported."
So... you won't be requiring any kind of backdoor, or mandating that certain encryption providers are used in order to block FOSS solutions? Good to know.
"The recent dismantling of the EncroChat network in a joint investigation coordinated by Eurojust and Europol shows the degree to which those involved in criminal activity utilise all available technology, such as crypto telephones, which go well beyond publicly available end-to-end encrypted services."
So.. since that happened without any need to install backdoors or otherwise change the encryption methods available to the law-abiding general public, the answer is to keep things as they are? Again, good to know.
[ link to this | view in chronology ]
Encryption for dummies:
Hold up a padlock, say "Pretend that this lock is indestructible and unpickable. Only this key will open it. How would you redesign it to allow the police to be able to open it without the key and without making it any weaker?"
[ link to this | view in chronology ]
"For the sake of your protection, we want to remove all of your protection."
[ link to this | view in chronology ]
Anything is easy when you're not the one required to do it
Ah, gotta love the politicians who insist that it's absolutely possible to do the equivalent of, without changing math in any way, make two plus two equal thirty-one thousand, nine-hundred and forty-two if only those mathematicians would nerd harder.
[ link to this | view in chronology ]
Part of the problem is that the two parties (mathematicians and politicians--clueful and clueless, respectively, in the relevant field of knowledge) use different languages. To a politician, "I can't" means "I don't wanna" or "my support would plummet if I did". To a mathematician, "I can't" means "it would go against the whole design of the universe."
Perhaps it would be better to say it this way:
"I have proven that creating a backdoor only the police can use is trivial. However, I need some help from the politicians. My method requires for 2+2 to be equal either 5 or 17. If you can pass a law changing the value of 2+2, we can use that to provide the method you need.
"My associate in the quantum computing research field says he can implement my method, provided only that strange quarks be made lighter than top quarks. This also will require implementing legislation.
"We've gone as far as we can with the tools at our disposal. The ball is in your court. Either option is equally acceptable to us."
(Note to the conscientious lobbyist: a logician will confirm that these statements are all absolutely "true" in the strictest mathematical sense.)
[ link to this | view in chronology ]
Re:
You underestimate the willful stupidity of legislators.
https://en.wikipedia.org/wiki/Indiana_Pi_Bill
[ link to this | view in chronology ]
Re: Re:
"You underestimate the willful stupidity of legislators."
That example shows one crank, nothing like that...
<looks at current crops of US and EU politicians>
...OK, we might be screwed. I'm not sure how future generation will cope with having to use 2+2=5 as the basis of math.
Now I think of it, every year there's some politician falling for (factually correct) health warnings about dihydrogen monoxide or hydroxic acid and tries to have it banned from public consumption and sale...
[ link to this | view in chronology ]
Re: Re: Re:
Judicious banning of DHMO from select politicians would be a (cruel but) efficient way to improve our political situation.
(I might be willing to support any DHMO ban as long as it's applied/enforced on all federal employees, agents/etc for 1 year before the rest of the citizens :p, or '/s' for those who need it to sleep at night)
[ link to this | view in chronology ]
i don't see how this can't conflict with their gdpr.
how about ways to combat child sexual abuse in meatspace, morons?
[ link to this | view in chronology ]
Re:
That would require them to do work, much easier to just dump it all on the tech companies and complain when they don't solve the problem.
[ link to this | view in chronology ]
https://lythamfish.com/
That would expect them to accomplish work, a lot simpler to simply dump everything on the tech organizations and grumble when they don't tackle the issue.
[ link to this | view in chronology ]
curtains and blinds dubai
Founded just a few years ago, we have grown fast to become one of Dubai’s premier curtain making firms. We specialize in making unique blinds and curtains. Our team of designers has worked with a variety of clients all of whom were highly impressed by the bespoke designs and the professionalism of our staff. Our staff work as a team from start to finish, ensuring that we meet your expectations in terms of design and timeliness. Apart from making curtains and blinds, we also provide various soft furnishing services such as sofa, headboard re-upholstery and bedspread supply.
We are an English run business with over 10 years of experience in the textile market. Our team of professionals will make sure that your new blinds or curtains perfectly fit your window and that the design merges perfectly with the surrounding environment.
Our new website has photos and pages describing various types of designs and styles that we specialize in. Feel free to browse and contact us the moment you see something you like. We not only make and install blinds and curtains for residential properties, but also do the same for offices and other work spaces.
to more reviews visit our link :http://curtains-abudhabi.com/
[ link to this | view in chronology ]
Re: curtains and blinds dubai
ironically this is excellent commentary on the EU's position
[ link to this | view in chronology ]