Governments appear determined to end online banking and shopping. I find that strange; but, oh well...
Look who's joined the anti-encryption posse: Germany, come on down
Germany has joined an increasing number of countries looking to introduce anti-encryption laws. Speaking on Wednesday, German interior minister Thomas de Maizière said the government was preparing a new law that would give the authorities the right to decipher and read private encrypted messages, specifically citing encrypted …
COMMENTS
-
-
Friday 16th June 2017 06:10 GMT Voland's right hand
Do not think so.
If it is "via access to device" that is only on individual subjects and most likely authorized by court order or an equivalent procedure as required by the local legal intercept laws. This is not breaking encryption in general and mass surveillance. So it does not do anything to Internet banking, etc.
It is what it is: mandate phone vendors to support legal intercept. It also makes technical sense - the phones now are so smart that they are a component of the network in itself. If implemented correctly it can be locked down so it can be accessed only via the carrier device provisioning system.
It is also fairly easy to circumvent - just get a foreign phone and enjoy the abolishment of roaming fees in the EU.
-
Friday 16th June 2017 07:06 GMT Baldrickk
accessed only via the carrier device provisioning system.
Yeah sure. This is no better than adding remote access to my device - that I have no control over.
What happens if there is a flaw in whatever method they use to implement this? What if someone gets into the carrier's system and gets access to the key/s? What about a rogue technician in the carrier? Suddenly everyone's device is wide open.
No no no no no. None of this is good.
They want / need access to my device? fine. They can get a court order, and come take it. I'll even unlock it for them, I have nothing to hide. But to force remote access tools onto user devices that can't be controlled by the user? No.
-
-
Friday 16th June 2017 10:16 GMT Dazed and Confused
Re: accessed only via the carrier device provisioning system.
> What happens if when there is a flaw in whatever method they use to implement this?
You mean when the civil servant leaves the documentation, including the keys, on the train or when the minister is photographed walking into an office holding a piece of paper with all the details on it?
No things like that never happen, never not even once.
-
-
-
Friday 16th June 2017 10:15 GMT Loyal Commenter
> If it is "via access to device" that is only on individual subjects and most likely authorized by court order or an equivalent procedure as required by the local legal intercept laws. This is not breaking encryption in general and mass surveillance. So it does not do anything to Internet banking, etc.
In practice, law enforcement agencies won't know what devices a 'terrorist' is using until after the fact, so what they must want, in order to be able to do this, is to install this software on all phones, and then have a court order to use it (or to use the evidence gathered by it). There are myriad technical and practical reasons why this is fundamentally insecure, not least of which is the fact that if there is a 'master' key that allows access to unencrypted data, the most efficient way to obtain that key is not by hacking, but by repeated application of a short length of rubber hose to the right person until the key is obtained. In other words, there is always a weakest link, and criminals tend to have a much lower threshold of what is considered acceptable in order to break that link.
-
-
Friday 16th June 2017 11:31 GMT Nattrash
Sorry to point the finger at your click-bait headlining, Kieren, but maybe you shouldn't rely so much on Google Translate...
After reading some material of your German cousins (heise.de) and some respected German news sources (Frankfurter Allgemeine Zeitung, Süddeutsche Zeitung, dpa), it turns out you didn't get your facts straight. On top of that you made it all a bit more juicy. Just like Mr. Spock said: “I didn't lie, I implied.”
https://www.heise.de/newsticker/meldung/May-und-Macron-wollen-Zugang-zu-verschluesselter-Kommunikation-3743918.html
https://www.heise.de/newsticker/meldung/Innenminister-wollen-Messenger-wie-WhatsApp-ueberwachen-3743669.html
https://www.swr.de/swraktuell/ausdehnung-der-ueberwachungsstrategie-wenn-ermittler-bei-whatsapp-co/-/id=396/did=18724184/nid=396/1nsqi22/index.html
http://www.sueddeutsche.de/news/politik/innere-sicherheit-mit-musterpolizeigesetz-gegen-terror-und-kriminalitaet-dpa.urn-newsml-dpa-com-20090101-170614-99-849430
http://www.faz.net/aktuell/politik/inland/innenminister-de-maiziere-will-zugang-zu-whatsapp-nachrichten-15055364.html
According to these, Thomas de Maizière never spoke of making encryption illegal, breaking encryption, backdoors, or something similar. In addition, it's also probably stretching it, to suggest that the UK, France, and Germany now stand side-by-side, acting similarly.
