Category Archives: Encryption
Leaked EU Document Shows Spain Wants to Ban End-to-End Encryption – WIRED
Spain Advocated for An All-Out Ban on End-to-End Encryption – WebProNews
As the EU grapples with a proposal to enforce message scanning, leaked information reveals Spain has advocated for a total ban on end-to-end encryption (E2EE).
The EU has proposed a bill that would force companies to scan the content on their platforms for illegal material, especially child sexual abuse material (CSAM). The bill would force companies to use on-device scanning, similar to what Apple considered voluntarily implementing before criticism forced it to backtrack. The EU's bill is so controversial that the bloc's lawyers have already warned it is likely illegal and would be overturned in court, and Germany has vehemently opposed the bill.
Despite the controversy, it appears Spain wants even more aggressive action taken. According to Wired, a leaked document details the position of some 20 EU member states, with Spain taking the most aggressive anti-encryption stance.
"Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption," Spanish representatives said in the document.
"It is shocking to me to see Spain state outright that there should be legislation prohibiting EU-based service providers from implementing end-to-end encryption," Riana Pfefferkorn, a research scholar at Stanford University's Internet Observatory in California, told Wired after reviewing the document. "This document has many of the hallmarks of the eternal debate over encryption."
"Breaking end-to-end encryption for everyone would not only be disproportionate, it would be ineffective of achieving the goal to protect children," Iverna McGowan, the secretary general of the European branch of the Centre for Democracy and Technology, told Wired.
McGowan's statement echoes those of Germany's critics of the bill.
"Child protection is not served if the regulation later fails before the European Court of Justice," said Felix Reda from the Society for Freedom Rights. "The damage to the privacy of all people would be immense," he added. "The tamper-free surveillance violates the essence of the right to privacy and cannot therefore be justified by any fundamental rights assessment."
According to Wired, 15 of the 20 nations were in favor of scanning E2EE messages for CSAM. Germany has continued to object to the bill as it is currently worded, saying it must be changed to guarantee encryption will not be weakened or circumvented. Estonia remains opposed, and Finland has warned the bill could be at odds with the country's constitution.
"The responses from countries such as Finland, Estonia, and Germany demonstrate a more comprehensive understanding of the stakes in the CSA regulation discussions," Stanford's Pfefferkorn says. "The regulation will not only affect criminal investigations for a specific set of offenses; it affects governments' own data security, national security, and the privacy and data protection rights of their citizens, as well as innovation and economic development."
Proton’s new Family plan is tempting me to spend even more on encryption – BGR
I recently told you I was tempted to switch my password manager from 1Password to Proton Pass, a newly announced service from the Swiss software company Proton. Now, Proton has given me another reason to consider the switch. Enter the Proton Family Plan, which offers a suite of end-to-end encrypted apps: Mail, Calendar, Drive, VPN, and Pass. It all starts at $19.99 per month if you get the two-year plan, and that's a tremendous value for up to six family members.
You might be familiar with Proton for their end-to-end encrypted Mail app. But the company has launched several useful services over the years, with Proton Pass being the most recent.
Proton Mail, Calendar, Drive, VPN, and Pass are all end-to-end encrypted, which will ensure and protect your privacy. Moreover, since Proton is based in Switzerland, your data is safeguarded by local privacy laws.
The Proton Family Plan will extend that privacy protection to your family members, who might not be as tech-savvy as you. Still, access to end-to-end encrypted apps might help them better understand and appreciate strong privacy and security features.
The family plan is available right now, starting at $19.99 per month if you're willing to pay for two years' worth of access up front. Here's what the plan has to offer:
This is already amazing value right here, especially if you and your family have no problem starting from scratch. That is, ditch competing services to rely more on Proton's suite of apps.
At $20/month, it's a service worth considering even if you don't plan on sharing it with others. The plan costs $23.99 per month if you pay for 12 months of access upfront or $29.99 monthly for month-to-month access.
But you can get a free account to test drive Proton services if you've never used Proton Mail before you ink a family deal.
If your attachment to Gmail is the main reason you'd avoid Proton, you should know that Proton Mail supports Gmail forwarding. You won't have to ditch Gmail to get on the Proton Family Plan.
The only thing we don't know is when Proton Pass will be available, the password manager that Proton announced recently. Like I said before, the upcoming password manager is a highlight, and the inclusion in the new Proton Family Plan is terrific news.
And yes, the fact that Proton will include future premium apps in the plan is another exciting promise.
