EU governments plan to ban secure encryption

[dasbene]

Summary

 

Like many before them the Goverments of the EU states want to enforce access to encrypted communication.

 

Extract from the draft

 

The bold parts of the document are the latest changes after an terrorist attack in vienna. For prevention of this a backdoor in encrypted coomunication was not needed.

Quote

Rather, it was due to the failure of Austrian services that the perpetrator, who had a criminal record, was neither monitored nor imprisoned. Not only did the man have contact with persons who were under surveillance by Austrian agents on behalf of the German Intelligence Agency, but the terrorist had also attempted to buy ammunition in Slovakia in July.

 

My thoughts

I am annoyed by another try of a regulatory body to ban effective encryption. These backdoors can be miss used or leak to goverments or organizations that are not trustworthy. Its difficult enough to keep the ship of encryption afloat without someone wanting to drill holes into it.

 

Sources

 EU-Regierungen planen Verbot sicherer Verschlüsselung

 Google Translate -> EU governments plan to ban secure encryption

 https://fm4.orf.at/stories/3008930/

[Wheresmehammer]

Bloody luddites.

[WereCat]

Again? They just won't stop until it eventually passes won't they?...

 

[RainfallWithin]

It's rather unlikely that encryption will be required to have backdoors because The General Data Protection Regulation (a regulation in EU law on data protection and privacy in the European Union and the European Economic Area) requires that organisations encrypt communications and peoples' data using the latest standards of encryption with no flaws. A new rule allowing backdoors would break that law.

[dasbene]

11 minutes ago, RainfallWithin said:

...the latest standards of encryption with no flaws.

The problem is that the law would just say backdoors a feature and not a flaw.

[rockking1379]

18 minutes ago, WereCat said:

Again? They just won't stop until it eventually passes won't they?...

 

Look...the only way we get this to stop is for it to actually go through. And then have their personal devices compromised directly as a result of it and all their dirty dealings and secrets openly published. Then point to their legislation and show them how they fundamentally Allowed it to

happen to themselves. At that point they either repeal the law. Or they never have privacy again and are forever under public scrutiny 

[akio123008]

Ugh..

 

They always keep bringing up terrorism as an excuse, however almost every single terrorist attack ends up being executed by an individual who was already well known by the authorities which then just failed to act. Information doesn't appear to be the bottleneck.

[jagdtigger]

They can try but it would get attacked immediately  by a whole avalanche of companies who rely on heavy secure encryption to connect up their offices around the world to a central location/office......

[paddy-stone]

Ugh, I can't even be bothered to get irate at this anymore. I will not willingly make myself less secure.

[BuckGup]

This is why we need age limits. Old people simply do not understand technology 

[RainfallWithin]

34 minutes ago, rockking1379 said:

Look...the only way we get this to stop is for it to actually go through. And then have their personal devices compromised directly as a result of it and all their dirty dealings and secrets openly published. Then point to their legislation and show them how they fundamentally Allowed it to

happen to themselves. At that point they either repeal the law. Or they never have privacy again and are forever under public scrutiny 

There have already been a number of huge fines handed to organisations by regulatory authorities over data breaches due to insufficient security and encryption since GDPR's implementation date on 2018-05-25. It would be ironic to see more organisations experiencing data breaches if a new law forced backdoors, which would lead to more huge fines.

[rockking1379]

4 minutes ago, RainfallWithin said:

There have already been a number of huge fines handed to organisations by regulatory authorities over data breaches due to insufficient security and encryption since GDPR's implementation date on 2018-05-25. It would be ironic to see more organisations experiencing data breaches if a new law forced backdoors, which would lead to more huge fines.

I want personal devices not so much organizations. Like the raunchy sexting photos sent between them and their spouses or mistresses. Messages about back door dealings. Expose everything! 

[Sauron]

Quote

EU governments plan to ban secure encryption

That's not what the draft says though... at all.

Quote

Moving forward, the European Union strives to establish an active discussion with the technology industry, while associating research and academia,to ensure the continued implementation and use of strong encryption technology. Competent authorities must be able to access data in a lawful and targeted manner, in full respect of fundamental rights and the data protection regime, while upholding cybersecurity. Technical solutions for gaining access to encrypted data must comply with the principles of legality, transparency, necessity and proportionality.

