People don't seem to realize that you need both attack and defense.
Let's take the 4 horsemen: terrorists, pedophiles, drug dealers, and money launderers.
* If you weaken encryption, you can catch more terrorists. At the same time, the terrorists can track down their targets more quickly, and they might even find your personal identity and counter-attack directly.
* If you weaken encryption, you can catch more pedophiles. But how will you be able to protect their victims? With weaker encryption/security, pedophiles will be able to track down information on potential/previous/future victims much more easily. And witness protection becomes worthless.
* With weakened encryption, one can crack a drug trafficking ring wide open. On the other hand, you will not be able to protect your witnesses. Worse, a smart organized crime cartel might be able to crack the encryption used by the police; using the thus-obtained counter-intelligence to evade capture. Witness protection programs become that much harder too, if not impossible.
* Money launderers will also be less safe if encryption is weakened. At the same time, everyone else's bank accounts will be less safe too, allowing for new kinds of fraud to proliferate.
> People don't seem to realize that you need both attack and defense.
This war on encryption is not being waged by "people". This is not something that can be rationalised to be avoided, otherwise it wouldn't even be an option.
I just hope that there will always be someone who has the competence and willingness to develop something that will keep freedom an option for everyone, even if it's "illegal".
The headline doesn’t seem to be backed by the content of the note they’re quoting.
I do wish papers would reserve “war” for actual wars; while I would be appalled if this goes all the way through, a note saying “we want to have a chat and this is why” is slightly further from even a metaphorical war on encryption than Farage is from an actual war on Brussels.
Every generation of warfare [1] looks completely indistinguishable from the previous one.
5th generation warfare [2] is "war" in every sense of the 1st principles of war. However, it manifests in a way that is unrecognizable in traditional surface-level manifestations of war. If anything, "not looking like a war" is a primary goal of 5th generation warfare.
> But the next generation of war – the so-called "fifth-generation" – won't feature armies or clear ideas. It will be what U.S. Army Major Shannon Beebe, the top intel officer for Africa, calls a "vortex of violence," a free-for-all of surprise destruction motivated more by frustration than by any coherent plans for the future. [3]
> the fifth-gen fighters' weapon of choice is political "stalemate," contends Marine Lt. Col. Stanton Coerr, in a new piece in Marine Corps Gazette.
> 5GW fighters will win by ... point[ing] out the impotence of secular military might. ... These fighters win by not losing, while we lose by not winning."
5GW sounds very much like the wars fought by various insurgent/paramilitary groups.
My experience is from Northern Ireland. The IRA and other republican paramilitary groups would never defeat the British military but would rather make the British government's position untenable through various acts of violence against a variety of target classes.
The republican motivation was as much frustration with the rights of the Catholic population in Northern Ireland as anything else.
> I do wish papers would reserve “war” for actual wars
There are fewer of those than you likely realise. Countries that we'd think of having a dozen wars in the last century may only have declared one or even none. The Geneva Conventions for example smartly do not hinge on declarations of war, they rely upon the idea of "armed conflict" which is an observable fact.
I get where you're coming from and I sort of agree, but the last time the US or the UK actually declared war was in 1942 (with Hungary and Thailand respectively!?). So if we used it properly, it would basically be a defunct word...
> This looks to me like the EU doing its typical thing of issuing memos to generate more memos, that will then generate more memos ...
Last time we had this shit, we ended up with Article 13. EU parliament has historically been rather unimportant so many parties, especially the conservatives, took pride in using the parliament (and the commission, see Oettinger) as dumping ground for toxic waste politicians or for party soldiers who needed a stable income.
It's never been about protecting people, it's about power. What is the source of most power? Knowledge. Knowledge about anything and everything. It's unimaginable what you could do with access to every conversation ever had, retroactively at your fingertips.
Power is neutral, its users are not. We have already seen the dangerous precedent China has set with its all-encompassing surveillance and human-rights violations.
This is a nice reminder that the EU isn’t some benevolent defender of human rights; it’s a surveillance state bureaucracy like all the others. They’ve done a spectacular job at branding, I’ll give them that.
Because the right to free speech is working out so well for American politics these days. Not to mention that we're jailing people for protesting the government while letting nazism be on the rise.
And while I'm not exactly sure which "right defend yourself + your property" you're referring to, I'd wager you're talking about the right to extrajudicially murder people who you feel threatened by, or the right to own tools intended to assist in that murder, neither of which are "human rights" if you're honest about what you're discussing. Even in the US, the right to bear arms is a constitutional one, not a human one.
> Because the right to free speech is working out so well for American politics these days.
I am unconvinced that the state of US politics is a consequence of a more permissive environment for speech.
> I'd wager you're talking about the right to extrajudicially murder people who you feel threatened by
That's one hell of a biased way to describe the right to defend oneself. The right to self defense, and to use basic tools in aid of that defense, is indeed an inherent human right and not one that springs from the text of some document.
Free speech is very strong in Europe and deep rooted in the culture. You can say whatever you want, much more than in the US (we do not lose our mind when someone says tits or black - this is also free speech, not only amendments in the context of gov related speech). Charlie Hebdo paid a heavy price for this freedom (and while I do not like their style at all, I am deeply thankful to them).
As for the property this is a disaster. A squatter breaks in your house, stays 48 hours and it is basically theirs. This is the case where I am really pro gun because this is delayed robbery. I think that some blood will be poured and only then our useless politicians may get off their ivory tower to do something then (in France we are close)
I think free speech is much stronger in the EU. No central military means no central system of classifying things and no Espionage act. Similarly, gun rights are states rights in the EU. I shot an AK47 in Poland, seems pretty liberal to me...
You can find examples where certain US states or EU states have more freedom in a certain area, but the USA has a much more absolutist view towards human rights than the EU does in general.
In the EU, rights are subservient to "the greater good" (as defined by those in power). Some examples:
Germany will arrest you for using "symbols of unconstitutional organization". This includes the Communist Hammer + Sickle[1]
France has forced many mosques closed because the government found them to be too extreme[2]
All employers in the EU have the right to ban the Hijab and any religious dress[3].
And of course, you can be arrested all over the EU for speech that is deemed hateful.
In the EU, you only have your rights within reason. Once the exercising of your rights makes other people upset, they are curtailed.
Again, the US and EU have different definitions of "human right". So depending on what you think your rights are, you may feel you have more rights in the EU than in the US. But for those things that the US decides to protect as rights, they are on average protected much more strongly than in the EU.
The same exact limits apply in the USA. Freedom of speech is no more absolute there than in the EU exactly because no one wants people "shouting fire in a crowded theatre".
Similarly, in the USA you can be fired for wearing a hijab just as rapidly.
The USA has some (not all) rights well protected against government action, but your employer has vastly more right to restrict your activities. Recent rulings even allow employers to compel religion or ban lgbt etc so long as the employer is "tightly held". This is the weakness of the US system: it protects a small number of limited rights very strongly, but only a small number and only against government interference. The EU has a much broader approach to rights in both these dimensions.
> Freedom of speech is no more absolute there than in the EU exactly because no one wants people "shouting fire in a crowded theatre".
In the US, only direct incitements to violence and mayhem are not protected (like your example). In the EU they take this much further to outright ban all speech deemed hateful. That's not the same restriction.
> Similarly, in the USA you can be fired for wearing a hijab just as rapidly.
Absolutely false. That kind of discrimination is against the law here[1]. I'm sure it still happens, but the wronged party has the ability to fight discrimination in court. In Europe, the opposite is true. The employer has a legal right to ban Hijabs and religious dress.
> Recent rulings even allow employers to compel religion or ban lgbt etc
Can you explain this more? Any info I find says the opposite[2].
> This is the weakness of the US system: it protects a small number of limited rights very strongly, but only a small number and only against government interference. The EU has a much broader approach to rights in both these dimensions.
This comes back to a fundamental disagreement about what rights are. For the Bill-of-Rights type rights, Americans do have much more robust protections than Europeans, and not just from governmental interference. There are better religious / racial employee protections, you have a greater ability to defend yourself against people violating your property rights, etc.
For fluffier rights, like "the right to respect" or "the right to free $governmentService", you are better off in Europe. But they do not protect these rights to the same degree as American Bill-of-Right rights. For example, every German citizen has the right to healthcare, but they have a compulsory insurance scheme to pay for it. They call that a 'right', but it's something different than in the American definition.
Compared to the US? I don't see it except for a few EU countries, mostly the ex-USSR ones.
> and to defend yourself + your property
Are you talking about the "right" to kill someone that tries to steal your laptop at night? Yeah, that's not usually allowed in the EU, only if your life is at risk.
Let's just assume that they go ahead, everyone complies... How long until you'd need to revert the law, because all legal traffic is now exploitable, while the criminals are still using good crypto?
How much damage does this need to cause before politicians will sit down and understand why their half-assed idea failed?
Guns are controversial because they kill things and are thus a weapon. Encryption cannot kill anyone, if anything it is a shield. It’s also an infinitely replicable shield, and one that is omnipresent.
I don’t think anyone believes they can ban it, but like tax evasion it’s probably going to be a nice excuse they can use to catch the people they don’t like that do use it. For the rest of us, don’t worry—they’ll make sure you’re always safe and no criminals would exploit your unencrypted communications, and surely no one with access to the means of encryption would exploit it!
This is it. They don't intend to stop use of encryption, but it does give them probable cause to investigate or arrest you if you are caught using encryption. It's a tool of law enforcement to get around "blocks" like needing a warrant, etc.
I don’t need guns in the modern world, but they are not illegal, just restricted. In most countries you can legally own guns, shotguns and rifles.
It’s not that you can only own a shotgun that has been modified so it can kill only ducks and not police officers. Everyone understands that you can’t modify a weapon like that.
Crypto is a little different because the need is bigger. This means looser restrictions, to the point where having laws against using it makes no sense.
Encryption is a very easy copy paste of programs and is free, guns are a complex physical device that cost money and must be manufactured elsewhere and distributed to sellers. There's a significant level in effective ability to use them.
But yes, it is similar. Distribution is so widespread that illegalization doesn't affect those who don't follow the law.
Encryption is actually incredibly hard. This is why it took whatsapp and other apps centrally doing it, and coordinating it between devices, to make end-to-end encryption commonly used.
The difficulty is using the established methods to build out a whole system that is workable in realistic conditions.
A system that handles sending messages when one party is off-line. A system that doesn't require up-front key agreement between all parties. A system that handles moving devices somewhat gracefully. A system that gives decent guarantees on the identity of your counter party, without being very onerous.
Making a system that meets the above requirements and others I missed, and that remains as usable as if the encryption weren't there is hard.
Maybe they don’t realize that e-commerce wouldn’t exist without trustworthy encryption. They’re talking about sabotaging trillions of dollars of economic transactions in lieu of just doing real police work to find the criminals.
It is not only e-commerce. A digital information network like the Internet is without doubt of great usefulness, be it commerce, business, science, or keeping personal relations.
However, a communications network where trustworthiness, integrity, and privacy of communication are not kept is not worth much.
This is why: Human communication uses universally some kind of medium to transmit some kind of symbols. This is pretty much universal whether we use gestures, sound waves, smoke signals, handwritten letters, telegraph lines and Morse code or digital networks. To be able to communicate, we need to have trust that the symbols match the reality which they are supposed to describe - be it a bank transaction, a business plan, or a marriage proposal. If symbols and reality do not match, they do not have any value. This is so important that we judge individuals in how well what they say matches what they do, the property which we call honesty and trustworthiness. It is much of the yarn which binds the social fabric. It is quite the same as with money - anyone can print numbers on pieces of paper but to have people agree these pieces represent some value, it needs trust. Without this trust, business is hardly possible.
In many realms, privacy is also required, or more technically, confidentiality of individual communication. Especially in business, but also in domains where individuals need to be protected from organizations which have more power than them, and not always benevolent intentions (think of gay people in Russia or Iran). Furthermore, integrity and confidentiality of information are intertwined, as digital signatures do not work without private keys, and security certificates need to be kept safe. This becomes even more important as much software is distributed via the cloud. Without confidential keys, there is no integrity of software.
Disabling or crippling encryption is like demanding that no private dwellings can have locks on the doors, so that police can enter at any time and check whether somebody has stolen something. Clearly, theft is not desirable, but preventing theft is not worth it to generally abolish the security of people's private living space.
TLS is e2e encryption between the browser and the site. It's absolutely required because the modern e-commerce story relies on sending credit card details over the wire.
Not true. E-commerce did just fine even without TLS in the past.
Also most of the e-commerce features don't really need encryption, but authenticity. That can be achieved with just asymmetric crypto and signing, but payloads can be in the open.
There was no e-commerce before SSL. That was a huge thing and one of the main driving factors for all e-commerce sites to get certificates, display all those “trust” badges, etc.
Most people buying things online would prefer to keep their credit card information private.
Almost no e-commerce solutions handled credit cards. That was done by bank payment gateways.
Anyway, most people didn't use credit cards either (and still don't), preferring wire transfers, because they felt they had more control over those (instead of giving someone info they could use to take money from the card at any time, they'd initiate and control the transfer themselves - push vs pull approach).
Times changed since then, but there was little financial risk to buyers from e-commerce not being encrypted at the time.
You seem to be assuming some US situation, where using credit cards online and handing card details to actual e-commerce websites was/is maybe more common.
But this article you're commenting under is about EU and I'm providing an experience from one of the EU member countries. So US situation is not relevant.
Not sure the EFF is particularly active in the EU? I'd have suggested the Open Rights Group, except being UK based it's now harder for them to lobby the EU. Maybe La Quadrature du Net: https://www.laquadrature.net/en/
Let’s say they ban end to end encryption tomorrow in their save the children and puppies act. Guess who is still going to use it? The criminals are of course. You can’t ban math.
It's not like e2e is a heavily utilized must-have for crime either. Tons of crime happen through regular unencrypted text messages, and nobody gets caught. But this isn't about protecting in the first place, so it isn't all that relevant.
e2e is a heavily utilized must-have for any organized crime these days, and this is very frequently a wall that law enforcement hit and cannot get past.
I don't think banning encryption or something silly like that is therefore the solution, but minimizing the problem is not helpful in understanding why there's such a heavy push from all sorts of governments, democratic and authoritarian alike, to "deal" with the problem. It's not always because they are Teh Evil Surveillance Statez who want to Take Your Freedom for the sake of Total Control. It's because they are faced with a serious actual real problem of criminals using a technology they barely understand and cannot get past, and so they instinctively reach for the trusty hammer they are so accustomed to using against all serious problems - the Legislative Ban.
They don't understand that using this hammer will have significant unintended consequences, but this isn't malevolence. It's fear and lack of competence.
>but this isn't malevolence. It's fear and lack of competence.
I'm not sure which is worse. We absolutely need people with the expertise in the area to make these kinds of decision. It's like giving a gardener the position to launch nukes. I'm sure they're very capable at trimming bushes, but that isn't exactly useful here.
e2e is really not a must-have in crime. It's a nice-to-have, but people can and often do very well without it. If we aren't capable of catching the lowest hanging fruit, how is this even of any use? At the same time we're not giving out the right signal about the state of surveillance already in place by not utilizing it to its maximum potential.
Power corrupts, and the effects can be seen all over. Imagine what absolute power does.
Any self-respecting drug cartel and terrorist organization has been using modern encryption at all levels, from street to the top, for more than a decade now. What criminals would not be using an e2e chat app nowadays? Truly the lowest hanging fruit, and no fruit above that. The barrier of entry to using a level of encryption that's beyond the capabilities of most law enforcement agencies to snoop on was equivalent to finding a decent software/IT guy in 2010. It's non-existent in 2020. Just open the app store.
This pretty much solves a very serious problem for all illicit activity - secure communications. It's strange to argue that this ought to have no impact on the ability of law enforcement to combat organized crime or terrorism because they should just compensate elsewhere. That's waving a problem away instead of facing up to it. Of course it's having a big impact, and telling them 'just be better elsewhere' is not gonna work, they'll still push for stupid legislation.
>Any self-respecting drug cartel and terrorist organization has been using modern encryption at all levels
There are plenty of organizations who by this logic don't. However they don't disappear, even though we already have the tools available. If they're not capable of using the tools they have, why are they reaching for something substantially harder to do? There must be something else to it if they're not bothering to do what they can.
> It's strange to argue that this ought to have no impact on the ability of law enforcement to combat organized crime
Of course power grants you that, it grants you absolutely anything you want, just like setting a fire gets rid of the rodents in your house, along with the house. That is exactly why absolute power is not to be assigned to any single organization, it can't be contained.
There is also the expectation like anyone using encryption for malicious purposes wouldn't do it regardless of any law, just like criminals carry illegal weapons. Only the law-abiding citizens could therefore be targeted.
You don't need to ban math to ban e2e encryption in the same way you don't need to ban physics in order to ban murder. You pass a law making it a crime to develop or use e2e encryption algorithms, and punish those who don't follow the law extremely harshly. The rest will comply because they'll be scared to be punished.
A criminal org doesn’t need end-to-end encryption to be untouchable by the authorities, all it needs is an HTTPS web server with a login page. Those are cheap enough that any organisation with at least one full-time-equivalent person on their payroll can afford to change server every week.
The advantage of e2e is so a central chat server can’t be ordered to leak secrets; I can’t see how an org which doesn’t care about the law in general is going to care about that law in particular.
I think that it is pretty much the kind of wishful thinking they have. But then steganography.
In this cat-and-mouse game, you do end up banning math [1].
If you want to enable communication where both parties don't need to be online at the same time, and with easy setup of a trusted system, you will need something very much like the signal protocol.
That requires setting up a pretty complicated central service. Moreover, you are going to need to do quite some updating on the end-points of the e2e encrypted communications? Setting up this kind of operation, when illegal to do so, is hard. Moreover, it requires certain expertise that is not common among criminals.
How many criminals are going to be able to run this correctly? How many of these systems will get infiltrated by police, with a 'security update' being pushed that surreptitiously breaks the encryption?
Banning e2e encryption would do pretty good at moving almost everyone off of e2e encryption I think.
>If you want to enable communication where both parties don't need to be online at the same time, and with easy setup of a trusted system, you will need something very much like the signal protocol.
PGP and S/MIME would like a word. Note that PGP is used routinely on the darknets for pasting orders into a web form. There are several detailed howtos available.
PGP and S/MIME are widely considered as insufficient.
Certainly, they existed for a long time, and yet it did not seem to impede police investigations. Whilst I don't think the current complaints aren't exaggerated I do believe police when they say "Because of whatsapp, we are hitting cases where we would normally send a warrant, but now we can't". This wasn't the case before with PGP, and with decent reasons. (PGP is not very user friendly)
I can't wait for the "If you have nothing to hide, then you have nothing to fear" refrains to be trotted out yet again.
Inverted totalitarian klepto-plutocracy wins against any individual who doesn't take extra-ordinary measures when it builds a panopticon. "Let's see your 30 year search history and find a crime in there to persecute, I mean, prosecute you with. Or even a professional technical illegality would suffice. Searching all records." It won't be used so much to target the "baddies," but for unaccountable, omnipotent, NSA-style mass-surveillance.
A while ago I learned the term "sousveillance", or "citizen undersight", as a strategy for the public to "watch the watchers". The public must surveil and report on those who wield power over them.
> The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
> This makes the work of law enforcement and the judiciary more challenging, as they seek to obtain lawful access to evidence.
And the ever growing surveillance permeating our society makes it less challenging, but they're not asking for reduced authority to compensate for that, are they?
Why are you assuming that policing is a video game where difficulty needs to be balanced?
“Hey sex-traffickers that know what they’re doing are telling all their people to switch to Signal. Since basically our only tools to connect people are phone location history, call logs, text messages, and maybe surveillance footage if we’re lucky, we’re hitting a massive brick wall in every investigation. Help?”
Like go listen to or watch some true crime podcasts and documentaries and see just how little police have at their disposal.
> Why are you assuming that policing is a video game where difficulty needs to be balanced?
But that's their argument. "Give up your rights because policing is getting harder", while staying quiet when policing gets easier. If policing, on the whole, isn't actually getting harder, their argument is invalid.
Look at your own example. Despite encryption, the police would still get a graph of connections (even without knowing the message contents), and since surveillance is so massively easier now, they could:
1) Monitor everyone involved, leading them to incriminating locations (surveillance cameras, drones, tracking devices, hidden microphones, facial recognition applied to pictures people post publicly...)
2) Plant targeted (as opposed to population-wide) backdoors on their devices, circumventing encryption
3) Watch them enter passwords on their devices with telescopic lenses
What you call a brick wall is barely a wet paper bag. We should not have to give up our rights and allow mass surveillance of all communication just because police are unwilling to use the targeted tools.
Aren't we talking about the ability to break into specific devices like the phone or laptop of a deceased victim or a non-cooperative suspect? I'm not talking about dragnet surveillance at all here.
If you can come up with a system where it's possible to break into any device without having the ability to break into every device I'm all ears.
It sounds like we agree on the problem. If you require backdoors on devices/software, that can circumvent encryption in bulk, without the relatively expensive and time-consuming steps of physically planting bugs or similar on specific targets, it will inevitably be used for dragnet surveillance. At least that's what happened almost every time so far.
This is not a vice reserved for the powerful. Politicians and whatnot certainly do nakedly make a principled argument one and the opposite the next. So does almost everyone. We do it especially when something is at stake, but we'll also do it to win an argument.
It's an irony of human nature. OOH, we're seekers of patterns, principles and consistency. OTOH, we're also highly adept at using these tendencies selectively and disingenuously.
AFAIK, more or less the same as with phones or paper mail: No third party is allowed to listen in, except police and other duly authorized parties, after they have a warrant.
The difference is listening to a phone is easy for the police, while breaking encryption is impossible.
I'd assume the result is intended to be identical to phone safety: abuse will be technically possible but legally criminalized and in practice rare.
Now how this works out in the face of the international internet is a whole other can of worms, of course.
EU is composed of multiple people with multiple, differing goals. It's also to note that things like GDPR only affect peons like corporations or people, not the governments.
The EU doesn't have a particularly strong stance on privacy from law enforcement. Law enforcement organizations are specifically exempt from e.g. GDPR.
Do you have any good learning resources on encryption? Any GitHub repositories worth mirroring, with the actual implementations? I am a programmer with zero experience in that area but want to some day be able to "roll out my own crypto" if necessary :)
EDIT: I'm not afraid of all the math I need to learn, just point me in the right direction.
Cryptography is more math than programming unfortunately. It might take a lot of time to become apt at it, but it is a very commendable goal.
The problem isn't necessarily in using a weaker encryption, it's that you can detect that you can't break some crypto, and arrest whoever is using that. This won't stop illegal use of course, but will stop anyone interested in their privacy.
> This won't stop illegal use of course, but will stop anyone interested in their privacy
It won't stop much on the long term. Techniques like chaffing and winnowing[0] can be used to provide confidentiality while preserving plausible deniability.
oh god, please teach these people about encryption: what they're trying to do - it does not work like they think it works (as it seems to be).
> Locking the door of your house (with near impossible to break locks) prevents us from finding out what you're doing/keeping in your house, so we can't know whether you're doing/keeping something illegal in your house. So we are going to ban the making and using of unbreakable (or infeasible to break open) locks for locking the door of your house.
< The law-enforcement people as well as the criminals will be able to break into my house. What about that?
It seems like what they want is not so much breakable locks, but for you to have locks that can all be opened by a common master key. And they pinky swear that the master key will be kept totally safe and all the thousands of law enforcement officers they share it with will also keep it totally safe, and they will never ever use it except for intended purposes, and no bad guys will ever be able to get a copy of it.
This is the Common Master Key (CMK) theory. How are they going to keep CMK secret (using encryption? which encryption?) and how can they make sure the holders of CMK are honest (that they can't be forced/bribed/etc.) about their usage?
Not especially - 99.9% of people have doors that are adequate to keep burglars out, but the cops can kick them down or break a window if they need to, in an emergency.
Which is exactly what encryption backdoor advocates want.
Note, the police do not have the key to my front door. And yet, the police can get into my house if they need to. In the world of locks and doors, there is almost nothing I can feasibly do to totally make it impossible for the police to get into my house if I want to keep them out.
Encryption is different. Making encryption that is nigh impossible to break is almost trivial these days. And the police have no recourse.
Whether that is an acceptable change from before is very much up for discussion, but we should be clear that something did change.
Let's say that it's possible to create a lock and doors for your house that are impossible to defeat. The security forces would instead find another way into your property; the window, the chimney, blowing a hole in the wall, etc.
If the security forces don't have a master key for E2E encryption they should instead find another way to find evidence of a crime if they suspect one has taken place. The analogy does fall down somewhat when thinking about completely digital crimes when there is no physical evidence, one that comes to mind is child abuse, though this could be detected by teachers/caregivers or analyzing videos/pictures from users who didn't practice good OPSEC.
I forget which group it was (Lizard Squad? LulzSec?) where one of the members was identified by analyzing internet usage and monitoring the suspects coming and going.
Honestly, if the police get into my house because of another way, I think that counts as 'defeating my lock'.
Indeed, the fact that police can blow a hole in my wall is part of why I say they can defeat the lock.
Change the analogy to a safe. No matter how good the safe, if police want, they can read the contents of the documents in my safe. The same cannot be said for contents of encrypted documents.
Now, it might be possible for the police to persecute someone without access to those documents. Certainly, I am not arguing 'the police need this access because they used to have it'. All I am arguing is that encryption came with a meaningful change in what law enforcement can and cannot access without cooperation.
Claiming that we don't even need to consider the question because nothing meaningful changed is wrong. I don't believe we need to make that claim to argue against banning e2e encryption though.
> The paper said EU member states have “called for solutions” to allow “law enforcement and other competent authorities to gain lawful access to digital evidence”, without weakening encryption or breaching privacy and fair trial guarantees.
This is interesting because if we consider EU27 and the Press Freedom Index we discover that 8 countries have a good situation, 11 satisfactory, 8 noticeable problems... Could the 8 countries (Romania, Croatia, Poland, Greece, Cyprus North, Malta, Hungary) somehow benefit from the encryption weakening?
Bulgaria
EU law enforcement authorities would be allowed to access end-to-end encrypted communications under plans that set up a potential clash with both technology companies and privacy advocates.
The proposal to expand “targeted lawful access” for such data would help an EU crackdown on child abuse networks and other organised crimes, according to a European Commission internal note seen by the Financial Times.
The plans from the commission’s home affairs wing aim to “stimulate a discussion” among EU member states “on the issues posed by end-to-end encryption” for the ability to “advance investigations and prosecute criminals”. That push is coming into increasing conflict with the privacy safeguards both tech business and European digital authorities have sought to maintain for internet users.
“The application of encryption in technology has become readily accessible, often free of charge, as industry is opting to include encryption features by default in their products,” the commission note said. “Criminals can make use of readily available, off-the-shelf solutions conceived for legitimate purposes. This makes the work of law enforcement and the judiciary more challenging, as they seek to obtain lawful access to evidence.”
The note echoes language used by US attorney-general William Barr, who, in December, said that the difficulties posed for law enforcement agencies by encryption technology were among the US Justice department’s “highest priorities”.
The paper said EU member states have “called for solutions” to allow “law enforcement and other competent authorities to gain lawful access to digital evidence”, without weakening encryption or breaching privacy and fair trial guarantees. It said the commission will recommend that the bloc’s 27 justice and home affairs ministers discuss next steps, possibly at a meeting next month.
The note, written to be shared with the EU’s 27 member states and marked as “need to know” only, said it does not represent the official position of the commission.
EU experts including members of law enforcement and the judiciary estimated at a workshop late last year that the use of encryption had affected their ability to gain lawful access to electronic evidence in between a quarter and all of their cases, depending on the crime area, the commission paper said. The criminal use of legitimate end-to-end encrypted technology in online communications platforms would “continue to increase”, the experts added.
The commission note points to how the dismantling this summer of the EncroChat criminal network showed how criminals were using services such as crypto telephones, “which go well beyond publicly available end-to-end encrypted services”. The Europe-wide crackdown resulted in more than 800 arrests, the seizure of millions of euros in cash, illegal drugs, weapons and vehicles and — according to the UK’s National Crime Agency — averted 200 possible murders being planned.
“Successful operations of this kind remain the exception at the moment, due in part to limitations in technical capabilities available to law enforcement, and also because the existing legal landscape across EU member states is very diverse,” the note said. “Few member states have specific legal provisions allowing law enforcement and judicial authorities to tackle encryption.”
The commission initiative comes as the US-led “Five Eyes” intelligence alliance pushes for law-enforcement access to encrypted material. The grouping, which brings together the US, UK, Canada, Australia and New Zealand, called last year for tech companies to “include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format”.
Asked about the commission’s plans, one official at the EU executive said: “The objective here is to enable the intelligence community to track WhatsApp messages.”
The commission did not immediately respond to a request for comment.
The Commission note said any official orders to access encrypted electronic communication should be proportionate and targeted at specific individuals or groups in the context of the investigation of a specific crime. Technical solutions to access encrypted information should be used only where they are effective and “where other, less intrusive measures are not available”, the paper adds.
EU home affairs officials have grown increasingly concerned about international paedophile networks and in July unveiled plans to force technology companies to take greater responsibility for reporting them. Law enforcement officials said child abuse has risen during the Covid-19 pandemic social restrictions, as criminals have had the chance to spend more time at home sharing illegal images online or targeting housebound children.
Ylva Johansson, EU home affairs commissioner, told the FT earlier this year that the bloc must develop “new tools in the digital age” as part of a broader security strategy due to be published this year. She has called for measures to make it easier for law enforcement agencies and judicial institutions to obtain electronic evidence from other EU states.
Average Joe doesn't care about their erosion of privacy, in fact, they will applaud this decision because privacy is used by criminals and underground pedos in their opinion.
Remember, Average Joe is quite happy to use privacy invasive products like WhatsApp, Facebook, Instagram, Gmail, Yahoo, Skype etc. because it is convenient. Choosing privacy friendly alternatives is bothersome and complicated for them.
Privacy will now be viewed as a criminal act of sedition.
As an engineer I'm used to thinking in trade-offs, and I wonder why that is not more common. The goals they wish to attain might be reasonable, but at what price? What are the disadvantages? In Europe there are some states becoming more authoritarian and who knows what comes next? Democracy and freedom is not set in stone, it must be protected -- in this case it must be protected by ensuring secure communication.
What are they going to do if one app refuses to comply (which will surely be the case)? Sure they can pull it from app stores, but installing an APK shouldn't be that big of a barrier.
Also are they saying that companies like WhatsApp will have to do it across the globe? What happens to chat between the EU region and outside the EU?
It's not difficult to imagine mandating signed bootloaders and signed software to be the norm as well, there is no one who can make chips by themselves.
If it became known that the government intended to make the post office open all mail and store copies of it forever, I would imagine that there would be a public outcry.
How is this any different?
The basic premise that people need to fight is the idea that there can be no such thing as a private conversation.
Go ahead. Declare war on encryption. Make it weaker. But don't come running to me complaining that your bank balances have been drained because weak encryption allowed hackers to break in and take all your stuff.
I keep thinking when these types of interventions are proposed how homomorphic encryption can solve a lot of the described issues in a more secure and ethical way.
Maybe a technical solution to this without backdoors would be to encrypt everything twice and store both?
One is for the intended target and the second is encrypted with a public key provided by law enforcement.
And perhaps there should be a third independent actor who would hold the private key (in hardware without extraction possibility hopefully) and on a request basis would decrypt something for law enforcement and provide supervision and statistics for citizens. OK, one problem would be then that if that machine breaks there is no way to decrypt anything encrypted for that public key :D.
This is a back-door, since the public key will give you full access to plaintext.
Moreover, how do you audit whether the second cipher-text exists, and whether the second cipher-text actually decrypts to the same plain-text as the first?
There are plausible schemes for creating a common second actor that can access communication with a warrant. But they aren't this simple, and they tend to come with large complexity downsides.
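The audit question raised in the reply above can be made concrete with a short sketch. It is an added example, not code from the thread: it uses a toy ElGamal-style hybrid cipher over a small group with no integrity protection, purely to show the message flow, and all names and sample values are assumptions.

```python
import hashlib
import secrets

P = 2**255 - 19  # toy group modulus for illustration only
G = 2


def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _keystream(shared, n):
    seed = shared.to_bytes(32, "big")
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(pub, plaintext):
    e = secrets.randbelow(P - 2) + 1  # fresh ephemeral secret per ciphertext
    ks = _keystream(pow(pub, e, P), len(plaintext))
    return pow(G, e, P), bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(priv, ciphertext):
    c1, body = ciphertext
    ks = _keystream(pow(c1, priv, P), len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def send(msg, recipient_pub, escrow_pub, escrow_copy=None):
    """Build the (recipient, escrow) ciphertext pair the proposal asks for.

    escrow_copy=None models a compliant client. Any other value models a
    client that fills the escrow slot with something else.
    """
    if escrow_copy is None:
        escrow_copy = msg
    return encrypt(recipient_pub, msg), encrypt(escrow_pub, escrow_copy)


def relay_check(pair):
    """All a relay holding no private key can verify: two well-formed slots."""
    (c1a, body_a), (c1b, body_b) = pair
    return 0 < c1a < P and 0 < c1b < P and len(body_a) == len(body_b)


if __name__ == "__main__":
    r_priv, r_pub = keygen()
    e_priv, e_pub = keygen()
    msg = b"meet at noon"  # constructed sample message
    compliant = send(msg, r_pub, e_pub)
    mismatched = send(msg, r_pub, e_pub, escrow_copy=b"x" * len(msg))
    print("relay accepts both:", relay_check(compliant), relay_check(mismatched))
    print("escrow reads:", decrypt(e_priv, compliant[1]), decrypt(e_priv, mismatched[1]))
```

Both pairs look identical to anyone without a private key, so a mismatch only surfaces when the escrow holder decrypts. Closing that gap needs a proof that both ciphertexts carry the same plaintext, which is the kind of added complexity the reply refers to.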
> EU home affairs officials have grown increasingly concerned about international paedophile networks and in July unveiled plans to force technology companies to take greater responsibility for reporting them.
> terrorists, pedophiles, drug dealers, and money launderers
At some point, unless you want everyone making their own personal moral judgements (including people who e.g. don't think women should have rights?), it should be permissible to deal neutrally with everyone who wants to do business with you. Let the law enforcers enforce the law, let the bankers bank.
The Mexican drug cartels could not fit cash through the teller stations quickly enough, so HSBC had special teller boxes so that it was far more efficient.
> U.S. agencies responsible for enforcing money laundering laws rarely prosecute megabanks that break the law, and the actions authorities do take barely ripple the flood of plundered money that washes through the international financial system.
From your first link. It sounds like the law enforcers need to do better at enforcing the law. If they can't enforce it against the banks, how can we expect the banks to enforce the law against themselves?
"It sounds like the law enforcers need to do better at enforcing the law"
While true, it's a non-sequitur.
OP made the point that banks serve criminals and asked then who are the "real crooks". You asked if bankers can serve everyone neutrally rather than be expected to exercise "personal morality". Which is a fair question in my opinion
Questions of individual moral duty aside, however, banks are not merely neutral when the law forbids them from specific activity and they decide to do it anyway.
Now your goalpost appears to be that banks should be able to do whatever they want if law enforcement cannot do anything about it, which is a very strange stance, to be honest
This doesn't make much sense when you think about the context of the original work you're quoting.
Niemöller was writing about a fascist government. Fascism is inherently built on an "us-vs-them" conflict. The details may change, but a key point is there's always an enemy who is responsible for everything that's wrong with the world. When fascists take power, they set out to get rid of the enemy. Then they find that didn't actually fix anything, so they splinter away some of their former in-group and make them the new enemy.
That is what fascist groups in power must do, because of course everything is much more complex than they claim. Nothing is ever as simple as "if we get rid of that group of undesirables, everything will be great", no matter who those undesirables are. Socialists? Capitalists? People who post on HN? Any other group you might name? The answer is never as easy as "those people are bad."
There doesn't need to be a slippery slope from whatever the government wants to outlaw to everyone being a criminal. It depends on the structure and goals of the government. In a fascist state, yeah it's pretty much guaranteed. In the US? Well, we're a muddled mix of everything with a very mixed record and uncertain future, but at least we're not a fascist state. There isn't a guarantee that any step leads to a next step.
So it really isn't analogous to the situation the original work was describing. And it's not really constructive to weaken its point by making jokes applying it to this situation, given the point it's trying to make. But maybe the fact that so many people don't understand the context means it's already too late.
> But maybe the fact that so many people don't understand the context means it's already too late.
Final answer?
So, yes, it is a joke. It's funny because it's Europe and has an unrelatable but likely more relevant 21st century approach to regulating unhelpful industries. I like that they made regulations against the data brokers, who are the enemy even though the data brokers' individual actions are fairly benign.
The real key here is knowingly. Large banks have had a slew of "scandals" whereby they've been caught moving many billions of dollars for evil organizations the rest of us would go to prison for donating to. How many times do these organizations have to get caught for it to be handled in a fashion comparable to mere mortals?
I say "scandals" because by some miracle it never seems to be a particularly big deal in the media.
> Arguably, the news is shadowed by other, more immediate topics - it would be interesting to see how it would have been received in a non-2020-ish year.
This is what frustrates me. You can find these scandals happening way before 2020. The fact that it isn't common knowledge is distressing.
If the banks' involvement in such activities was promoted to the same extent as the political noise that currently dominates, we might actually have made some improvement in human and drug trafficking between the 80s and now.
Especially given the abysmal state in cross border law enforcement. The Europol is mainly a purely administrative entity; police has to fax stuff around and gets results via physical mail.
It’s not “illegal” if we just contract a trusted ally to spy on our own citizens. The US, U.K., Germany, and the other Five Eyes do it. I’d be shocked if the French or Dutch aren’t doing it but I haven’t read about it myself.
This is the same EU that came up with GDPR? Where is the right to privacy thinking on this? Encryption is essential to having freedom. It is simply the electronic equivalent to being able to meet in secret, a right that all humans can and should have.
Law enforcement does not have the right to be in my private meetings. Even with a warrant or if they spy, there are risks and limits. Yes, they can spy, but they are limited by reality. Encryption imposes almost the same limitations on digital life as secrecy does in real life. Why should my rights be different online?
You haven’t met many police officers lately, I guess. They all agree that they have the right to break the law, and a duty to protect anyone in their group (not just police officers, but almost any other government employee) from the law. At the very least until that paedophile teacher manages to get into the newspaper just by the sheer number of victims he makes. By far the biggest group of child abuse perpetrators are physical Ed teachers (which is even pretty obvious, if you were a paedophile, what job would you take?) and the agencies protecting children all get regularly caught abusing children, and generally getting away with it.
The child argument is stupid because government employees, and children themselves share about 90% of child abuse crimes between them. Of course, one might make the point that children abusing other children at school is also technically their responsibility ... as it’s on their watch. There’s no point protecting against the 1% case ...
That’s what I find so hard to believe. Governments know they themselves are the big problem when it comes to child abuse, but the reaction is always more, and ever more powerful bureaucrats, some of which have excellent positions to abuse children with (like youth services psychiatrists, who decide on the use of state violence against children. Doesn’t take an expert how that post can be abused to get an 11 year old girl to ... you). We know no-one is taking any of these jobs for the excellent benefits or pay ...
I am surprised to see this point being made. The government has one of the worst records on data privacy of all democracies. It's laughable to think they won't proceed with this and go further, again, before long.
Hahaha - the UK government has been instrumental in paving the way in 'banning encryption' and other such laws.
Thankfully they (UK Government) have proven over and over again that they are pretty inept when it comes to doing much with technology. I've worked on a number of Government projects including the recent Test and Trace debacle and they are always a shit-show.
I'd agree that outsourced national infrastructure initiatives that are either ad hoc or politically-motivated tend to be debacular in their nature - but I have a sneaking suspicion the real power houses that focus on all things cryptographical (i.e. our security services) are possibly world-leading.
The concept of a multi-national bureaucracy that has a massive budget and little accountability has very little appeal to me.
I get that it enabled mobility for EU citizens and the potential for combating large scale problems like climate change, but with human nature being what it is corruption and overreach is unavoidable.
Well, it has been only a few months since a "study" was released, ordered by the EU parliament, where the authors were asking for a European firewall similar to the Chinese one.
Between drowning refugees and immigrants in the Mediterranean sea, shooting them at the borders and throwing whoever survives in concentration camps, it's only logical to go after the local dissidents too.
It's doubtful all this would be required just for refugees. Though I've heard of conspiracy theories about taking them in order to justify all-encompassing surveillance to your own populace.
Oh no no, I didn't mean that it's happening because of/for the immigration.
Just saying that the European Union is already in honeymoon with the far right so such policies are only to be expected.