EU Plans To Weaken Encrypted Communications Despite Countless Warnings It Can't Be Done Safely
from the even-with-the-necessary-hashtags dept
Last week, the UK’s Home Secretary Amber Rudd said that WhatsApp risked becoming a “place for terrorists to hide.” Then, like many others that have used this tired old trope, she went on to call for the development of some magic unicorn key to unlock all encrypted communications, one that was somehow available only to those on the side of truth, beauty, law and order, and not to the other lot. In doing so, her cluelessness was particularly evident, as her invocation of the “necessary hashtags” emphasized, but she’s not alone in that. Despite the chorus of experts pointing out for the thousandth time why it’s not possible, the EU Justice Commissioner has just said that the EU must have magic unicorn keys, too. As EurActiv reports:
The European Commission will propose new measures in June to make it easier for police to access data on internet messaging apps like WhatsApp, EU Justice Commissioner Věra Jourová said yesterday (28 March), heeding calls from national interior ministers.
Jourová said she will announce “three or four options” including binding legislation and voluntary agreements with companies to allow law enforcement authorities to demand information from internet messaging apps “with a swift, reliable response”.
…
Jourová said the measures would make it easier for law enforcement authorities to request and access data from online services that are registered outside their jurisdictions.
Jourová went on to complain that law enforcement authorities are currently dependent on service providers to provide voluntary access to encrypted communications. But as Techdirt pointed out recently, that’s just not true: there are a number of encryption workarounds available. You might expect politicians to be at sea when it comes to complex digital technologies, but you would hope that their expert advisors would fully understand things. And yet here is what Gilles de Kerchove, the EU’s anti-terrorism coordinator, told EurActiv:
the question is, can you open a backdoor for Europol [the EU’s law enforcement agency] only, or would that at the same time create a vulnerability and open a backdoor for the Russian mafia or third party state spies?
Hey, Gilles, let a dozen of the world’s top security and crypto experts save you time and effort by giving you the answer to that crucial question: “No, you can’t.” Got it? Can we please move on now?
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: backdoors, encryption, eu, going dark, vera jourova
Comments on “EU Plans To Weaken Encrypted Communications Despite Countless Warnings It Can't Be Done Safely”
"a swift, reliable response"
“No” qualifies, yes?
Just Say, "No"
“…there are a number of encryption workarounds available.”
Those “workarounds” all rely on the user’s stupidity, ignorance, incompetence, or submission to coercion. There is no current workaround for properly implemented, strong encryption and a steadfast refusal to yield the key.
As for safe backdoors, they exist only in the febrile imaginations of the math-challenged.
Re: Just Say, "No"
“workaround” You keep using that word. I do not think it means what you think it means.
What do you have against magical unicorns?
It most certainly is possible to bake a distributed key set into encryption where it requires the concerted action of several separate key owners to unlock a message without the specific key used for encrypting it.
And you most certainly can keep those keys in the hands of a selected few people, for access in an emergency.
But that’s useless for law enforcement. Law enforcement wants a process useful for mass invocation (via warrant or even on bulk communication). There is no way to make an online process for master key based decryption, distributed or not, safe from eventual compromise.
Either it is reserved for emergency use (with some probability that it will stay uncompromised at least until it has been used a few times), or it is intended to be used routinely in which case the probability of timely compromise is 100%.
If one redefines “emergency” as “routine”, any master key scheme is bound to fail. And “emergency” is so convenient to wave around that it is done all the time.
Re: What do you have against magical unicorns?
Don’t forget that government defines unreadable communications amongst it citizens as an emergency..
Re: What do you have against magical unicorns?
You seem to be overlooking one big issue a lot of people miss. That is the fact that once you pass a law about having this “super secret key, or key set”, you have created a holy grail for hackers.
You really think that will stay secure? If so you really don’t understand how much effort will go into getting those keys. It will quite literally be EVERY BLACKHAT hacker in the world racing to get those keys. (not to mention all the security researchers trying to work it out)
So your basically saying that you think you can make a master key to all locks, wave it in the face of every criminal in the world and then lock it up somewhere they can’t get it.