This is a bit too vague for my taste and it could definitely lead to governments demanding a backdoor into certain services in some cases but nowhere does it say that strong encryption would be banned. Having to prove "necessity and proportionality" is also going to make it really hard to call upon this without a really good reason.

 

I don't like this because it's really not necessary or particularly useful but it's not a blanked ban.

6 minutes ago, huilun02 said:

So are they after the right to demand communications information from the service provider, or are they specifically going for backdoors?

 

Important to make the distinction.

In some cases "accessing encrypted data" necessarily means adding a backdoor.

[dasbene]

7 minutes ago, Sauron said:

That's not what the draft says though... at all.

Technically it does not. Thats the title my source is using but i think the draft does imply banning end-to-end encryption. For private communication this means effectivly secure encryption.

 

I am quite happy that Threema is improving their services and that their are based in switzerland, so we still have a service to go to.

[Doobeedoo]

Think of the terrorism! 

[jagdtigger]

47 minutes ago, Sauron said:

That's not what the draft says though... at all.

Actually yes. If anyone else besides the ones who have the key has an option to decrypt the data then that encryption is no longer secure, period.

[Sauron]

16 minutes ago, jagdtigger said:

Actually yes. If anyone else besides the ones who have the key has an option to decrypt the data then that encryption is no longer secure, period.

It doesn't say that kind of encryption will be banned though... it just says governments will talk to companies to see what can be done to find a compromise. Also if your data can be end-to-end encrypted between you and the server, meaning the company that controls the server has access to your data without compromising the security of the transmission. This is the case for services like facebook for instance.

[Curufinwe_wins]

Yeah I don't really understand this situation. The EU had been really hardon user privacy and encryption standards and even perm delete. This seems rather out of norm for them. I know a lot of drafts don't actually make it to final, but this really seems more like the kind of thing Trump would be pushing (and admittedly, Poland and others are in the EU, so who knows).

 

EDIT: I forgot about 5 eyes. Sigh. Either way. I sincerely hope this never reaches finalization with that text, even if it doesn't explicitly require backdoors.

[Nayr438]

So they are going to try make Secure Encryptions insecure for the general public, which will probably have a minimal impact on most illegal activity.

I guess they are going to ignore open-source options that can be altered, compiled, and redistributed by any individual. While maybe not well known, I am sure you will see a rise if something like this passes, making there solution short term while putting the general public at a higher risk for the long term.

[RejZoR]

How many times do I have to repeat how idiotic this idea is? Whole online communication is baed on encryption trust. Without that trust with backdoors or without encryption entirely simply doesn't exist.

[dasbene]

25 minutes ago, Sauron said:

if your data can be end-to-end encrypted between you and the server

thats only the case if a server is one of the ends and a completly different case.

 

26 minutes ago, Sauron said:

it just says governments will talk to companies to see what can be done to find a compromise

A compromise that has the hard requirement for the goverment to have access, thats not a compromise. End-to-end encryption YES or NO, thats a binary decision, so no space for any compromise. What they actually mean is something like: "only WE are accessing your communication and ony for REALLY REALLY BAD things". Its not a f****** compromise.

[jagdtigger]

36 minutes ago, Sauron said:

meaning the company that controls the server has access to your data without compromising the security of the transmission.

If they were after that they would not need any new legislation just a mundane warrant.....

[Intergalacticbits]

I can't speak to the EU because I'm an American but I really feel that in the US.

That it is just a matter of setting up a good system of checks and balances to ensure things are done correctly.

I think it is foolish not to collect intelligence on America's enemies especially within its own borders.

To me that would include terrorists, organized criminals, loosely organized criminals, occult groups who engage in dangerous behavior and any other group or individual who poses a serious threat of violence to the general public. Along with people, criminals who prey on people as a way of life.

 

Personally I want people who fight crime to have the tools they need to protect people.

 

I think to be all one way or the other on this issue is not realistic in my country.

I'm sure that some kind of system that is fair could be done here.

If it were put together by intelligent, moral yet worldly people who understand the need for this kind of thing and also the need to prevent its misuse.

 

 

Honestly I thought it was already being done in the US?

It seems like a no brainer to me.

 

 

[CTR640]

"Terrorism" is an old and lame excuse. They just wanna invade in everyone's privacy as usual.

[Sauron]

8 minutes ago, jagdtigger said:

If they were after that they would not need any new legislation just a mundane warrant.....

If it's already logged, sure. This could let them demand that a company log the data when they otherwise wouldn't.