No, according to the local language sources I read, de Maizière, during a local meeting, spoke at a gathering of Ministers of the Interior of the German Bundesländer (states with their own full government, budgets, elections, and independence, which make up the Federal Republic of Germany – https://en.wikipedia.org/wiki/States_of_Germany). Here, he stated that in order to fight heavy crime, security services should have access to all communication, including encrypted services like WhatsApp and Telegram. This statement is another statement in an already old issue, which involves the legality, and potential legislation of the "digital/online search (warrant)" (TKÜ - Telekommunikationsüberwachung).
That's all. Nothing about making encryption illegal. Or banning the use of encryption. Actually, de Maizière is reported to have said:
„Wir wollen, dass Messenger-Dienste eine Ende-zu-Ende-Verschlüsselung haben, damit die Kommunikation unbescholtener Bürger ungestört und sicher ist.“ (FAZ)
which translates as “We want that messenger services have an end-to-end encryption, ensuring that the communication of respectable citizens is undisturbed and secure.”
Also, as reported by ElReg:
"Speaking on Wednesday, German interior minister Thomas de Maizière said the government was preparing a new law that would give the authorities the right to decipher and read private encrypted messages, specifically citing encrypted messaging apps such as WhatsApp and Signal."
seems a rather rubbish quote.
First, the Germans are not putting their money on breaking encryption, making it illegal, or forcing backdoors.
"software to read along with a suspect's ongoing communication on a device before it is encrypted. Both instruments are soon to be regulated in the Code of Criminal Procedure. - FAZ"
Actually, as they have done before, they are talking about the approach where they can introduce software on the device of a suspect, which will give insight before encryption happens. From this one can also read that this does not imply a mass surveillance approach (US, UK), but a targeted one, most likely after the issuing of a search warrant.
I'm sorry I have to point this out. Your piece stuck out like a sore thumb, especially since I have worked here for a while and by now am familiar with the pretty strict, generally cherished, and completely different from the UK, Datenschutzgesetz (https://en.wikipedia.org/wiki/Bundesdatenschutzgesetz). I suppose that those fundamental legal and social differences make the number of CCTV cameras between the UK and Germany so illustrative, and the discussion about blurred properties on Google Streetview so interesting...
-
Friday 16th June 2017 12:29 GMT Anonymous Coward
Japan has just passed a 5-eyes law
from slashdot
"someone in Japan can now catch a terrorism-related charge for even planning or discussing on social media the acts of: Copying music; Conducting sit-ins to protest against the construction of apartment buildings; Using forged stamps; Competing in a motor boat race without a license; Mushroom picking in conservation forests; Avoiding paying consumption tax. " (lots more random stuff)
potentially as the profits might be used to fund terrrr
-
-
Thursday 15th June 2017 19:08 GMT Snowy
Hahahahah
> Force the companies providing the encryption to introduce backdoors.
A backdoor in encryption is an open door making encryption less than worthless. Look at how NSA failed to keep their tools locked up.
Mandating encryption backdoors is like making all knives sold (including cutlery and letter openers) to be sold blunt with a large ball welded on the end, with a large fine or jail time for anyone who sharpens or removes the ball.
-
Thursday 15th June 2017 19:09 GMT Anonymous Coward
1 Force the companies providing the encryption to introduce backdoors.
2 Focus huge computing resources on a specific set of encrypted messages in order to crack the encryption.
3 Force the operating system and mobile phone companies to come up with a way to grant third-party access to someone's device so they can pose as the user and bypass encryption.
Well, the cheapest one for governments is option 3, and that's the closest to the system used for telephone networks. They'll go with that.
Enforcement against OTT services based outside jurisdiction is harder, but it's easy to go after the advertisers and assets.
And if we're to pick up ideas from the USA, extra-territoriality of law isn't such a big problem. The Americans seem to have no problem with the concept...
-
Friday 16th June 2017 02:36 GMT Mark 65
It is clear from the German interior minister's comments that it is focusing on the third, most pragmatic solution: gaining access to someone's phone or other device.
It is also clear that such behaviour will rapidly lead to wide availability of a Qubes style OS for smartphones in order to prevent said pricks from installing shit on everyone's phone because, as we all know, they just simply cannot help themselves when it comes to mass rather than targeted surveillance.
-
Tuesday 20th June 2017 21:07 GMT Anonymous Coward
When you finally wake up it's going to be too late!!!
Today's "government-approved" encryption systems were designed to allow for the efficient collection and brute-force cryptanalysis. The security paradigm was DESIGNED to be a big back door.