I’m sorry, but any time you have a system like that vs the entire worlds hacker community. I am betting on the hackers.
Re: Re: What do you have against magical unicorns?
Hackers nothing. The moment that there’s a master key to unlock all encryption in a country, the #1 priority of the spies of every other country will be stealing that key. Not only will they be hacking, they’ll be bribing and blackmailing to get it.
Re: Re: Re: What do you have against magical unicorns?
Point is you have created something every bad actor in the world wants and they will do anything necessary to get it. It would not even take a state level attacker to get into bribing, blackmailing, kidnapping or even “enhanced interrogation techniques”. Not like the cartels really shy away from any of that.
Re: What do you have against magical unicorns?
The "via warrant" option doesn’t apply as a rationale for a backdoor. If law enforcement wants a process useful for a limtied number of specific cases, they already have it (judicially authorized planting of hardware or software bugs). The only reason to want a backdoor is to routinely snoop on bulk communication.
Re: What do you have against magical unicorns?
It would be like video game DRM. Every new unbreakable system is hacked with hours of release.
Re: Re: A garden hose vs a tsunami
Worse actually, so much worse.
As I understand it with game DRM the people looking to crack it are generally doing it for the prestige, being able to brag about how quickly they cracked the new ‘awesome DRM protections’. With a unicorn gate everyone is going to be looking to crack it, from criminal groups up to and including government agencies from other countries, as doing so would give them access to everything it ‘protected’, and if you’ve got some idiots in government that want ‘no safe spaces’ for anyone not them, then that’s pretty much everything.
With that kind of opposition any unicorn gate system would be compromised in a matter of days I’d guess, a week at the most. The leprechaun key would be just too valuable to protect.
Re: Re: Re: A garden hose vs a tsunami
See, that’s what I find fascinating with Americans. They think government agencies from other countries trying to crack U.S. citizens’ communications are criminals.
You’d think that U.S. government agencies should be prime candidates for being held to U.S. laws. I mean, they are even paid for it and swear oaths to do so.
and when it all goes tits up, the ones that get the blame will be the companies that this and the rest of the fucking idiots are forcing to do their bidding! on top of that, when any ordinary person loses their bank accounts or any other personal details, information, data or financial amounts, it will be their fault and again, nothing to do with those forcing these stupid changes! when will the ‘do gooders’ learn that if they can access something, so can all the naughty boys as well??
Re: Re:
If the government accepted that they were responsible, guess who get to pay to repair the damage, thats right the very taxpayers that got hurt.
Well even with backdoors some people might just add their own layer of ‘cipher’… so *obviously* we just need to invent a human brain reader… since those things have not been shown to be HSMs/TRSMs, so whatever info is probably still there. This would be so much simpler than this “fairy tail magic” that some people keep begging for.
Would that be the same commission that insists on keeping pretty much all information on ongoing negotiations secret even from governments and elected politicians? On the grounds that some private space is needed because it is impossible to conduct your business everything is known to everybody?
And do the same security agencies that keep reminding us of the dangers of Putin siphoning off any information he can get his hands on to manipulate us really insist on making it easier for Putin & co to spy on us?
I would hop[e I have the right to be remembered, as well as forgotten.
How much you want to bet there will be exemptions in the law for politicians and enterprise level encryption for corporations.
The problem is whether or not they know it is bullshit, they keep peddling it, so they can keep pushing the envelope. Eventually the envelope is big enough and in the right place that they get what they want.
Re: Re:
Considering this last terrorist was a lone wolf and wasn’t chatting to other terrorists in any message app, that’s exactly what they are doing. Some people get killed, and there goes some more of everyone’s rights. Unless there’s something you care about and by then it’s to late.
The simple fact is, Encryption is just math. Any terrorist group can get open source software and create their own way to communicate. Even though there’s also simple ways to communicate that will also be secret.
The only people you really hurt with these B.S. laws are the 99% normal population users. Those are the only ones screwed in the end. Cracking and reading some text after the fact stops nothing. What does that get you? So that means you would have to be decripting on the fly non-stop on everyone and everything looking for Terrorists key words. That in the end is what they want.
