Backdoor backlash: European Parliament wants better privacy

A committee of the European Parliament is pushing back against the anti-encryption sentiment infesting governments around the world, with a report saying citizens need more protection, not less. In a draft report that landed last week, the parliament's Committee on Civil Liberties, Justice and Home Affairs says data protection …

  1. Yes Me Silver badge
    Thumb Up

    Excellent

    Excellent (and another example of why the EU is a good thing, of course). As has been pointed out repeatedly for 20+ years, the only impact of anti-crypto laws is to encourage bad people into using unbreakable private end to end encryption instead of at least leaving a meta-data trail on the public services.

    1. Mark 85

      Re: Excellent

      While I agree this is excellent, I believe it will be ignored overall. There's just too many "leaders" screaming for backdoors, etc. because of, you know... terrorism. Pity that logic and sound reasoning gets shouted down by those either in power or seeking to be in power.

      1. DropBear

        Re: Excellent

        I share the concern that this might not amount to much but you know what, in this anti-crypto climate - I'll take it!

      2. Doctor Syntax Silver badge

        Re: Excellent

        " I believe it will be ignored overall."

        If it gets through into EU law then it can't be ignored. That's a pretty big if, however.

        I'd like to see the EU Parliament get this through in less than 2 years. Her Ladyship won't like it but then I think her tenure won't stretch anything like so far ahead.

    2. bombastic bob Silver badge
      Devil

      Re: Excellent

      "The only impact of anti-crypto laws is to encourage bad people into using unbreakable private end to end encryption"

      ok - let me substitute 'gun' for 'crypto' or 'encryption' and see if the EU keeps the same attitude...

      This is an example of ONE thing the EU is getting right. Sorta like when Demo-Rats here in the USA get something right. it's rare, it's notable, and worthy of a thumbs up etc.. I sometimes have to give Diane Feinstein a slow-clap because of that. Even Obaka got one from me on rare occasions...

      Keep in mind 99% of everything ELSE they're doing is NOT in your best interest. But this ONE thing, sure, they're getting it right.

      /me slow claps

      1. Eguro
        Paris Hilton

        Re: Excellent

        "The only impact of anti-gun laws is to encourage bad people into using unbreakable private end to end gun"

        I don't get it.

        1. This post has been deleted by its author

        2. Trigonoceps occipitalis

          Re: Excellent

          "private end to end gun"

          It's not the bullet with your name on it that you have to worry about - it's the one that says "To whom it may concern."

  2. Meph

    Big Banks

    I don't know how things stand outside Australia, but I know that here if your money vanishes from your bank account, it's up to the bank to recover the missing money. On that basis, the big four at least will generally return your money to you and then go hunting for the perpetrators.

    In order to both minimize loss as well as risk, the banks rely heavily on encrypted transmissions to secure your money.

    Unless the politicians add a specific bypass clause for banks (and probably Government themselves), then the pro-privacy cause may well get some backing from some very wealthy organisations with a serious interest in secure encrypted comms.

    1. Youngone Silver badge

      Re: Big Banks

      The same four Aussie Banks run things here in NZ, and your point about online banking had occurred to me also.

      I'm pretty sure it has occurred to the banks, and as you say they have an awful lot of money to use to oppose this idea.

      Not that the NZ Govt. has made any noises about this exact issue, I imagine whichever party is running things after our election will do what the US tells them to do.

      1. Christopher Reeve's Horse

        Re: Big Banks

        And you can't have a two tier system of proper encryption for banking and lesser encryption for everything else, because you could feasibly communicate using financial transfers by ciphering values into coded messages.

        If people are determined enough they will find a way to communicate in secrecy. The bluster about back-doors into messaging services is more political than real. Unless, of course, there already are backdoors in all the common messaging services and we're being gamed.

    2. Anonymous Coward

      Re: Big Banks

      I don't think this applies to bank communications as it's the communications of citizens they want so they can monitor and control the population. They don't even have to monitor them to be fair because the fear of having everything you say or do monitored is enough to control.

    3. Doctor Syntax Silver badge

      Re: Big Banks

      Not just banks. Any business that relies on VPNs to connect branches and/or home workers also relies on end-to-end encryption.

  3. Long John Brass

    π = 3.0

    Damn; Now you have to know some muppet in parliament is going to try that one on.

    Stop giving them ideas dammit!

    1. Kevin Johnston

      Re: π = 3.0

      BS Johnson beat them to it when he developed the Sorting Machine

  4. Anonymous Coward

    shame the UK opted out

    That UK bloke, "web inventor" (who I am still ignoring) said that having a single authority with access to all your data was a bad idea as you only have a single target to win access to everything

    How long before GCHQ gets hacked once we lose the protection of Europe and our status as US voice in the same?

