Europe to push new laws to access encrypted apps data

The European Commission will in June push for access to data stored in the cloud by encrypted apps, according to EU Justice Commissioner Věra Jourová. Speaking publicly, and claiming that she has been pushed by politicians across Europe, Jourová said that she will outline "three or four options" that range from voluntary …

    1. Anonymous Coward

      Re: and picture messaging will be banned

      Don't need Steg., if I send you an image of a kitten it means the mission is on. Dog image means "off".

    2. Frumious Bandersnatch

      Re: and picture messaging will be banned

      As someone mentioned above, it's much easier to use specific pre-arranged codes, preferably one use only. Something simple like posting an animal picture or video on a certain day, with the choice of animal (or no post at all) giving a traffic light-like status update or selecting from a set of targets, or whatever. Assuming you can meet up in person at least once without being bugged/spied on, it's trivial to pre-arrange this sort of thing and no amount of technology or anti-encryption laws can defeat it.

      (Hmm... I didn't see that post that's (now) right above mine, suggesting exactly the same thing)

      1. Charles 9

        Re: and picture messaging will be banned

        "Assuming you can meet up in person at least once without being bugged/spied on, it's trivial to pre-arrange this sort of thing and no amount of technology or anti-encryption laws can defeat it."

        But as I've mentioned, THERE'S your problem: The First Contact problem. How can you be sure you aren't being moled?

        1. Kiwi
          Holmes

          Re: and picture messaging will be banned

          "The First Contact problem. How can you be sure you aren't being moled?"

          How many people in this world? How many are employed to follow other people? How many people are actually targeted for being followed?

          Chances are, even if you're high on a watch list, you're not being followed. Going off stuff over recent years it's more likely a cop will kill an innocent civilian than a highly trained "operative" will actually be following someone of consequence. There's just way too many people in the world who're of interest and way too few people doing a decent job following them. Even those nations who employed most of the population in spying on their neighbours and their own families couldn't keep track of those they actually needed to follow.

          If you're not on a watch list, then unless you're that innocent civilian about to be shot, you're not being followed anyway. Someone you trust can introduce you to someone they trust, or can provide a way to meet securely. Yes, one in a few thousand might get caught, but the vast majority complete all their meetings and tasks without it being known they even exist. They're out there meeting in plain sight under the watchful eye of a thousand monitored security cameras, and not one watcher gives them a second glance.

          1. Charles 9

            Re: and picture messaging will be banned

            What about a COMPUTERIZED Panopticon, with humans reserved for the red flags? Think how casino security works, cranked up to eleven.

            1. Kiwi

              Re: and picture messaging will be banned

              "What about a COMPUTERIZED Panopticon, with humans reserved for the red flags? Think how casino security works, cranked up to eleven."

              What, you mean like the "facial recognition" that doesn't exactly have the greatest abilities?

              Ever heard of felt tips? "Sorry officer, I cut myself shaving, I wasn't trying to change my appearance". Etc etc etc etc. A little bit of thought tells you lots of ways to get around this sort of stuff. And if you don't come up with anything, spend some time in some decent books that cover the subject. Don't watch the CSI crap where they can zoom in on a shiny grain of sand from 10,000 miles away and further zoom in to something that happened around the corner 10,000,000,00,000,000,000 miles away - originally filmed on a 320x240 webcam, there's laws against that.. Laws of physics, so none of your "but WHAT if the GOVERNMENT makes a LAW that says CAMERAS must BE able TO do THAT!" please. Computer eyes or human eyes, there's too much movement out there to watch it all. Just a few moments thinking about it.

  1. Andy The Hat Silver badge

    If apps are intrinsically insecure ...

    then why should I be using an 'internet banking app' or a secure sharedealing service or a bitcoin service, shopping app or GP's online app when they have a known backdoor?

    Perhaps my mum, who couldn't spot the difference between "those W W dots" and VHS, has actually got it right ... start opening those High Street bank branches again please, and all is forgiven bring back Woolies.

    1. Frumious Bandersnatch

      Re: If apps are intrinsically insecure ...

      Actually, I was also thinking about Bitcoin. Since the ledger is public, you can encode your "go/no-go" message using a transaction of a certain amount. I assume that wallet IDs are stored in the ledger, although it's impossible to know who they belong to unless you find it on someone's PC, which shouldn't happen if you're doing it right.