Consider this:
1. Most commercial encryption today is standards based and "government-approved". Today, knowledge is power. You really think that those in the intelligence services would allow a major strategic advantage to disappear just like that? You're a greater idiot than you thought. There's no better way to get intelligence than to make someone believe that they are safe. That's how one creates a killing field. Mass processing.
2. Security in the cloud - good joke - this is just the solution to ensure that your data is easily accessible - collecting vast amounts of data requires storage. Why not get the masses to pay for the privilege of storing their own easily accessible data - kill two birds with one stone.
3. All commercial encryption systems have a natural back door - it's called the equivocation depletion problem. It's how Turing knew that he could break Enigma, just today we have far more powerful processing systems. That's why keys are kept a fixed length. Despite equivocation being defined by Shannon, all academic cryptanalysts avoid it like the plague - it shows that their security solutions have no security - no equivocation. Today's commercially available crypto solutions have no scientific basis for their security. It's mathematical bullshit. As mentioned, the techniques used by Turing to break Enigma are equally applicable to AES-256 or whatever cipher you use.
4. Our random number generators are pseudo-random, therefore our encryption is pseudo-secure.
5. Then there's the blatant joke of security being based on assumptions of mathematical complexity!! We shower the inventors with accolades - despite the solutions having no scientific merit. It's an assumption of security - goes against basic logic, one must assume insecurity until security is established scientifically.
6. Standards are there not to ensure security, but to allow for cryptographic "killing fields" to be created. They ensure that the cryptographic solutions have fixed dimensions. Fixed keys, fixed operations, fixed code pages, fixed message preambles - get the picture?
7. More mathematical bullshit about how factoring prime products will take millions of years - Can we be so sure that a rapid solution wasn't invented before asymmetric encryption appeared? Note that more than 9 rapid solutions for factoring primes existed even before the concept became public.
8. Ever wonder why no security company guarantees the security of their encryption algorithms? It's because they know that they are crap. They do not even satisfy Shannon's requirements for practical secrecy systems - the worst kind.
9. Despite the one-time pad being absolutely secure, scientifically secure - are we to believe that no-one in almost 100 years has fixed its issues so that it can be practically implemented in a digital framework?
Someone has gone to considerable lengths to bullshit the general public, because today's encryption systems do not even satisfy basic security - it's merely safety. We're being electronically enslaved, and we don't even know it, for without our privacy, we are merely slaves. And now A.I. promises to be our saviour - yeah, right.
As for current security breaches, it's amazing how the implementations get blamed. And now no-one wants our insecure security systems to be fixed - there's massive revenue generation cash cows out there. Now, even the software companies create their own back doors - hey, blame the implementation.
Even perfect implementations are insecure.
Here's the good news... equivocation augmentation has been invented and is patent pending internationally at the moment - practical scientifically verifiable encryption is here. It is provably secure against any future machine brute-force attack, has no back doors, and is the first encryption algorithm to break the "equivocation-barrier". A whole entire field of cryptographic security research - has just opened up.
It will be used to protect humanity.
-
-
Thursday 15th June 2017 22:59 GMT Daggerchild
The Irony Curtain
Do you know what Putin could do now to *really* *REALLY* piss off the West? Go straight!
The crown of Freedom and Justice is rolling around the floor right now as Trump stuffs his face in the trough and May shrieks from behind her barred door.
If I remember my history lessons correctly, proper law and order was only established after the elites started getting annoyed at the murders/corruption etc mucking up their neat empires, and began forcing it down from on high.
Putin could do that if he wanted to, he has the power and the personality. To steal the West's glorious name, their reputation - that would be so horribly fitting right now.
-
-
Thursday 15th June 2017 19:14 GMT Bloodbeastterror
"The privacy of a terrorist...
...can never be more important than public safety"
A cack premise.
"The privacy of a terrorist can never be more important than the privacy of the entire populace" is the correct comparison. Or vice-versa.
Stupid soundbite-led politicians. Unfortunately followed by stupid soundbite-led voters.
-
Thursday 15th June 2017 19:15 GMT Duncan Macdonald
Offline encryption ?
If you encrypt/decrypt the messages on an offline system with no internet connection and use a good encryption package (eg OpenPGP) then there is NO way that the messages can be decrypted in real time. (The only decryption that can be done depends on forcing the key from the recipient - for example by torture.)
-
Friday 16th June 2017 03:57 GMT Yet Another Anonymous coward
Re: Offline encryption ?
But as an effective means of communication that is up there with using a one time pad and leaving messages under stones in the park for George Smiley.