Re: Re: Re:
Really fun part is they keep doing this they might just push the terrorist to truly unbreakable encryption. The good old “one time pad” when done properly cannot be broken and it doesn’t even require all the fancy math or anything, just some time and some dice would do just fine.
It’s not about answering the question. The problem is, they’re looking for a specific response. They’re just going to keep asking until someone gives them the answer they’re looking for.
I can’t help but notice that when articles like this pop up, the typical pro-gov, pro-regulation regulars are as quiet as a mouse. If the Government is here to help us, why not give them a key? Can’t we trust them? We trust them to protect our food, drugs, borders, privacy, why not our data? Why draw the line here?
Re: Re:
Well, the government has already shown it’s horrible at keeping secrets. The one master key setup they did get put in place has already leaked.
What’s worse, since the government doesn’t pay the penalty for the leak, the government doesn’t care.
Food safety, transportation safety, and assorted other regulations are not about security or keeping secrets. In fact, they work better when everything is out in public view.
The safety regulations are all about setting minimum standards and then ensuring that those standards are met.
Re: Re: Re:
Sounds to me like your saying we can’t trust our Government with anything regarding security or secrets. That seems counter to all the arguments I’m seeing regarding privacy protections in the other stories this week.
If the Government is horrible at keeping secrets, why in the world would we put them in charge of our privacy?
Re: Re: Re: Re:
What are you, a moron? The old privacy regs DIDN’T put the government IN CHARGE of privacy, it simply mandated that companies not violate our privacy without our informed consent. Said privacy was still handled by the companies, only kept PRIVATE unless we gave them permission to do something with the data.
Re: Re: Re:2 Re:
Perhaps “in charge” is a bit strong of a word. But I can’t help but think of how many people didn’t concern themselves with privacy because of these regulations. Perfect example is how many new subscribers are flocking to VPN’s right now. Trump is to the VPN industry what Obama was to the gun industry. Ironic in a way.
” it simply mandated that companies not violate our privacy without our informed consent”
No it did not, I suggest you educate yourself “moron”. It mandated that ISP’s not share specific data without our consent. Google, Facebook, and other non-ISP companies had an exception carved out. Even these rules, which were never actually implemented, were not going to protect you from everything.
Using basic tools were expected to have just as good a chance of protecting you as these “rules”. These tools also have the added benifit in making it more difficult for the Government to snoop.
“For the changes that have been made today, those tools are going to be effective, because the uses that the ISPs are likely to be interested are, frankly, these tailoring and targeting uses — and so (these tools) for most people are going to be reasonable. They’re not going to promise you absolute privacy, but neither would have the FCC rule. ..”
http://www.npr.org/sections/alltechconsidered/2017/03/28/521813464/as-congress-repeals-internet-privacy-rules-putting-your-options-in-perspective
Re: Re: Re:3 Re:
You’re the moron, moron. You just proved my point trying to refute it. 😛 😀
Re: Re: Re:4 Re:
You have no idea what your talking about do you? You haven’t actually read the regulations your claiming would have “protected your privacy” have you? I suggest you stop commenting until you do, you sound silly.
Re: Re: Re: Re:
Privacy rules aren’t about preventing the leaks or theft of data (irregular events that organizations don’t intentionally cause and don’t want to happen), but about restricting what can be done with data (regular processes that organizations do intentionally cause and do want to happen). So skills a privacy aren’t logically connected to skills at keeping secrets.
It seems we will end up rolling out that pseudo-encryption (with backdoors) and will only learn it’s a terrible idea subsequently banning its implementation ever again when things naturally go wrong and billions are lost to crooks who will eventually find the key.
The evil me keeps saying ‘let them screw it all and make it cost a lot so they will understand the problem’.
A place for terrorists to hide
“WhatsApp is becoming a place for terrorists to hide.”
Try replacing WhatsApp with:
* private homes
* private gatherings
* basements
* motel rooms
* aircraft lavatories
* automobiles
Re: A place for terrorists to hide
Exactly – they want access to all these places. We’ve got smart meters on our house gathering all types of info (its a start).