European Commission: "the content is the crime," so let’s break … – Statewatch
24 May 2023
The EU's proposed Child Sexual Abuse Material (CSAM) Regulation is perfectly legal, the European Commission has argued, in response to the Council Legal Service's arguments that the "detection orders" set out in the proposal would be illegal.
The Commission argues that "the content is the crime", and so access to the content of encrypted communications is necessary.
The CSAM proposal foresees a regime of "detection orders" that could be issued against providers of "interpersonal communication services" - for example, messaging services such as Signal and WhatsApp.
In a widely-reported leaked opinion (pdf), the Council Legal Service (CLS) argues that the regime of detection orders set out in the proposal is "not being sufficiently clear, precise and complete."
Furthermore, it would either "[compromise] the essence of the above-mentioned fundamental rights in so far as it would permit generalised access to the content of interpersonal communications," or fail to meet the proportionality requirement due to:
In a note (pdf) circulated in the Council on 16 May, the Commission sets out why it thinks otherwise:
"The Commission services are of the view that there are numerous elements that, especially when considered in their totality, likely justify the conclusion that the proposed system of detection orders is proportionate."
The Commission seeks to use the same case law as the CLS to argue that the CSAM proposal would in fact be entirely legal.
The CLS opinion also notes that:
"...the providers would have to consider (i) abandoning effective end-to-end encryption or (ii) introducing some form of 'back-door' to access encrypted content or (iii) accessing the content on the device of the user before it is encrypted (so-called 'client-side scanning')."
As has been pointed out multiple times, this would fatally undermine the way the internet works, putting the privacy and security of all users at risk - but this point does not appear to be a deterrent to the Commission.
On the issue of undermining encryption - and thus the privacy and security of communication via the internet more generally - the Commission's paper remains silent.
Documentation
The minutes of the recent EU-US Senior Officials Meeting on Justice and Home Affairs, held in Stockholm on 16 and 17 March, demonstrate cooperation on a vast range of topics - including a "proof of concept" of the "Enhanced Border Security Partnership" involving the transatlantic sharing of biometric data, the need to "reinforce law enforcement's legitimacy to investigate" in debates around breaking telecoms encryption, and US "concerns on radicalisation among police forces."
Negotiations are proceeding on the EU's proposed Regulation laying down rules to prevent and combat child sexual abuse, which will oblige communications service providers to undermine encryption and use unproven automated detection technologies in the hope of detecting online child abuse imagery. In mid-October, the Czech Presidency of the Council circulated compromise proposals on Chapter III, dealing with supervision, enforcement and cooperation. Two weeks later, proposals on Chapter I (general provisions) followed. They are published here.
At a recent event hosted by Europol's Innovation Hub, participants discussed questions relating to encrypted data and the ability of law enforcement authorities to access digital information. One issue raised was a possible "EU Vulnerability Management Policy for Internal Security," which could allow for "temporary retention of vulnerabilities and their exploitation by the relevant authorities." In effect, this would mean identifying weaknesses in software and, rather than informing the software developers of the problem, exploiting it for law enforcement purposes.
Broad coalition of advocacy groups urges Slack to protect users’ messages from eavesdropping – CyberScoop
A broad coalition of technology, civil liberties, reproductive justice and privacy advocacy groups is urging the global workplace collaboration platform Slack to offer end-to-end encryption so that its users' messages can't be read by government officials or eavesdropping bosses.
"Right now, Slack is falling short in terms of the most basic guardrails for platform safety and privacy," a group of 93 organizations wrote in the letter. "At this political moment, this can mean life or death for some people online. We call on Slack to go beyond statements and put into action its commitment to human rights by implementing basic safety and privacy design features immediately."
Concerns about the security of private messages have come into greater focus in recent years due to a number of factors, including the rise of government use of spyware on activists and dissidents as well as the increased risks posed to reproductive rights after the U.S. Supreme Court overturned the right to abortion last summer. While there are no reported instances of Slack messages being weaponized in these cases, the trove of communications the platform collects from clients ranging from government agencies to activists has made users' communications a target of both lawsuits and hackers.
The letter from groups such as the Mozilla Foundation and the Tor Project is the latest step in a campaign led by the digital rights advocacy group Fight for the Future that urges messaging companies to adopt encryption. Fight for the Future launched its campaign last year in response to the Supreme Court's Dobbs decision that ended the constitutional right to abortion, a ruling that led to concerns that abortion seekers' unsecured communications could be used against them in criminal prosecutions.