    I hope this country invested in decent hardware and software because once we are out we are likely to be more alone than we imagined.

    1. gnasher729 Silver badge

      Re: shame the UK opted out

      "How long before GCHQ gets hacked once we lose the protection of Europe and our status as US voice in the same?"

      Since the NSA has been hacked, with disastrous consequences for the NHS, for example, maybe the correct question would start with "How long since".

  5. veti Silver badge

    Unintended consequences

    Does this mean that unsecured http:// websites would be banned? So in order to own a website, you have to register with a certification authority? That's a step backward for privacy, right there.

    What about Usenet, or plain old-fashioned email? Are those still allowed at all?

    It seems to me that mandating encryption is every bit as bad as banning it.

    1. frank ly

      Re: Unintended consequences

      You make a good point.

      "The providers of electronic communications services shall ensure that ..."

      Perhaps your local football club newsletter and forum will need to apply for and register an exemption to the rules.

    2. Ole Juul

      Re: Unintended consequences

      The providers of electronic communications services

      I'm never sure who is a "provider". The internet being what it is, I often provide for myself, as it were.

    3. Anonymous Coward

      Re: Unintended consequences

      You could always just create your own certificate, sure it's going to throw up a warning box but when did that ever stop the average web user?

    4. Voland's right hand Silver badge

      Re: Unintended consequences

      Indeed. Frankly, the "we promote https" crusade for plain old content by the ones like Google is mostly about ad revenue preservation and prevention of injecting/removing ads. Privacy? Security? Who cares.

      In any case, IMHO both the parliamentarians and the EU ministers are in the wrong here. The issue is very plain, simple and it has been known for nearly a century - long before the days of the internet. It is called legal intercept.

      If you are running a revenue generating communications service, you have to provide legal intercept facilities. So the law says in pretty much all countries. What has been happening is that Internet companies have been skipping on this in the USA for a while by using an old SCOTUS decision that they are running information services, not communication services. That is bollocks. It is used to communicate. They have also transplanted the same services worldwide (and others copied the designs from them).

      Legal intercept != mass surveillance. It is used (in most countries) via a court order which in some places (Germany, Swiss) is actually hellishly difficult to obtain. It is used on an individual basis and does not cost in for the police to use en-masse, because it is CHARGED for by the provider. It costs money.

      IMHO, the fight against legal intercept as a service component is both stupid and wrong. It is a legitimate ask and if it is not provided and backed up by appropriate legal constraints we will get encryption backdoors and mass surveillance instead.

      1. inmypjs Silver badge

        Re: Unintended consequences

        "intercept"

        So how do you intercept something that has encryption you can't break legally or otherwise?

        1. Doctor Syntax Silver badge

          Re: Unintended consequences

          "So how do you intercept something that has encryption you can't break legally or otherwise?"

          Different thongs. You can intercept it. You'll get encrypted data. That's your problem unless, of course, you can launch a MIM attack against it.

          1. Doctor Syntax Silver badge

            Re: Unintended consequences

            "thongs."

            Dammit! Things.

        2. Anonymous Coward

          Re: Unintended consequences

          "So how do you intercept something that has encryption you can't break legally or otherwise?"

          You encrypt it twice. Once to send to the recipient...this is unbreakable. Twice to stealthily send a second encrypted copy which can then be decrypted by Theresa May.

          The only reasonably reliable way to protect yourself is if you also encrypt your messages *before* you enter them into your comms platform of choice. See: PGP

          I suspect this is what will occur if encryption is backdoored.

    5. Pascal Monett Silver badge

      Interesting question

      That actually might have an impact on me.

      I have a little website of my own, practically only known to my friends, where I post various things about our common online hobby-of-the-moment (we game together).

      This little website is absolutely nothing special, only html and some pics. No cookies, absolutely no ads and not a speck of Javascript in sight.

      Why should I slap a certificate on that and bother with https ? Is it really necessary for such a useless thing ?

      1. eldakka

        Re: Interesting question

        @Pascal Monett

        Because creating a key and self-signing it is trivial?

      2. gnasher729 Silver badge

        Re: Interesting question

        "Why should I slap a certificate on that and bother with https ? Is it really necessary for such a useless thing ?"

        It is absolutely necessary. As long as you allow http for "useless things" like your website, then someone can create fake Amazon, Google, Apple websites with http and some people will use them and get ripped off. And "not useless" commercial websites will continue to be careless and use http and get hacked.

