Europe to push new laws to access encrypted apps data The European Commission will in June push for access to data stored in the cloud by encrypted apps, according to EU Justice Commissioner Věra Jourová. Speaking publicly, and claiming that she has been pushed by politicians across Europe, Jourová said that she will outline "three or four options" that range from voluntary …
Thing is, with rubberhose cryptanalysis, you run the risk of encountering a wimp or a masochist. Wimps are too soft and faint at the mere threat; you can't keep them coherent enough to talk. Meanwhile, masochists get off on pain so just beg for more.
As for threatening family, they could also be estranged or black sheep, meaning they counter, "Never liked them anyway."
This is the European Commission speaking, largely a mouthpiece for the various EU governments. As such the tech companies should call their bluff and force it to a vote on a law (with explanations of how such a back door won't be discovered and abused) to the European Parliament. Many MEPs don't share the same authoritarian streak and it might just get kicked back when the public realise how their own privacy is being screwed over.
You don't seem to understand how the EU works.
The EU is not a democracy; in fact it's deliberately designed to bypass and nullify democracy.
The Commission is the only body that can propose laws, and if it does, the Parliament can do no more than discuss, object, and (slightly) delay.
This is not a Parliament in the normally understood meaning of the word, it's just a bit of window-dressing; what the Commission wants, the Commission gets.
Funny. You describe (modulo the Commission being a different word) the process that happens between our government and parliament, then say it's not a parliament.
Our parliament doesn't propose laws either. It just does what it's told by government. Or it misbehaves and makes it all the easier for Sir Humphrey to play them off against his minister.
what the Commission wants, the Commission gets.
The EU Parliament can stop legislation it does not agree to. The European Council also can. I'm sorry if it does not fit your view of the Big Bad Evil Tyrannical EU, but that's how it's been deliberately designed, in order to not repeat the mistakes of the past. A never-seen-before 60 years of peace seem to indicate it doesn't work so badly.
https://europa.eu/european-union/eu-law/decision-making/procedures_en
they will have to make the transmission and storage of any information in an encrypted format illegal. Thats if they want to make a law without loopholes. but in actuality it will be unworkable and swiss cheese and differently interpreted in all the countries.
so no encrypted chat programs, or email and no whole disk encryption
so more govt laptops with state secrets left on a train or back of a cab.
> they will have to make the transmission and storage of any information in an
> encrypted format illegal
Trouble is, what is encrypted data. I can see a lot of conversation like:
Gov: Why are you sending encrypted data?
Me: WTF? I'm not
Gov: Explain this then...
Me: It's the install keys for a bunch of products on our shared MSDN account
Gov: (eyes glaze over, understood some of those words) Rubbish, it's encrypted, decrypt it
Me: It's not encrypted
(Rinse and repeat)
Of course it would also ban SSL and WPA encryption on wifi. It would be the end of e-commerce, at least on wireless networks.
Was optimistic.
Case in point, everyone over here recently had to upgrade their ccards because the encryption wasn't strong enough.
What happens when lawyers find out that their £1,000,000+ legal case is basically worthless because the opposing lawyers got hold of the case files and email correspondence because someone leaked the key(s)?
That horse has bolted. The worms are out of the can. There is absolutely nothing that any .gov can do to change this. It's not going to stop them trying, though. My advice? Point your collective fingers and laugh at the idiots early and often. Send snail mail to your elected officials. Vote, and explain why you voted the way you did.. Be vocal. Let them know that some spills are far to massive to cover up. It probably won't do any good (politicians are immune to free technical advice; they require money, lots & lots of money), but along the way you'll undoubtedly inform a few more people as to the reality of the situation. Maybe, just maybe, eventually someone in power will see sense ... but I'm not holding my breath.
"There is absolutely nothing that any .gov can do to change this."
Yes, there is. Simply ban the use of any and all encryption that cannot be cracked by the state. Declare it an act of TERRORISM or whatever that means if you're caught, you and anything associated with you are basically ruined forever.
Then you just have to deal with stego, which has its own limitations, especially for improvised messages. mandating media mangling would probably be a good start there.
