from the security-through-encryption-and-security-despite-encryption dept
A few months ago, Techdirt wrote about a terrible bill in the US that would effectively destroy privacy and security on the Internet by undermining encryption. Sadly, that's nothing new: the authorities have been whining about things "going dark" for years now. Moreover, this latest proposal is not just some US development. In an official document obtained by Statewatch (pdf), the current German Presidency of the Council of the European Union (one of the key organizations in the EU) has announced that it wants to move in the same direction (found via Netzpolitik). It aims to prepare:
an EU statement consolidating a common line on encryption at EU level in the area of internal security to support further developments and the dialogue with service providers. It should seek to find a proper balance between the protection of privacy, intellectual property protection and lawful law enforcement and judicial access, thereby stressing security through encryption as well as security despite encryption
In other words, the EU is still chasing the unicorn of "lawful access" to encrypted material without somehow breaking encryption. An accompanying unofficial "note" from the European Commission services lists some of what it calls "key considerations", but these are still chasing that unicorn without explaining how that can be done (pdf):
Technical solutions constituting a weakening or directly or indirectly banning of encryption will not be supported.
Technical solutions to access encrypted information should be used only where necessary, i.e. where they are effective and where other, less intrusive measures are not available. They must be proportionate, used in a targeted and in the least intrusive way.
Slightly more detail about the options is found in another unofficial note exploring "Technical solutions to detect child sexual abuse in end-to-end encrypted communications" (pdf). Most of the solutions involve installing detection tools on the user's device. That can be circumvented by using devices without the detection software, or using a service that does not install them. Perhaps the most interesting technical approach involves on-device homomorphic encryption with server-side hashing and matching:
In this solution, images are encrypted using a carefully chosen partially homomorphic encryption scheme (this enables an encrypted version of the hash to be computed from the encrypted image). The encrypted images are sent to the [online service provider] server for hashing and matching against an encrypted version of the hash list (the server does not have the homomorphic encryption keys).
But this only works for services that implement such a scheme, and it only applies to existing images, not general messages or even videos. Moreover, the technology to implement such an approach is still under development.
Essentially, the EU, like the US, is telling people to "nerd harder", and come up with a solution that allows lawful access, but does not break encryption. Since hard nerding for many decades has failed to produce a way of doing that, maybe it's time for the authorities to accept that it just can't be done. The good news is that doesn't matter. Techdirt has been explaining why for years: there are encryption workarounds that mean law enforcement and others can get what they need in other ways. Indeed, one of the EU papers mentioned above provides perhaps the best example of this approach (pdf):
The recent dismantling of the EncroChat network in a joint investigation coordinated by Eurojust and Europol shows the degree to which those involved in criminal activity utilise all available technology, such as crypto telephones, which go well beyond publicly available end-to-end encrypted services.
Although it cites the case of EncroChat -- a Europe-based encrypted mobile network widely used by organized crime there -- in an attempt to prove how serious the problem is, it actually does the opposite. As the detailed explanation of how EU police managed to hack into the network and place malware on handsets explains, breaking the encryption proved irrelevant, because the authorities found a workaround.
The EncroChat bust demonstrates something else that is generally overlooked. It is already clear that far from going dark, the authorities today have access to unprecedented quantities of useful information that can be used to track down suspects and prevent crimes. That's from things like social media and e-commerce sites. But as the EncroChat materials show, when criminals use closed, encrypted channels to communicate, they paradoxically open up, speaking freely about their past, present and future crimes, naming names, and giving detailed information about their activities. That means it's actually in the interest of the authorities to allow criminals and terrorists to use encrypted services. When workarounds are found, these hitherto secret channels provide greater quantities of high-quality intelligence than would ever be obtained if people knew their communications had backdoors and were therefore not safe.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.
Thank you for reading this Techdirt post. With so many things competing for everyones attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise and every little bit helps. Thank you.
The Techdirt Team
Filed Under: encryption, eu, going dark, law enforcement, lawful access
See the rest here:
EU Still Asking For The Impossible (And The Unnecessary): 'Lawful Access' To Encrypted Material That Doesn't Break Encryption - Techdirt