        1. Pascal Monett Silver badge

          Re: "And "not useless" commercial websites will continue to be careless and use http"

          It seems to me that that is not any fault of mine. I think they'll be careless whether or not I get a cert for my site. I do not have a commercial website, nor do I have a site managed by any CMS or other mechanism that can be hacked without my knowing it.

          There isn't even any PHP, it's just plain ol' HTML. And the .htaccess is as locked down as I can make it.

          I do know how to make a self-signed cert, I just don't see the use for a site that is used by 6 people, tops.

    6. Anonymous Coward

      Re: Unintended consequences

      No (people should really read the original text before wearing the tinfoil hat). The proposal is about (personal) communication service, not about information services, and even public boards.

      Of course as soon as you offer a way to communicate through your site, you should offer an acceptable degree of privacy.

      Anyway, if you don't want anybody to tamper with your information while in transit, you should protect them with SSL/TLS. It may be far from perfect - but till now no other working substitute exists.

      Also, privacy is not anonymity - they are two different concepts. While anonymity may deliver some kind of privacy (and still, anonymity can be broken) , privacy doesn't require anonymity.

      An Internet provider or any communication company may know exactly who I am (because I pay bills), but when privacy is properly enforced, has no right to look into my data or let anyone access them (without consent, or under a lawful court order).

      1. bombastic bob Silver badge
        Black Helicopters

        Re: Unintended consequences

        "people should really read the original text before wearing the tinfoil hat"

        I think there's an icon for that...

    7. Doctor Syntax Silver badge

      Re: Unintended consequences

      "So in order to own a website, you have to register with a certification authority? That's a step backward for privacy, right there."

      Maybe someone should invent an open certification authority. What would it be called? How about LetsEncrypt.org? I wonder when someone will get round to it.

    8. gnasher729 Silver badge

      Re: Unintended consequences

      "Does this mean that unsecured http:// websites would be banned? So in order to own a website, you have to register with a certification authority? That's a step backward for privacy, right there."

      It's a big step forward. It means that whatever website I access, nobody knows what data is exchanged between me and the website. And there's no reason why someone can't create a site that lets you send complete webpages to the site which will then be published on your behalf.

  6. Nattrash
    Stop

    Sorry but ElReg is wrong...

    Richard, editors at ElReg, please...

    I really enjoy reading ElReg, but now you are really showing the same kind of journalism as other, "no-need-to-check-facts-let's-just-blindly-copy-and-push-out-quickly" outlets. Or maybe you are so preoccupied with your local situation that there is no need to consider off island mind sets or opinions. Shame on you...

    As I tried to outline in my comment to Kieren's piece of June 16 (Look who's joined the anti-encryption posse: Germany, come on down, to which you conveniently linked in this piece. Ever considered a non-self-produced source?), Germany's interior minister Thomas de Maizière never said the country was working on a law to give itself the right to decrypt messages (joining the UK, USA and Australia in the belief that safe backdoors are feasible and Pi can be legislated to a value of 3.0).

    As I mentioned in my comment to Kieren, what Mr. de Maizière was reported to have said actually was:

    „Wir wollen, dass Messenger-Dienste eine Ende-zu-Ende-Verschlüsselung haben, damit die Kommunikation unbescholtener Bürger ungestört und sicher ist.“ (Frankfurter Allgemeine Zeitung, http://www.faz.net/aktuell/politik/inland/innenminister-de-maiziere-will-zugang-zu-whatsapp-nachrichten-15055364.html)

    which translates as “We want that messenger services have an end-to-end encryption, ensuring that the communication of respectable citizens is undisturbed and secure.” So that means he does not dismiss encryption, nor does he champion breaking it. Nor does he seem to adhere to the same practices and beliefs as, as you described, the US, UK, and Australia.

    So, to help you with your (self inflicted) confusion "That's the exact opposite of what Germany's interior minister Thomas de Maizière announced [...]" Nope, it's not. As multiple news sources (see my comment on the 16th) show Mr. de Maizière actually went on record, saying that he welcomes encryption for citizens.

    As I tried to explain, the remarks of Mr. de Maizière refer to a process that has been ongoing for years now, concerning the adaptation of legislation (TKÜ), which would include (encrypted) messenger services in the already existing abilities of authorities to monitor telecommunications. This would be in the same corner as phone tapping in case of suspicion, and will only be possible with a warrant. So call it an update of existing legislation if you want. And again, as I mentioned before in the comment on Kieren's piece, this implies an approach on an individual basis (with a warrant) instead of a mass surveillance approach in the hope to find something interesting.

    Although I probably agree with the opinion of the majority of commentards on this forum here on the use of encryption, and have a good laugh about "technical savvy" comments of politicians like Ms. May and Rudd, I also think it is essential to get your facts straight and correct. After all, barking up a tree that turns out to be not a tree at all makes you look extremely silly...