It wasn't that long ago encryption was considered a munition, but those days are long gone.
This whole thing is a farce. Apps like WhatsApp moved over to encryption *because* of the amount of snooping governments want over their (mostly) law-abiding citizens. You reap what you sow. Don't complain when your poorly thought-out, ill-conceived and utterly ridiculous plans back-fire. And don't make things worse with a knee-jerk, even more poorly thought-out and more ridiculous reaction.
Even if you could change the laws of mathematics and they get their super-safe backdoor into otherwise (practically) unbreakable encryption, what then? I would imagine terrorists and -- worse -- copyright infringers will just use non-crippled encryption, leaving LEAs across the globe spending all their time decrypting peoples' cat pictures and messages about what they had for dinner.
"Declare it an act of TERRORISM or whatever that means if you're caught, you and anything associated with you are basically ruined forever."
In the England that law already exists. For T & P investigations - if you fail to provide a key for your encrypted files then it's 2 years in prison. On release it can be repeated indefinitely if you still don't provide the key.
Which allows the perfect blackmail. Slip a block of pure random data into a user's computer and then tell Scotland Yard the victim is a pedo. No way to prove the block isn't his, absolutely impossible to decrypt (because it was never encrypted to begin with), you tell the news about it, and it's Game Over.
It still requires that the accuser proves that you know the key. If you genuinely don't know the key it would be torture to detain you for something you do not have or have not done.
For example:
(A) you refuse to give them a key >> go to jail, do not pass go, do not collect £200. with this you have let them know you have the key and that you just simply refuse to provide it.
(B) someone plants a random encrypted file on your computer. you do not know the file exists and you do not know the key. The accuser also cannot prove you have the key, you get off but might still get monitored to be sure.
On my computer I have a swap file because certain programs don't like it disabled. So for good measure it is configured to re-key every time I reboot. The key used is simply the input from /dev/urandom or /dev/random so not even I know the key.
IIRC in the book "Worm" by Mark Bowden there's a section where he talks of computer forensics, especially in a case just like this. There are ways to detect if a file has been planted or not.
There's whole lots of other procedures in place that would quickly show that a case like the one you proposed is rubbish and it would be unlikely to ever go beyond the initial investigation. The person who made the accusation, however, could find themselves up on charges quite quickly. Cops are aware that people try to plant files and make allegations, but a false allegation needs a lot more than just planted files to make it stick.
But please, go ahead and try it on someone. See how long it is before you meet your new bestest friend Bubba.
It's worth noting that this is the much maligned commission acting as it often does at the behest of the member states. Speculation about what exactly will be proposed should be avoided but the wonks at the commission will be aware of the impossibility of getting backdoors for true end-to-end encryption. And the ECJ has already ruled in favour of individual's right to privacy. So this sounds like a stick to beat the tech companies with for better cooperation: get those AIs to do something useful like monitoring phones and reporting any "suspicious" activity.
If end-to-end encryption becomes illegal, which I very much doubt, it's hardly likely to stop anyone who is already breaking, or considering to break, the law…
Back-doors into encryption will have no effect on savvy criminals, terrorists and those engaging in espionage. It only opens the door tor state sponsored intrusion into commercial and personal messaging. There is no secret how to ensure secrecy; it just requires a little preparation. Pre-arranged messages in clear have always been preferred if you want to hide your true meaning - "How's your father" could easily mean "attack is go/no-go" or just what is says. One-time pads properly used are uncrackable. In reality is is often not what is said as to whom and when, that is required to track, detain and convict a suspect (yes back to metadata again). Whatsapp and their like are just a convenience for lazy perpetrators. If you are a really serious terrorist a back-door will only be a minor inconvenience.
Exactly, anyone who is legitimately worried that a government may be surveilling them (ie terrorists, political campaigners, spies), already knows that their electronic communication is compromised, and will fall back to the 1950's era techniques that still work (eg dead drops, book codes).
And of course, all the communications surveillance in the world is unlikely to catch the lone nutters like Breivik or Masood.
