European Information Security Advisory Says Mandating Encryption Backdoors Will Just Make Everything Worse

from the solving-little,-breaking-lots dept

More and more entities involved in government work are coming out in support of encryption. (Unfortunately, many governments are still periodically entertaining backdoor legislation...) While recognizing the limits it places on law enforcement and surveillance agencies, they're not quite willing to sacrifice the security of everyone to make work easier for certain areas of the government.

The European Union for Network and Information Security (ENISA) has just released its report [PDF] on encryption and finds it to be pretty much essential for everyone's security. Any efforts to undermine this harms the public more than it helps them. (h/t Tom's Hardware)

There is a legitimate need to protect communications among individuals and between individuals and public and private organisations. Cryptography provides the electronic equivalent of letter cover, seal or rubber stamp and signature. In the light of terror attacks and organised crime, law enforcement and intelligence services have requested to create means to circumvent these protection measures. While their aims are legitimate, limiting the use of cryptographic tools will create vulnerabilities that can in turn be used by terrorists and criminals, and lower trust in electronic services, which will eventually damage industry and civil society in the EU.

Mandating backdoors will hurt the countries where they're implemented, sending customers in search of secure computer equipment and services elsewhere. Beyond that, there's the fact that all backdoors can be exploited. Thousands or millions of device users could be negatively affected while very few criminals will suffer adverse effects. If a backdoor exists, it can be exploited by either "side," but only the criminal side will be able to protect itself from unwanted intrusion. Because if you're going to break a few laws, why not break one that forbids you from owning or operating devices with non-backdoored encryption?

Or you could just roll your own...

Technology is changing at a very fast pace. It is questionable if solutions such as backdoors will be effective given that criminals can develop their own encryption technologies.

As ENISA points out, it's not just exploitation by criminals that's the problem. It's also exploitation by government agencies, which may use the handy backdoors to collect/intercept far more than they're legally allowed to.

Judicial oversight may not be a perfect solution as different interpretations of the legislation may occur.

One agent's facially-invalid search warrant is the same agent's legally-unassailable judicial order. This is enough of a problem in the US, where multiple federal districts have resulted in contradictory opinions on identical legal arguments. In the European Union, the problem is only exacerbated. Not only are there multiple courts, but also multiple nations, all with their own laws. Sure, there's an attempt to unify guidance on technical/legal issues under the EU, but only so much can be done. Deciding what is or isn't abusive use of government-mandated backdoors is going to be far from consistent. And that, of course, requires a unified European stance on encryption backdoors, which isn't likely to happen either.

Ultimately, ENISA concludes that tech advancements do pose legitimate challenges to law enforcement/national security efforts, but backdoors are no way to solve the problem. But the solution it does suggest isn't much better. Here in the US, courts routinely defer to Congress when the remedy sought isn't within their power. Over in the EU, ENISA suggests legislative measures are the wrong approach.

Other procedural approaches should be explored that focus on the power of the judicial process to find solutions.

Unfortunately, ENISA does not drop any hints about how EU courts might be able to address government agencies' complaints about encryption. This suggests some sort of All Writs Ordering might be the way around being locked out of devices and computers -- blanket court orders that compel assistance from service providers and manufacturers under the threat of whatever the court can come up with. While this would cause less damage to security than mandated backdoors, a court-ordered backdoor is still a backdoor, and judicial oversight wouldn't be enough to prevent government abuse of these "one time only," purposefully-induced security holes.

Filed Under: backdoors, encryption, enisa, eu, europe, security

EU Report: The 'Right To Be Forgotten' Is Technically Impossible... So Let's Do It Anyway

from the just-forget-it dept

Every few months, it seems, we hear about yet another attempt in Europe to implement the absolutely ridiculous idea of the "right to be forgotten." We wrote about it in 2010, 2011 and again earlier this year. It's a silly idea for a variety of reasons. The general idea is that someone, say, who has committed a crime, but is then rehabilitated / served his time / whatever, deserves a "fresh start" and the stories of the crime and punishment should be erased from publications. Europeans who support this wacky idea argue that it's a form of a privacy right. But that's ridiculous. It has nothing to do with "privacy" at all, as the fact that someone committed and convicted of a crime is a public fact, not private info. Telling people (and publishers) that they can't talk about factual information, or even leave available factual stories written at the time just seems completely offensive to anyone who believes in the basic idea of free speech.

And, of course, there's an even bigger problem. The whole idea isn't just silly and complex, but it's totally impossible. And it's not just me saying that. As Stewart Baker points out, the European Network and Information Security Agency (ENISA) has put out a report making the basic impossibility of a "right to be forgotten" quite clear:

Consider Alice viewing Bob’s personal information on a computer screen, while she is allowed to do so (i.e., before Bob has invoked his right to be forgotten). Alice can take a picture of the screen using a camera, take notes or memorize the information. It is technically impossible to prevent Alice from doing so, or even to recognize that she has obtained a copy of Bob’s personal data.

They seem to make that clear just by the image they chose to put on the cover of the report: That said... given the very admission that this is impossible, you'd think the recommendation would be (perhaps) to find something a little more productive to work on. But, no, that would be wishful thinking. Instead, despite the admission that the whole endeavor is doomed to be a failure for the simple fact that it's impossible, they still discuss ways that it might be implemented. And their ideas? Well, to double down on the impossible with crazy regulations. Take for example, the following two "recommendations" in the final section, one right after the other:

• For any reasonable interpretation of the right to be forgotten, a purely technical and comprehensive solution to enforce the right in the open Internet is generally impossible.
• A possible pragmatic approach to assist with the enforcement of the right to be forgotten is to require search engine operators and sharing services within the EU to filter references to forgotten information stored inside and outside the EU region.

Got that? So it's impossible, but let's regulate the hell out of search engines and tell them what they can't link to. Perhaps if they'd stopped after the point at which they determined it was "impossible" we'd all have been better off.

Filed Under: enisa, europe, free speech, impossible, privacy, public information, reporting, right to be forgotten