    1. Anonymous Coward

      Re: Sorry but ElReg is wrong...

      I think you are missing the point. The Germans are saying they want to include encrypted comms in with other comms they have the right to listen on. AS THE ARTICLE said, while they may not have the technical ability they are creating the legal ability. Your point about mass surveillance vs targeted surveillance is irrelevant as things are either encrypted or they are not, this is not about mass surveillance in any way.

      The only issue here is governments trying to force a technical impossibility due to their own lack of knowledge, suggesting that politicians are not as bad or as stupid about tech as we believe is not likely to be that popular a view on this website.

      1. Nattrash

        Re: Sorry but ElReg is wrong...

        No, I'm just as sorry, but you are missing the point. Indeed, the Germans like to include the ability to look at encrypted messages. But, maybe it's more clear what my problem with this piece of reporting is (and Kieren's piece earlier), when I repeat what I also mentioned in my comment on the June 16 piece.

        Here it keeps banging the decrypting drum and so on. But if you're familiar with the matter/ sources, you would know that actually, the Germans never mentioned breaking encryption. Their approach is to introduce soft/ malware on the suspect's device, being able to monitor before encryption happens.

        I'm not disputing right or wrong, encryption yes or no. I just want to believe that ElReg does good, solid, fact based, quality journalism...

        1. Doctor Syntax Silver badge

          Re: Sorry but ElReg is wrong...

          "Their approach is to introduce soft/ malware on the suspect's device, being able to monitor before encryption happens."

          That's a distinction without a difference. It simply means that they're granting themselves the right to break the system as a whole rather than the encrypted component of it. Same effect.

          1. Nattrash

            Re: Sorry but ElReg is wrong...

            Very, very true. But like I wrote before: that is not what I want to highlight or dispute.

            What I do expect, as an ElReg reader, is that the pieces are factual and correct. If not, I could get my knowledge just as easily from the Sun or Bild, and be a happy bunny.

            So if German politicians want to introduce a law that allows introducing soft/ malware on a device, so encrypted messages can be read before encryption, I would value it very much when ElReg reports that. However, writing that German legislators want to break encryption, decrypt, or force the installation of backdoors in messenger applications would be not reporting reality, but fiction, because that is NOT what they're planning. That would be similar to writing here that there has been peace in the Middle East since last week. And let's be honest, that is not how I have learned to value ElReg's reporting...

  7. John Smith 19 Gold badge
    Gimp

    " “decryption, reverse engineering or monitoring of such communications shall be prohibited”,"

    Lucky for Britain that they are leaving the EU and HMG, led by their Beloved Leader Mrs May will "Take Back Control" of UK broadband users privacy.

    You must feel so much safer already.

    1. Graham Cobb Silver badge

      Re: " “decryption, reverse engineering or monitoring of such communications shall be prohibited”,"

      Fortunately we will only have to wait about 20 years to get it. I am sure that within 20 years we will find that we have no choice but to ask to join either the EU or the USA (51st state) in order to have a reasonable position in a world dominated by very large countries (China, India) and very large economic blocks (North America, EU and something Russian-led).

      And the EU is certainly not going to re-grant us our current rebates and opt-outs. But by then the end of the pound and entry into a fully federal environment (EU or US) will definitely be worth it. If nothing else, to allow us to share our elderly care and pensions problems.

      Unfortunately, I am not sure I will still be around to see it.

      1. Lyndon Hills 1

        Re: " “decryption, reverse engineering or monitoring of such communications shall be prohibited”,"

        but to ask to join either the EU or the USA (51st state)

        I think Puerto Rico is reckoning to be 51st. We might have to settle for 5n.

      2. Anonymous Coward
        Devil

        Re: " “decryption, reverse engineering or monitoring of such communications shall be prohibited”,"

        IMHO, within 20 years you will join India... but see the bright side - outsourced jobs will come there.

  8. Chronos

    As ye sow...

    I wrote in April last year

    For the avoidance of doubt, "free" is simply a have now, pay later with your privacy deal. It's worth remembering, when June rolls along, that we didn't even have a right to the expectation of privacy before the HRA 1998. Ms May&co wants to repeal that[1] but even that would be a pointless gesture until the shadow of the ECtHR is removed. Be careful with that vote, folks. You may have someone's eye in.

    OTOH, I can't help wondering if Call-me-Dave's special exception on closer political integration renders that a moot point.

    [1] George Carlin once said a right isn't a right if someone can take it away. It's just a temporary privilege.

    I'm getting too bloody good at this prediction lark, unfortunately.