In the aftermath of Dobbs, companies such as Meta doubled down on existing encryption efforts. However, Fight for the Future campaign director Caitlin Seeley George said that Slack, which was named alongside other companies such as Meta, Twitter and Google in the Make DMs Safe campaign, hasn't been responsive to the group's requests.
The concerns raised by the Fight for the Future campaign aren't abstract. In the past year, there have been several high-profile cases in which law enforcement used private messages turned over by tech companies to investigate illegal abortion.
"We're moving to a point where the expectation that communication platforms have end-to-end encryption is becoming the new norm," said Seeley George. "I think people broadly are a lot more aware and cautious about how they're communicating with people in part because, unfortunately, we've seen cases pop up already where the consequences of not having secure messaging have become really clear."
Slack has more than 10 million daily users around the globe and is used by a range of entities including government agencies, political campaigns and Fortune 500 companies. The platform does encrypt data in transit. However, user messages are not protected using end-to-end encryption, meaning that workspace administrators or Slack are free to snoop on conversations. Without end-to-end encryption, that data could also be accessed by law enforcement that requests it.
Slack said in a blog post that its policy is to carefully review all requests for legal sufficiency and with an eye toward user privacy. According to its last available transparency report, Slack received 31 law enforcement requests between January 1 and December 31, 2021. Five of those requests involved content data.
Ranking Digital Rights, one of the groups that signed the letter, observed that Slack was in the minority when it came to the practices of most global messaging services and instead aligns more closely with Chinese messaging platforms.
The letter to Slack comes amid growing pressure on encrypted messaging services from lawmakers in both the U.S. and abroad. WIRED reported Monday that a leaked European Council document found that the majority of EU countries represented in the document supported some form of scanning encrypted messages with Spain taking the more extreme position of advocating for a full ban of the technology.
In addition to end-to-end encryption, the groups behind the letter are urging Slack to adopt anti-harassment tools such as blocking and reporting features. In the past, the company has said that such a feature doesn't make sense for a workplace tool. Critics say that the messaging platform is used by a broad array of groups and that workplace harassment on Slack is a well-documented issue that got even worse during the rise of remote work.
Caroline Sinders, a researcher who has been pushing Slack to introduce a block feature since 2019, says that anti-harassment and encryption features are the seatbelts of online safety. "We need to shift our thoughts away from thinking of these solely as additional features, but as necessary and required functionality to create and maintain a healthier web," she said in a statement.
Slack responded to a request for comment from CyberScoop by reiterating its user privacy policies.
"Slack is a workplace communication tool and we take the privacy and confidentiality of our customers' data very seriously," a spokesperson wrote in an email. "Our policies, practices, and default settings are aligned with business uses of our product."
Seeley George said that it's important to push companies that have come out as pro-choice to follow through with that commitment when it comes to user security. "We can't and won't let companies like Slack hide behind good PR moments," she said. "We really need to push them to go further and really consider safety more holistically."
Updated May 24, 2023: To include a comment from Slack.
Vaultree unveils Fully Functional Data-In-Use Encryption solution for … – Help Net Security
Vaultree announces a major leap forward in healthcare data protection, bringing its Fully Functional Data-In-Use Encryption solution to the sector.
Coupled with a groundbreaking software development kit and encrypted chat tool, Vaultree's technology revolutionizes the data encryption landscape, providing full-scale protection of sensitive patient data, even in the event of a breach, while preserving operational efficiency and performance.
In today's digital era, no sector is more vulnerable to cybercrime than healthcare. The first half of 2022 alone witnessed 337 breaches, affecting billions of patients worldwide. The repercussions of such breaches not only risk lives but also jeopardize the privacy of the most sensitive patient information, including women's reproductive health data.
Vaultrees solution redefines the security landscape, providing comprehensive data protection with complete search and computational capabilities, ushering in a new era of privacy assurance in healthcare.
"Time is of the essence when lives are at stake. Clinical trials, ePHI, advanced healthcare research, and all critical data must be shielded from a data breach. Bringing our proven Fully Functional Data-In-Use Encryption solution to the healthcare sector is transformative. Stolen or leaked data is rendered useless to cybercriminals, while maintaining optimal performance in data processing," said Ryan Lasmaili, CEO of Vaultree. "This is our commitment to meeting the urgent need for secure, privacy-centric healthcare and setting a safer future for patients and healthcare providers."
