
I just don't understand how they think they can do so.

It's not even the "why?". I get the "why?" even though I obviously don't agree.

It's the "how?".



How do you ban cocaine? How do you ban special parts in guns that make them automatic? How do you enforce any law that's not practical to enforce?

You just make it a felony with a penalty of decades of imprisonment. Then, all the businesses stop doing it and you selectively enforce the law in order to make an example out of people. The idea is never to enforce it fully.

If encryption is a felony, your average business will stop using it, which is pretty much the desired effect. They don't care so much about your personal website or data store using encryption. They'll just make it a fringe technique.


So are they banning VPN and SSL too? Those are not fringe techniques.


It's like saying "so are you banning freight and air travel too?" to those politicians in order to stop cocaine. When do programmers get it that those analogies don't mean anything in the real world?


Except it's not cocaine. It's banning bikes, when everyone uses bikes, no? VPNs and SSL explicitly are the target, in part. It's not a figure of speech, it's factually the thing. If your point is politicians don't get that then... fuck idk, I'm hoping for maliciousness over that level of incompetence.


Freight and air travel don’t involve cocaine as a standard. VPN and SSL do include encryption as standard.

It’s not an analogy, it’s pointing out that encryption is more common than some think.


If only more people understood that the police aren’t there to stop crime but rather to document it, we would be further along with the enlightenment.

It’s all punitive because preventative is fantasy.


Controlling supply chains is a lot easier when you're dealing with physical things and not abstract concepts.


Ok but banning encryption seems akin to banning combustion.


Government can ban combustion too. So that next time it's revealed in a court of law that you caused combustion, you'll be locked up. It's not about preventing combustion, it's about if they find evidence that you combusted, you getting a criminal sentence.


The how probably isn't so hard if you are a state actor. You won't be 100% effective, but if you make it a felony to possess systems that can do it, to use systems that can do it, to possess any data that can be tied to such a system, etc., etc. it's quite likely that usage would drop to nearly nothing.


I think the how is pretty simple: If you're a company that runs a chat/communication app and you can't comply with a government request for the contents of private communication on your platform then you're in violation of the law.

If you have any presence in Spain then you'd be subject to fines or whatever cross-jurisdictional sanctions they can get away with. Or if you're untouchable legally they could require ISPs to block you and you can play whack-a-mole. The major players where 95% of communications happen would either have to play ball or withdraw from the country. In practice this probably means that small apps get away without complying until the government has a request for you that you fail to meet.

It's a horrible and terrifying idea, but I think it's reasonable to enforce and get the vast majority of people to have unencrypted communications. (but not the vast majority of dedicated criminals)


It is not pretty simple. A govt can't win a whack-a-mole game. Consider attempts to block Telegram in Russia. They caused so much collateral damage while not even approaching the goal, that the whole effort had to be canceled and swept under the rug.


You force Google and Apple to drop apps in the app store that support encrypted messages.

You sue and jail any website operator offering access to encrypted peer-to-peer chats.


Finland "warned that the proposal could conflict with the Finnish constitution" and Germany "has staunchly opposed the proposal", so I don't think there's going to be an EU law banning end-to-end encryption. So if Spain were to act alone, I can't imagine banning WhatsApp (which uses end-to-end encryption) would go over well with their constituents. It's on 98% of their smartphones and (at least in 2015) they used it more than any other EU country [1]. WhatsApp (like Signal) said it would leave the UK rather than weaken encryption if end-to-end encryption was banned there. [2] I'm sure the same would be true for Spain.

1. https://english.elpais.com/elpais/2015/02/16/inenglish/14240...

2. https://www.theverge.com/2023/3/10/23633601/uk-online-safety...

Maybe WhatsApp is lying, but it would put them in a predicament for the following situation: a user from outside of Spain chatting with someone inside of Spain. Assuming they comply with Spanish law, they could,

1. Say nothing and show no warning message. Would generate negative press and distrust in the platform.

2. Show a warning message when a user tries to message someone in Spain. Some would commend the transparency, but the press and public may still be upset that they acquiesced to the Spanish government's demands.

3. Create an entirely different version of the app for Spanish users. This wouldn't generate much negative press outside of Spain, but Spanish users absolutely would be upset that they can't contact people outside Spain with the app.

This is not an edge case scenario: 15% of people in Spain are foreign-born (likely contacting family and friends from their home country) and 2.7 million Spaniards live abroad (likely contacting family and friends inside of Spain.)

Option 3 is likely out of the picture, but of options 1 and 2, while neither would result in the death of WhatsApp, some users may indeed leave the platform due to it. In order to be worse than losing the entire country of Spain, 2.35% of WhatsApp users would have to leave the app. That seems unlikely, but even still WhatsApp might not feel it's worth the risk, and in any case they'd probably prefer to not have to spend development hours building systems to comply with the law. Easier to just cut them off.


Good Android supports app sideloading. Apple users, too dumb to care :‑þ


Most likely it would enable them to go "well we can't decrypt your messages you exchanged with your conspirators which we think would prove you're a criminal, but since you used E2EE you are now a criminal by default."

It also enables them to stop petty criminals, but we both know they don't really care about that.


> but since you used E2EE you are now a criminal by default

Wouldn't simple mappings introduce sufficient plausible deniability in this case?

An example: Every two bits in the encrypted message are mapped to 0=A, 1=T, 2=G, 3=C and suddenly everyone is transmitting DNA sequences for research and evaluation.

Attach the encrypted message to a legitimate sequence and-- boom! --you have a "telomere".
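
The two-bit-to-nucleotide mapping described in the comment above, as an added example that is not part of the original thread: it round-trips bytes through A/T/G/C and measures symbol entropy, which shows the mapping is a reversible re-encoding that carries over the statistics of the underlying bytes. The function names and the SHA-256-derived stand-in for ciphertext are assumptions made for the example.

```python
import hashlib
import math
from collections import Counter

BASES = "ATGC"  # mapping from the comment: 0=A, 1=T, 2=G, 3=C


def bytes_to_dna(data: bytes) -> str:
    """Encode each byte as four bases, most significant bit pair first."""
    return "".join(BASES[(b >> shift) & 0b11] for b in data for shift in (6, 4, 2, 0))


def dna_to_bytes(seq: str) -> bytes:
    """Invert bytes_to_dna; rejects input that is not a whole number of bytes."""
    if len(seq) % 4:
        raise ValueError("sequence length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(seq), 4):
        value = 0
        for base in seq[i:i + 4]:
            value = (value << 2) | BASES.index(base)  # ValueError on non-ATGC
        out.append(value)
    return bytes(out)


def entropy(symbols: str) -> float:
    """Shannon entropy in bits per symbol (maximum 2.0 for four bases)."""
    counts = Counter(symbols)
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def stand_in_ciphertext(n_blocks: int = 128) -> bytes:
    """Constructed sample: SHA-256 in counter mode as a stand-in for ciphertext."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n_blocks))


if __name__ == "__main__":
    cipher_dna = bytes_to_dna(stand_in_ciphertext())
    text_dna = bytes_to_dna(b"meet me at the usual place at nine " * 100)  # constructed
    assert dna_to_bytes(cipher_dna) == stand_in_ciphertext()
    # Ciphertext stays near the 2-bit maximum after re-encoding.
    print(f"ciphertext, all bases:      {entropy(cipher_dna):.4f} bits")
    print(f"ciphertext, 1st base/byte:  {entropy(cipher_dna[::4]):.4f} bits")
    # First base of each byte: 7-bit ASCII only ever yields A or T here.
    print(f"ASCII text, 1st base/byte:  {entropy(text_dna[::4]):.4f} bits")
```
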


Or even more in-your-face:

Encode bits as Spanish words. Enumerate 2^8 words in the dictionary and just use them.


If they can get the apps removed from Google/Apple app stores in their country, and put blocks at the ISP level to prevent anyone actually communicating with Signal or WhatsApp servers, they'll get most of the way there.