  2. Christoph

    "Meanwhile politicians and law enforcement insist they don't care how it's done, they want to be able to access people's private communications and stored data, particularly if they have a warrant regarding suspected criminal behavior."

    Fixed it for you

  3. Doctor Syntax Silver badge

    I look forward to Věra Jourová leading by example and doing a Clarkson. She wants to expose the EU population to having all their online security compromised. She should compromise her own to show how safe it is by telling us her banking, email and any other online credentials she has.

  4. Anonymous Coward

    What can they find out?

    There are two distinct problems.

    First, it has always been possible to find where a message went or was sent to. If the Police were watching you, they could read the addresses on your mail. On the internet, every packet carries source and destination IP addresses. It has become hugely cheaper to collect this info, the Police-types can learn a great deal from it. It's called Traffic Analysis, and it's data that cannot be encrypted.

    I think that needs good warrant-level control, a combination of privacy protection and a legal duty for the providers to follow.

    But the contents of a physical envelope, while not absolutely safe, needed significant effort for those Police-types to read without the addressee's knowledge. That was part of our protection, and part of why we didn't have a strong need for laws. So what are the implications of a system that gives those Police-types a cheap method of reading everything?

    Laws which make a read-everything approach easy and cheap are dangerous.

    How easy, how cheap, that's the question. And it needs to be nearly universal. Some places, such as New Zealand, might not be the man in the middle on a route, but if A and B require warrants, what's to stop the spying being done somewhere on the route between them?

    So I can't see how we can walk away from the EU on these issues. What happens if nobody trusts our internet? But there's room for a lot of ignorance and stupidity between "we must do something" and what eventually gets done, and we're already seeing the usual suspects sticking their oars in.

    And an EU Commissioner has to keep dealing with the idiots to be sure of having the necessary hashtags at the end of the process.

    1. Anonymous Coward

      Re: What can they find out?

      "And an EU Commissioner has to keep dealing with the idiots to be sure of having the necessary hashtags at the end of the process"

      And it is very difficult when said EU Commissioner is likewise an idiot for entertaining such an idea.

      We all know that the first requirement to be a politician is complete ignorance of anything technical. All they have to know is how to screw the people.

  5. Dieter Haussmann

    How many more false flags must we endure?

  6. Haku
    Facepalm

    Encryption backdoors won't stop terrorists.

    It'll just give hackers a new goal, one with potentially untold riches and/or damage capability.

  7. CrashM

    Terrorists are not stupid!

    Do governments really believe that the terrorists are stupid? Do they think that the terrorists don't have even semi skilled programmers?

    If you want to send secret messages and guarantee their security all you need to do is spend a few hours programming and you have your own instant messenger, using encryption you implemented yourself, sent through a server you control.

    With all this attention on WhatsApp, Facebook and other popular instant messengers why would you use them for mission critical communication?

    1. Brewster's Angle Grinder Silver badge

      Re: Terrorists are not stupid!

      First, do you really think the Westminster Bridge attacker would have been able to do that? That's what WhatsApp does: it brings the expertise to the masses for free.

      Second, I guarantee your system would take more than a few hours and if you implemented the encryption yourself it would be crackable by the security services. Encryption is really hard to get right. One bug and it becomes crackable.

      1. CrashM

        Re: Terrorists are not stupid!

        Well... Firstly, the Westminster Bridge attacker was just an angry random. Had he been an actual ISIS soldier he probably would have been better outfitted (software and hardware).

        Secondly, yeah, I may have underestimated the time taken to write an encryption implementation but they could use one of the many open source implementations that have been security checked by hundreds of people. However creating their own IM that makes use of dark networks like Tor (for that additional layer of security) would not be much of a challenge for an intermediate programmer.

        1. Pascal Monett Silver badge

          Re: "not be much of a challenge for an intermediate programmer"

          Encryption is NOT EASY, and implementing it properly is NOT the domain of an "intermediate programmer".

          In order to properly implement encryption into a home-grown product, you have to have a programmer that is bloody good. Not Torvalds-level good, I agree, but better than "intermediate" for sure.

    2. Anonymous Coward

      Re: Terrorists are not stupid!

      No, but the people who think it's to do with terrorism are.

      IT'S NOTHING TO DO WITH TERRORISM.