If you have a regular commercial phone or computer that is ever connected to the internet or GSM it could be logging any key you enter and sending it to the MMB
-
-
Friday 16th June 2017 11:38 GMT DropBear
Re: Offline encryption ?
The point is that it wouldn't be too hard to syphon off still encrypted content to a separate device (can be a smartwatch, PDA or even a small DIY gadget) that handles decryption / encryption, that would be presumed free of tampering by The Powers That Be. You couldn't "backdoor" that...
-
-
Tuesday 20th June 2017 21:12 GMT Helder
Re: Offline encryption ?
Please don't equate OpenPGP to security - it's safety, merely pseudo-security. Show me the scientific proof, not the assumptions of mathematical complexity and I'll believe you. It can be broken using the same techniques Alan Turing used in 1945. It does not even satisfy Shannon's basic requirements for practical secrecy. It's about 3 seconds of computing time. The NSA spends 2 Billion USD per year on computer chips alone. I wonder why. We need something better, something secure.
-
-
Thursday 15th June 2017 19:32 GMT Nolveys
BS
Any terrorist with even a modicum of competence could figure out how to communicate in a cryptographically secure way. A one-time pad, a pencil, a piece of paper and a grade-four education would be enough. Adding voyeur software to phones and breaking secure software isn't going to help catch terrorists.
The Five Eyes Neo-Stasi are pushing for this anti-encryption nonsense so they can spy on law abiding citizens, not to catch terrorists. Theresa Hymenolepis May is proof of this, if she actually gave a shit about terrorism then she wouldn't have made cuts to the one group that can actually do something against terrorism, the police.
I'm beginning to wonder if any politicians actually want to stop or even reduce terrorism. Terrorism has proven itself time and time again to provide our wonderful rulers with carte blanche to do pretty much anything they want. A few dozen people getting blown to pieces in exchange for a golden ticket is pretty cheap, yes? Especially since it isn't directly attributable to the politicians, it's not like starting a farce of a war or burning billions on blatantly idiotic projects.
The notion that any of these policies have anything to do with the public good is laughable.
-
Thursday 15th June 2017 21:26 GMT John Smith 19
"Any terrorist with even a modicum of competence could figure"
Again, what makes you think this really has anything to do with terrorism?
<gollum>
We wants it.
We musts have it.
The preciousssss.
</gollum>
Sounds like a mania to covet something beyond any rational need?
That's a data fetishist. *
*Icon not meant to disparage any other types of fetishists, who are generally quite nice people and don't want to spy on everybody else 24/7/365.
-
-
Thursday 15th June 2017 22:54 GMT Tom 38
Re: BS
> Any terrorist with even a modicum of competence
Well that's the thing isn't it. Read the trials of the people caught preparing an attack; these are not competent people. I remember one trial where they were using a single letter substitution cipher for "encryption"! Look at the aftermath of the ones they didn't catch; competent people.
Counter terrorism relies on that most people who are disposed to terrorism are not usually particularly sound. The rest is just security theatre.
Encryption backdoors won't stop competent terrorists, just the incompetent ones, and we're already stopping them.
-
Friday 16th June 2017 07:38 GMT Spud
Re: BS
I'm still of the belief that the powers on high seem to think that the computers will be able to catch all the terrorists so they can reduce the number of real people doing real work. Of course once the cat's out the bag that you can be watched via your phone, you'll suddenly notice sales of beer and ice cream go up while people go into the real world and talk face to face like in the old days. Only there'll be nobody to watch them.
The more you tighten your grip ... the more things will slip through your fingers.
-
Friday 16th June 2017 12:25 GMT DropBear
Re: BS
"I remember one trial where they were using a single letter substitution cipher for "encryption"!"
Gee, I don't know - a scheme where you substitute every single letter with the same single letter sounds pretty hard to crack (or decrypt). I'd say it's pretty widely used too - for instance, every password I've ever seen is encrypted like this - converted to the single symbol * right as you type it...
-
-
Friday 16th June 2017 08:47 GMT Tim 11
Re: "Any terrorist with even a modicum of competence"
Yes this is exactly the point.
There are arguments for and against enforcing backdoors for use in extreme circumstances, just like there are for other government security powers, but with encryption it's too late to do it because the horse has already bolted - strong encryption has been invented and is in the public domain. Any debate about banning encryption is pointless because criminals already have it and we can never take it away from them.