With Vaultree, healthcare organizations are now equipped to securely process, search, and compute encrypted data in real time, enabling precise data analysis and AI-driven modeling to enhance patient care and outcomes. Complying with vital privacy and security regulations, such as HIPAA and GDPR, becomes effortless.
"We're not just protecting data, we're empowering healthcare organizations to enhance their service," said Ryan Lasmaili. "From improved data analytics to enriched patient experiences and telemedicine capabilities, privacy does not have to compromise performance."
Vaultree's partnerships highlight its innovative and forward-thinking approach. Joining forces with Google's AlloyDB for PostgreSQL, Vaultree leads the cybersecurity industry into a new era of cloud-based, Fully Functional Data-In-Use Encryption.
In addition, Vaultree's alliance with Qrypt supports the only unbreakable key generation algorithm in the market, allowing Vaultree to offer unmatched data protection across sectors. Vaultree supports enterprises handling large amounts of sensitive data, including those in financial services, insurance, retail, telecom and energy sectors.
Vaultree's unwavering commitment to improving data privacy and security across all sectors is evident. With its healthcare-specific solution, Vaultree is making significant strides in protecting sensitive patient data, fostering enhanced healthcare experiences, and fundamentally reshaping data security standards within the sector.
By enabling better communication, understanding, and care through Vaultree, healthcare providers can offer improved services while maintaining respect for patients' privacy.
Could These Bills Endanger Encrypted Messaging? – IEEE Spectrum
Billions of people around the world use a messaging app equipped with end-to-end encryption, such as WhatsApp, Telegram, or Signal. In theory, end-to-end encryption means that only the sender and receiver hold the keys they need to decrypt their message. Not even an app's owners can peek in.
In the eyes of some encryption proponents, this privacy tool now faces its greatest challenge yet: legislation in the name of a safer Internet. The latest example is the United Kingdom's Online Safety Bill, which is expected to become law later this year. Proposed laws in other democratic countries echo the U.K.'s. These laws, according to their opponents, would necessarily undermine the privacy-preserving cornerstone of end-to-end encryption.
On its face, the bill isn't about encryption; it aims to make the Internet less unpleasant. The bill would give the U.K.'s broadcasting and telecoms regulator, Ofcom, additional policing powers over messaging apps, social-media platforms, search engines, and other services. Ofcom could order providers to take down harmful content, such as hateful trolling, revenge porn, and child pornography, and fine those service providers for failing to comply.
The specific segment of the Online Safety Bill that worries encryption advocates is Clause 110, which entitles Ofcom to issue takedown orders for messages whether communicated publicly or privately by means of the service. To do this, the bill obliges services to monitor messages with accredited technology that has received Ofcom's stamp of approval.
Observers believe that there is no way for service providers to comply with Clause 110 takedown orders without compromising encryption. Representatives from Meta (which owns WhatsApp), Signal (which pioneered the Signal encryption protocol that WhatsApp also uses), and five other firms signed an open letter in opposition to the bill:
What does proactive scanning look like in practice? One example could be Microsoft's PhotoDNA, which the company says was designed to crack down on images of child pornography. PhotoDNA assigns each image an irreversible hash; authorities can compare that hash to other hashes to find copies of an image without actually examining the image itself.
According to Joe Mullin, a policy analyst at the Electronic Frontier Foundation (EFF), a nonprofit that opposes the bill, services could comply with Clause 110 by mandating that PhotoDNA or similar software run on their users' devices. While this would leave encryption intact, it would also act as what Mullin calls a backdoor, allowing for an app's owners or law-enforcement agencies to monitor encrypted messages.
In an app that has end-to-end encryption, such a system might work something like this: Software like PhotoDNA, running on a user's device, might create a hash for each message or each media file a user can see. If the authorities flag a particular hash, an app's owner could scan the sea of hashes to pinpoint groups or conversations that also hold that hash's corresponding message. Then, whether voluntarily or under legal obligation, the owner might share that information with law enforcement.
While this method wouldn't break encryption, Mullin and other privacy advocates still find the idea of client-side monitoring to be unacceptably intrusive.
Another strong possibility is that to avoid the creation of such backdoors, services will be intimidated away from using encryption altogether, Mullin believes.
The U.K.'s Department for Science, Innovation and Technology did not respond to a request for comment. However, earlier this month, a spokesperson of a different U.K. government office denied that the bill would require services to weaken encryption.
The U.K. bill isn't the only one raising privacy advocates' concerns.