  8. mithrenithil

    Terrorists (and other bad people) abide by laws don't they....

    After Swiss cheesing encryption for legit users, the bad ppl will just create their own messaging apps which are secure. The threat of jail time isn't going to be much of a deterrent to these types of people, especially those willing to commit mass murder...

    1. Charles 9

      Re: Terrorists (and other bad people) abide by laws don't they....

      But the moment you do, in a world where all other systems are Emmentaler, you stand out like a sore thumb, and if you try to stego your way past, you're likely to get your message mangled.

      1. Paul Crawford Silver badge

        Re: "you stand out like a sore thumb"

        No, you just encrypt before using WhatsApp or similar. Unless they decrypt and check EVERY WhatsApp message then they won't see your message as having any unusual characteristics. By the time they do it's probably too late anyway.

        Depending on how any back door is implemented the cost of decryption could be made very high, for example to thwart mass surveillance but keep to the letter of the law, so they would need to have prior knowledge of suspects to check and then you are back to square one - to crack the 2nd level of encryption you need to arrest them and so on to obtain the key, so it's no longer usable for surveillance as the suspects know they are being followed.

        1. Charles 9

          Re: "you stand out like a sore thumb"

          But you have to assume the law will demand the back door be EASY for law enforcement to implement, meaning they can probably screen the stuff near-realtime and anything that comes out STILL encrypted, like I said, sticks out.

  9. Anonymous Coward

    Bunch of drongos

    Fark, these people are stupid.

  10. Jess

    I hope the app providers don't provide back doors.

    The only concession they should give is to provide a separate unencrypted channel, to send messages if the main secure channel is blocked, but making it completely clear that the channel in use is insecure.

  11. Anonymous Coward

    Hitler, Stalin, Mao, and The Combine would approve. The ends justify the means.

    1. jake Silver badge
  12. Anonymous Coward

    @ Kieren McCarthy

    "The European Commission will in June push for backdoor access to encryption used by apps, according to EU Justice Commissioner Věra Jourová"

    Could you please provide the source of that statement (date and place), and if possible a link to an official copy, such as a press release in the europa.eu domain?

    It's not that I do not trust you, but it would seem advisable to double check, plus I would like to be apprised of the context in which the aforementioned statement might have been made. Cheers!

  13. dahle llama

    Obligatory CGP Grey

    https://www.youtube.com/watch?v=VPBH1eW28mo

  14. Anonymous Coward

    Start

    by adding a large chunk of false data to an email.

    &^BTITRB*TVFGYTVFFhgv jhgbhjv ghjgbigKJBJ Hgkh gigV JHG Vjh GFBHGO giuyytoiuyobiutoi7BOIygOguiytbigyOuINYI vkjhGybgUYgnkJHGOHgBgFnjhon h kjHgnjGngK&^BTITRB*TVFGYTVFFhgv jhgbhjv ghjgbigKJBJ Hgkh gigV JHG Vjh GFBHGO giuyytoiuyobiutoi7BOIygOguiytbigyOuINYI vkjhGybgUYgnkJHGOHgBgFnjhon h kjHgnjGngK&^BTITRB*TVFGYTVFFhgv jhgbhjv ghjgbigKJBJ Hgkh gigV JHG Vjh GFBHGO giuyytoiuyobiutoi7BOIygOguiytbigyOuINYI vkjhGybgUYgnkJHGOHgBgFnjhon h kjHgnjGngK&^BTITRB*TVFGYTVFFhgv jhgbhjv ghjgbigKJBJ Hgkh gigV JHG Vjh GFBHGO giuyytoiuyobiutoi7BOIygOguiytbigyOuINYI vkjhGybgUYgnkJHGOHgBgFnjhon h kjHgnjGngK&^BTITRB*TVFGYTVFFhgv jhgbhjv ghjgbigKJBJ Hgkh gigV JHG Vjh GFBHGO giuyytoiuyobiutoi7BOIygOguiytbigyOuINYI vkjhGybgUYgnkJHGOHgBgFnjhon h kjHgnjGngK&^BTITRB*TVFGYTVFFhgv jhgbhjv ghjgbigKJBJ Hgkh gigV JHG Vjh GFBHGO giuyytoiuyobiutoi7BOIygOguiytbigyOuINYI vkjhGybgUYgnkJHGOHgBgFnjhon h kjHgnjGngK

    For example. Make it LOOK like encryption, watch as they drown in a sea of falsehoods and misdirection.