Oh, sort of like the messages, intended for the French Underground/Resistance, transmitted in the clear by the BBC, just prior to the D-Day landings, during World War II?
Everything old is new again?
Dave
P.S. I'll get my coat. It's the one with a pocket full of message slips, with phrases such as "John has a brown cow.", "Becky has a large garden."
Even if you do meet in person, that's no guarantee that you can trust them to keep your secrets. Internal betrayal is always a problem.
Hopefully, if the security services are throwing resources at ELINT, they won't be spending as much on HUMINT, so your new pal is less likely to be an undercover police officer come to cheat on his wife with an activist or two.
As someone who has worked both sides of the coin (Government/Public vs Private), the one thing that terrifies me is how often Government (though unintentionally and bumbling ) get it wrong, they get the wrong John Smith or the wrong address or the Telephone/ mobile / Email etc.
A good example of this here....http://www.bbc.co.uk/news/technology-37048521
Now they are advocating back doors, it's almost as if none of them understand the Risks or implications of their legislation - Whether it's applications of Cipher-Block-Chaining (currently a massive area of growth and R&D) , or Post-Quantum Cryptography.
The fear of Terrorism (or as I call it, Criminal Violence) is disproportionate to the Risk, it's irrational and it has to stop.
[...] under the procedure, the Commission presents a proposal to Parliament and the Council which can only become law if both agree on a text, which they do (or not) through successive readings up to a maximum of three. In its first reading, Parliament may send amendments to the Council which can either adopt the text with those amendments or send back a "common position". That position may either be approved by Parliament, or it may reject the text by an absolute majority, causing it to fail, or it may adopt further amendments, also by an absolute majority.
With such an ignorance towards EU, there's no surprise Brexit happened.
It depends on the kind of legislation. Parliament can propose changes or may be limited to just accepting or rejecting.
There are other kinds of legislation which do not involve Parliament, i.e. Commission only or Commission + Council.
Parliament doesn't have initiative, i.e. it can't propose laws, the Commission has that.
I don't see why I got downvoted. The Euro parliament has no legislative authority. It's in the same position as the House of Lords. It can reject or accept legislation and suggest modifications, but it has no power to enforce them. It can't legislate. That means it has no legislative authority.
Legislative authority rests with the Commission and the Council. If the Parliament rejects the Commission's legislative proposal or proposes amendments that the Commission or the Council aren't interested in, the two bodies can turn around and say "we're passing it anyway."
Ok so you install back doors on all the companies you can in the west.
Terrorist start using apps from the east.
Where does this leave you? Block or ban those apps? Good luck with that as you don't understand how the internet works because for every app you block 10 new ones could pop up.
They know this which makes it even worse because they can't all be that stupid. Someone must have pointed this out at some point.
You may think tin foil hat but I'm seeing this differently in that there is something else going on here and it points to totalitarian regimes.
..because steganography? OFFS when will these turd brains realize they are backing the wrong horse. The internet has already out-smarted them and it is at a lazy trot, just wait till they turn up the heat and it breaks into a canter. Meanwhile lawyers get richer, consumers and IT suppliers get billed, Police get even more frustrated, and MPs show themselves to be even greater nitwits than we already knew they were.
Steg can be detected!? Some forms can, and, at best, some images can be highly suspect because of noise characteristics. Go for busy, moody, grainy shots to best leave them guessing.
Even steg found does not equate to means broken. Message is encrypted anyway so even if you separate the message from the carrier you are now into round two. Which for a halfway decent encryption scheme means the next new challenge for a cow shed full of qbits* and some very, very brainy people - plus a HUGE bill per message.
Yeah pass the law to stop the tide coming in - I'll stand on the beach with popcorn and laugh while you drown. Then we will need a new law to seize your assets and pensions to (part) compensate the companies and tax payers for this debacle.
Four people died recently because of the actions of one lone nutter (also dead). How many people died in the UK on the same day as a result of accidents and incidents not related to misguided nutters? The excuse does not add up - so what, or who†, are 'they' really afraid of?
*allegedly, in the best spirit of Eye and HIGNFY.
† I do so hope the answer is 'us' - because ... icon.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