Re: Re: A place for terrorists to hide
Maybe future smart meters could also keep track of the comings and goings of each residence. For your safety. Think of the children.
Government vs Terrorism
Last week, the UK’s Home Secretary Amber Rudd said that WhatsApp risked becoming a "place for terrorists to hide."
The criminals in government are able to hide in broad daylight thanks to their enablers in the mass media who use lies of omission and outright propaganda that serve to keep the public in a state of ignorance.
Who should the people be more wary of?
"Official" state sanctioned murderers espousing specious fantastical unicorn solutions to problems wholly created by governments that are collectively responsible for the death of over 200 million human beings in the 20th century.
Or
Terrorism, unfortunately there are only very spotty records available that track deaths attributed to terrorism in the 20th century but if we use the most recent data available for the year 2015 (approximately 50,000 worldwide terror deaths) and double it to 100,000 persons killed per year every year and then multiply that by 100 years the terrorist pikers (in comparison to government) were responsible for the death of 10 million human beings.
It is clear the greater danger to humanity is from government.
Highlighted text below was excerpted from the website National Center for Policy Analysis a report titled – Murder by the State by Gerald W. Scully:
At least 170 million people — and perhaps as many as 360 million — have been murdered by their own governments in this century. This is more than four times the 42 million deaths from civil and international war.
http://www.ncpa.org/pdfs/st211.pdf
Highlighted text below was excerpted from a Cornell University peace studies program report titled – Deaths in Wars and Conflicts in the 20th Century by Milton Leitenberg:
“A Beastly Century”: It was a phrase used by Margaret Drabble, a British novelist, in an address to the Royal Society of Literature in London, on December 14, 2000.1 But of course it was no more than a human century. In 1994, the historian Eric Hobsbawm wrote that 187 million people were “killed or allowed to die by human decision” in what he called the “short century”–a period of about 75 years from 1914 to 1991.2 The period chosen by Hobsbawm spanned the beginning of World War I to the dissolution of the Soviet Union and the end of the Soviet occupation of its Eastern European “allies.” Given that Hobsbawm is a Marxist historian, his choice of the category “by human decision” was particularly significant.3
However, the sum that he provided was low by just about 44 million people for the full twentieth century, during which approximately 231 million people died in wars and conflict and, in very large numbers, “by human decision."
http://www.clingendael.nl/sites/default/files/20060800_cdsp_occ_leitenberg.pdf
Link to deaths attributed to terrorism 1970 to 2015:
http://www.datagraver.com/case/worldwide-terrorism-1970-2015
Say it with me: 'You first'
As always when this particular brand of world-class stupid is brought up every single person pushing for it should be faced with an ultimatum:
Either have their own personal data ‘protected’ by the very thing they’re calling for, or shut up and admit that it’s a colossally stupid idea.
If they really think that it’s possible to magic up a unicorn gate and leprechaun key then great, they can put their money(and email, and medical records, and records of who they’ve talked to…) where their mouths are and show the public how safe it is themselves.
They’d never agree to something like this of course, because they’re special people, and as such not just need but deserve special protection, but it would certainly be nice if people they talked to were willing to call them out on their incredibly stupid, insanely dangerous ideas.
mandatory education clearly is too much to ask.
I believe there must be a transitive property of stupidity that needs to come into play. If lawmakers make irrational demands ignoring all experts everywhere. I think the equally unreasonable demand that the lawmakers in question must take and pass a post-grad course on the subject matter that they are attempting to make stupid laws regarding.
Penalties for failing the course should include 6 months of being followed around by someone with a directional sound cannon playing Rick Astleys greatest hits directly at them at all times.
Re: mandatory education clearly is too much to ask.
On the one hand, good ghandi is that brutal. On the other hand, given in this case we’re talking about something that would make everyone less safe and there is no good reason not to know this by now, I can’t help but think that it would be suffering well earned.
Re: mandatory education clearly is too much to ask.
I’d be happier if they had a THIRD GRADE education on the subject!
Planet Earth, a “place for terrorists to hide”.