  15. Anonymous Coward

    New (old?) means of investigation needed

    So the reasoning goes like this:

    1. People encrypt their communication to enforce their privacy from the government. Since the government has no business in their communications and expresses interest in protecting the privacy of people that should be perfectly well.

    2. People expect that encryption will protect them from a government who stops expressing interest in their privacy.

    3. Government who likes privacy can't check up on the groups who don't like privacy (and use violence to impose their will).

    4. Groups who don't like privacy use the privacy shield of encryption to undermine the privacy-loving government.

    5. The anti-privacy groups take power one way or another. They then use violence to make everybody who uses encryption to go to jail or die.

    6. Groups who like privacy have no means of undermining the privacy-hating government.

    With privacy the bad guys who want to subjugate you can't be spied on - people have to risk their lives infiltrating their circles, but you know that if the bad guys are in government they can't spy on you. Without privacy you don't know if the bad guys are in government and spying on you, and people "get disappeared" all the time without a trace and no indication of who did it.

    The only solution then is to strengthen democracy and make government as transparent as possible so that when shit gets around to point 5 they get dealt with quickly and a proper government elected back in.

    What the EU, May, and other national governments say is that they're not bad guys and promise they'll never be. Strong democracy would on the other hand mean that getting to point 5 is a possibility, but after a small period of tribulations point 6 is averted rather than set in stone. Human nature says that there's no way to ensure the people in power will never be bad guys.

  16. tfewster
    Facepalm

    She's right that it needs a change in the law. Her problem is that the EU doesn't have jurisdiction over the laws of mathematics.

  17. Harry Stottle

    Educate the Public

    I know.

    That's as plausible a strategy as "Win Game"

    I did give fleeting thought to starting up a petition along the lines of criminalising uninformed authoritarian comment on matters they know nothing about but that eliminates virtually all political discussion, which, while desirable, is even more unrealistic.

    Public education is, in my view, the only realistic way to defeat the bastards in the long term. It does not require that every voter understands the fundamental ethics, let alone the fundamental mechanics of secure communications. All it requires is moral comprehension by a significant minority, say 20% or so, of the implications of criminalising secure communications. That's enough to ensure, when the relevant test cases come before a jury, that the case is dismissed with the same finality as we've seen (in the UK) with certain infamous attempts to use the Official Secrets Act. (eg Peter Wright)

    This could work in the UK and Commonwealth countries which use the UK legal model. Not much use in those European countries which don't use juries and not much use in the USA, where jury-rigging is standard, but we can't let the perfect be the enemy of the good.

    As to how we educate the masses, I think we need to start with the lowest common denominator - the Daily Mail - and persuade an appropriate hack to write the story from the angle that those nasty civil servants are trying to curtail their liberty. Writing the more balanced and rational version for the broadsheets would be relatively trivial as half of them are already on side.

  18. d3vy

    I've not read the rest of the comments yet but it seems to me that there isn't a way to enforce this.

    You can compel companies to give you access to their services but anyone wanting to communicate privately will find ways to do so.

    I mean what's to stop me going on Twitter and tweeting a lump of 140 characters of encrypted text with a #TodaysBigNewsStory hash tag?

    Potentially thousands will see it and disregard it - only the one guy that I have previously shared the key with can decrypt it...

    Actually I'm pretty sure I could patent this in the US :)

    Or you know.. we could go back to the 70s and start posting hidden messages in the lonely hearts section of the local paper..

    1. Charles 9

      The fact you'll stand out like a sore thumb since your tweet has no legible text in it...

      You not only have to prevent the plods from decrypting your message, but most of the time you also have to hide the fact you're communicating at all, or the plods simply track the tweet activity to nail you down.

  19. Mathman

    The only way to enforce a ban would be make it illegal to run non-approved software on any device. Otherwise if you can side-load or install an executable then it could be an end-to-end encryption application or contain hidden somewhere in the interface the possibility of end-to-end encrypted communication.

    The only "walled garden" where this is remotely achievable is on locked down Apple devices (iOS) - where even developers are required to acquire special certificates to test their own software.

