The EU is often at the forefront of consumer protection when it comes to privacy laws like the GDPR. But now it looks like the Council of the European Union might undermine all of this with a move to cancel secure end-to-end encryption as we know it, the ORF (Austrian Broadcasting Corporation) reports.
The ORF obtained an internal draft in which the Council argues that the motion is meant as a counteract against terrorism, pointing to last week’s Vienna shooting. However, it’s becoming increasingly clear that the terror attack could’ve been prevented without further surveillance powers if it wasn’t for egregious mistakes in the Austrian counterterrorism office. It seems like the attack is used as a pretense to gain public support.
Throwing babies out with the bathwater under nebulous claims of “but terrorism!” isn’t just an American thing. For now, this is just a proposal by one cog in the EU government machine and it’s unlikely to go anywhere (for now!), but wheels are definitely in motion, and just like our friends in the US, we have to remain vigilant for politicians abusing terrorist attacks to erode our rights and freedoms.
That they’d want to flag keywords to waste money instead of just doing good old detective work is pretty nuts.
The chance of them catching a single person, considering how much its been tried on non-encrypted mediums in USA like skype, facebook and basically every social media messaging application has been incredibly low if any.
They’re usually dumb criminals to begin with posting it on public forums or known extremist forums already being tracked, and if there were any big operation, they’d be using their own encryption anyways, which literally bypasses any of this.
Flagging keywords works wonders for censorship though, just as Facebook and Twitter. I’m thinking that supposedly preventing attacks isn’t the real reason for this proposal.
I wonder how this kind of backdoor for end-to-end encryption would work on Matrix? Provided that users have reasonable security practices of course…
AS I understand, the implementation of Element+Synapse (most popular Matrix client and server) is built so that only endpoints have the keys. Even the keys that are backed up at your homeserver, are encrypted by your recovery key (and only you should control it). Its distributed and federated nature adds additional complexity to this as well.
Backdooring the endpoints? Breaking the protocol itself?
Can anyone with detailed knowledge explain this?
(Matrix is in use by one government (France) and two others are evaluating/using it in limited capacity, one is Germany)
As I understand it you can create your own home server, just like email. So in that case even if they change the protocol to store the keys unencrypted (or similar) on the server only you still have the keys (assuming the authorities don’t get access to your machine).
And they are working on making it peer2peer, so users can migrate between servers, basically the account you have isn’t tied to the home server anymore. And could in theory even keep working without a server if you have a transport protocol directly between clients.
For example: you are on the same WiFi networking and you are using multicast DNS to find each other.
Anything to prevent thoughtcrime among the people. Anyone is potentially dangerous, better to follow everyone so we can make sure they practise crimestop themselves. If you oppose you are a terrorist and a pedophile or at least endorsing them.
Slowly as Internet protocols get more mature, providing better security and privacy looks like governments want to prevent it.
Here is an other example, where the IETF is working on better bulk surveillance prevention:
https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/
https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/
Anyone else been around long enough to remember when Debian had a non-US repo that had all the encryption stuff in it? Yup, that used to be a thing…
leech,
I don’t think the US government is inherently less prone to take away privacy rights. We have a history of government interfering with cryptographically effective privacy, particularly in the 90s. However regulating crypto algorithms doesn’t work and I think US politicians only backed down because they became fearful of loosing relevancy in the tech world. If one insists on having regressive policies in place, it’s just going to discourage tech development and summits from happening in your country.
From the article: “There isn’t any language revolving around abolishing end-to-end encryption“. They’re not trying to ban the crypto outright, they’re trying to mandate backdoors in crytpo communications services. Some services may just uproot their EU locations and operate from outside the EU, This way the service can be run securely outside the EU’s legal jurisdiction. But it may be much more difficult to reach EU customers this way especially if they cut off payments. There have been times when the US took a similar approach and cut off the money flow to foreign services they disapprove of.
The non-US repo was because the US government didn’t allow the export of crypto.
So not because the US allowed more.
Lennie,
Well, I know what you are talking about, but it wasn’t just about exports. They were also involved in weakening crypto standards everywhere including domestically. I’m thinking back to the so called crypto wars where governments where pushing backdoors and intentionally limiting the strength of cryptographic standards.
https://en.wikipedia.org/wiki/Crypto_Wars
I’m not sure how much success they’ve had in recent years, but the political agendas are ongoing, even in the US:
I think it’s totally pointless, neither export restrictions nor domestic restrictions work because software transcends geopolitical boundaries and to the extent that laws could be successfully passed it would merely render domestic security products inferior to foreign ones.
https://www.helpnetsecurity.com/2016/02/12/government-mandated-crypto-backdoors-are-pointless-says-report/
Without a government firewall in place to enforce backdoors or weakened crypto, there’s just no way to stop strong crypto for those who seek it out.
Ohh, yeah, I very much remember those days and before that the days of Netscape with less strong cryptography..
Looks like Facebook is behind this.
Something like this would be perfect for nefarious people looking to bypass the app itself. https://appzaza.com/encrypt-text
“But who will think of the children?”
They are using the latest crisis to boost their political agenda. You know FBI actually helped with the case. Not only that they seemed to have received warnings from other countries. So it is not like they lacked information.
https://www.urdupoint.com/en/world/austria-received-important-data-from-fbi-on-v-1077594.html
Plain old police work actually goes a long way. You do not need to infringe on basic human rights and civil liberties.
I do not know a single case that has been solved by breaking encryption. I am sure there would be some, but if it was high profile all these politicians would have advertised that non stop, day and night, all 24 hours.
Not only that they could not stop the terrorist despite having data that warned about the danger, they want to collect even more data that needs to be analysed continously to get any advantage out of it. Also knowing that whatsapp and signal are watched, terrorist organisations would just move on to different services or even a selfrun xmpp server with gpg encryption on top to hide their communication from the authorities. The only ones that would loose something here would be us normal users whose privacy would be rendered breakable by anyone with enough skills or tools…
Couldn’t you make a simple messaging app that uses something like RCS as the communication medium but then uses E2EE on the payload? There would be no “service” or platform that manages anything, strictly endpoints that use all the existing infrastructure on the device.