-
-
Thursday 15th June 2017 20:01 GMT Paul Crawford
Short memories
Funny that Germany should come down in this way, given the still living memories of the Stasi and their love of spying on everyone. Maybe this is just election talk? Sadly there are enough stupid people around to buy the politicians' bullshit.
As many have pointed out it is only the dumb ones, and the mass majority of innocent public, who will be caught as so many options exist. It also remains to be seen how far Google & Apple are willing to bend over to support device compromise. Admittedly though so many Android devices are vulnerable anyway that installing backdoors should be simple enough without help from the USA end of things.
-
Thursday 15th June 2017 22:11 GMT Anonymous Coward
Re: Short memories
You are seriously deluded if you think this gets anywhere near as bad as the STASI were. Read your history.
In fact the reason for this kind of thing is precisely to avoid using the techniques of coercion, torture, secret detention and blackmail so beloved by the STASI. It is to give normal policing a chance of actually tracking down paedophiles, people who convince young men to become terrorists, drugs dealers, financial fraudsters, etc, before they cause too much harm to others, or at least make it considerably harder for them to carry out their acts unidentified or undetected.
People such as this make good use of the near guaranteed anonymity and privacy and convenient services offered by the likes of Facebook, Apple, Google, etc. Just because such people haven't come knocking on your door doesn't mean they don't exist.
-
Thursday 15th June 2017 22:29 GMT John Smith 19
"is precisely to avoid using the techniques of coercion, torture, secret detention "
You're not really getting this "freedom and privacy" idea are you?
A "nice" police state, where everything you say and do can be monitored at will 24/7/365 is still a police state.
It's a difference in methods, not in the philosophy that the individual is nothing and the state is everything, and must be protected (at all costs) from these dangerous (what's the word? Terrorists? Criminals?) citizens.
-
Thursday 15th June 2017 23:06 GMT Anonymous Coward
Re: "is precisely to avoid using the techniques of coercion, torture, secret detention "
> You're not really getting this "freedom and privacy" idea are you?
You're not really getting this crime and policing thing, are you? Ever heard of policing by consent?
And you don't seem to realise that in a democracy the state is the people. If you don't like what a democracy is doing, either change it or put up with it. The reason why ideas like strong policing persist in democracies is because politicians found out a long time ago what happens to their jobs when the crime statistics go up dramatically during their term, or if they fail to respond to new trends in criminality.
So whilst there's headlines like "Google, the Terrorist's Friend" in the papers you'll have a very hard job persuading a majority of MPs that something like this new development shouldn't happen.
-
Friday 16th June 2017 08:39 GMT John Smith 19
"Ever heard of policing by consent?"
There is no consent in a police state.
The "consent" is the one you provided by being born there.
"The reason why ideas like strong policing persist in democracies is because politicians.. "
Are not "leaders" but being led by opinion polls, which may well be manipulated to give them the answer they want.
I'm aware of the justification that all authoritarian politicians have. Tony Blair trotted it out. Roughly "People will complain if we have not been repressive enough."
But "terrorism" in the UK has killed 36 extra people in 12 years, equal to slightly over 4 hours of deaths due to smoking related deaths in NHS hospitals.
Incidentally you don't seem to get the irony you're posting as AC when such legislation would strip you of the privilege of anonymity. Why is that? Would a check of your other posts expose something about you that you would not like others to know? Perhaps your "unconventional" views on other subjects?
This is the secret terror of all authoritarians.
"Someone" could (not are, just could) be saying something I wouldn't like (not doing something, saying it) and I wouldn't know about it. I must know everything about everybody.
Does that not sound quite infantile to you? That's 3 "I"s in 2 short sentences. Can you not see this is not about "the greater good" but personal insecurity?
-
Friday 16th June 2017 11:00 GMT Marcus Fil
Re: "is precisely to avoid using the techniques of coercion, torture, secret detention "
I do so, so wish politicians were forced to read "The Lost Honour of Katharina Blum" before being allowed anywhere near the terrorist issue. Outlaw everything and we all become outlaws - and once we are all outlaws we might as well be hanged for a sheep as a lamb. Government by tabloid is not the way to go.
-
-
Friday 16th June 2017 10:26 GMT Loyal Commenter
Re: Short memories
> You are seriously deluded if you think this gets anywhere near as bad as the STASI were. Read your history.
Unlike you (I suspect), I have actually been to the museum in Berlin built in the headquarters of the Stasi, and seen the equipment they used en masse for steaming open envelopes and reading the contents. If you are unable to see the parallel, I can draw you a picture.
It was very enlightening, you should go.
-
-