    In such a world, software development would be a potentially illegal and dangerous activity - especially if not being done for a "legitimate" approved organisation. Even then it would be difficult because any software application that supports a scriptable interface (including Javascript) is a potential encryption device. Spreadsheets would also be banned. Javascript would be ditched. Only "approved" code can be executed. All OS's would be locked down, Linux would be frozen. Open Source would be restricted.

    Basically running or controlling software would be licensed under the sole auspices of the "authorities". In this dark world all developers would be vetted and regularly checked up on.

    And all for what? So we can see the last "goodbye world" message sent by a deranged individual.

  20. Number6

    Not to be used in the following countries.

    If I was an app writer and I lived outside the EU, my solution would be to put up a disclaimer notice pointing out that the app did not comply with the legal requirements to weaken encryption in EU countries and so people in those countries shouldn't install the app and that I took no responsibility for anyone caught doing so. No idea whether it would hold up in law, but given that a good part of what we do is illegal somewhere in the world, the concept is not unreasonable.

    Isn't Telegram open-source? If so, you'll just get a 'Eurocrypt' module written that gets compiled in or not as needed, and if you accidentally use the strong version by mistake then 'oops'.

  21. Cynic_999

    The solution is obvious

    The banning of encryption etc. would be terribly difficult, and is just a means to an end.

    Why not simply ban terrorism? In fact we could make all crime illegal. Surely this would be just as effective as banning encryption?

    1. Charles 9

      Re: The solution is obvious

      WHY would it be so terribly difficult if there were ways to mangle stego and so on? Then it's down to code phrases and so on that require First Contact to establish, and those can be moled.

  22. John Brown (no body) Silver badge
    Paris Hilton

    Is -xit the new -gate?

    See title.

  23. Doctor Syntax Silver badge

    Maybe bringing https://www.searchinternethistory.com/ to politicians' notice might concentrate their minds a little (or concentrate their little minds).

  24. Rob D.
    Coat

    Opportunity

    Let the EU render encryption useless for protecting data and then after Brexit, offer the UK as a safe data haven just off-shore with proxies and protected services readily accessible through our fine infrastructure, slimline business regulation and privacy laws protecting the rights of the consumer.

    Oh, hang on, that's not going to work, is it?

  25. Anonymous Coward

    The next time political leaders in Europe wonder why there isn't a European Google/Snapchat/FB/etc.

    Please refer them to Ms. Jourova's office for at least part of the answer.

  26. Version 1.0 Silver badge
    Facepalm

    Meet the law, and defeat it.

    So they want to ban encrypted communications?

    No big deal, there are lots of ways to communicate in plain text without anyone having a clue about what you are talking about. I think I could knock one or two apps to do this in a couple of days if I cared.

    1. Charles 9

      Re: Meet the law, and defeat it.

      The moment you do, the law will just download their own copy and break the system. The only way to ensure that is to make sure the law never gets a hold of the code, which can't be guaranteed due to the First Contact problem.

  27. Sgtpanda

    I really hope if this does come to pass then tech companies refuse to comply.

    Politicians rely on the fact that not enough of the general public know the nuances of why E2E encryption (or any encryption) is needed.

    So let's see them deal with the public reaction if Facebook/Twitter etc. threaten to pull services, who do you think the public will side with, the sites who they basically spend their entire life on or 'The Government'?

    You'll have to put the riot police on standby if you threaten to take away people's beloved Facebook.

    1. Anonymous Coward

      On the plus side though, you wouldn't have to read Donald Trump's or most celebrity tweets.

      1. jake Silver badge

        Contrary to the marketing hype, you don't have to read their tweets now.

        In fact, I have never read anybody's tweet. Nor do I plan to any time soon.

  28. Anonymous Coward

    I wonder if they'd make non compliant products illegal to sell or illegal to POSSESS?

    If they ban iPhones when Apple inevitably tells them to go pound sand, will I have mine confiscated at the border? It would annoy me to no end to have to leave it at home when I visit, and bring some buggy piece of crap that the EU and everyone else can easily snoop just because they have idiots in charge who don't understand shit about technology!

    Plus it would piss me off as a shareholder that Apple couldn't sell phones in the EU anymore.

    1. Rattus Rattus

      Re: "that Apple couldn't sell phones in the EU anymore"

      See, every cloud does have a silver lining!