Since 2020, U.S. lawmakers from both major parties have pushed the so-called EARN IT Act. In the name of cracking down on child pornography, the bill would open the (currently closed) door for lawsuits against Internet services who fail to remove such material. The bill does not mention encryption, and its elected backers have denied that the act would harm encryption. The bill's opponents, however, fear that the threat of legal action might encourage services to create backdoors or discourage services from encrypting messages at all.
In the European Union, lawmakers have proposed the Regulation to Prevent and Combat Child Sexual Abuse. In its current form, the regulation would allow law enforcement to send detection orders to tech platforms, requiring them to scan messages, media, or other data. Critics believe that by mandating scanning, the regulation would undermine encryption.
EFF's Mullin, for his part, believes that other methods (allowing users to report malicious posts within an app, analyzing suspicious metadata, even traditional police work) can crack down on child sexual abuse material better than scanning messages or creating backdoors to encrypted data.
"The authorities are looking for needles in a haystack," Mullin says. "Why would they want to vastly increase the haystack by scanning one billion messages a month of everyday people?"
Elsewhere, Russia and China have laws that allow authorities to mandate that encryption software providers decrypt data, including messages, without a warrant. A 2018 Australian law gave law-enforcement agencies the power to execute warrants ordering Internet services to decrypt and share information with them. Amazon, Facebook, Google, and Twitter all opposed the law, but they could not prevent its passing.
Back in Westminster, the Online Safety Bill is just a few hurdles away from assent. But even the bill's passing probably won't mean the end of the saga. In March, WhatsApp's boss Will Cathcart said the app would not comply with the bill's requirements.
New CISA Zero Trust Maturity Model Brings Attention to Encryption … – InvestorsObserver
New CISA Zero Trust Maturity Model Brings Attention to Encryption-in-Use Solutions
HACKENSACK, N.J., May 24, 2023 (GLOBE NEWSWIRE) -- Paperclip, Inc. (OTCMKTS:PCPJ) announces that its Paperclip SAFE solution can help organizations align with the Cybersecurity and Infrastructure Security Agency (CISA) updated Zero Trust Maturity Model released last month. This latest version highlights the importance of the core function of Paperclip SAFE, to encrypt data in use.
"Paperclip would like to thank CISA for recognizing the need to encrypt data in use as a critical component of data security," said Mike Bridges, President and COO of Paperclip. "It is the first compliance body to recommend this encryption technique to address the vulnerability related to searchable data. Encryption at rest and in motion has been part of basic compliance for years but they do nothing to protect data when you need to search it."
"It's time to do more if we want to impact the growing data breach epidemic," Bridges added. "I have no doubt that other compliance bodies will follow CISA's lead and recognize that encryption-in-use or searchable data encryption is critical to zero trust, privacy, and ultimately, keeping sensitive data secure."
Paperclip SAFE leverages the foundation of searchable symmetric encryption, patented shredding technology, full AES256 encryption, access controls, data masking and Privacy Enhancing Computation (PEC) to go beyond what companies currently know about data encryption. SAFE is fast, searchable, complex encryption designed for the way data is queried. SAFE ensures that data is always encrypted and out of the threat actor's grasp.
Zero trust is an approach where access to data, networks and infrastructure is kept to what is minimally required and the legitimacy of that access must be continuously verified. The Zero Trust Maturity Model version 2 includes four stages of maturity: Traditional, Initial, Advanced, and Optimal. It also lists five key pillars of security: Identity, Devices, Networks, Applications/Workloads, and Data. Encrypting data in use is now listed as an Optimal function under Data Security.
According to CISA, the Zero Trust Maturity Model furthers the federal government's continued progress toward a zero trust approach to cybersecurity. While the Model is specifically intended for federal agencies, CISA recommends that all organizations review this guidance and take steps to advance their progress toward a zero trust model.
"There is a growing and shifting cybersecurity market that is being driven by the hacker community," Bridges said. "The traditional approach to data security won't work against hackers who are regularly changing their techniques. As a result, organizations and government agencies must think differently and utilize different ways to protect their sensitive data, including new encryption-in-use solutions like Paperclip SAFE."
About CISA
As the nation's cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
About Paperclip, Inc.
Paperclip is a proven technology partner that continues to revolutionize content and document management, and data security for Fortune 1,000 companies worldwide. Every second of every day, our innovative solutions are securely processing, transcribing, storing, and communicating sensitive content across the internet. Maximizing efficiency to save millions annually, while maintaining absolute security and compliance. For more information, visit paperclip.com.