EU agreed to "ban" encryption

Sad news. The EU governments seem to have secretly agreed to force the breaking of encryption, the Austrian ORF (followed by several other European media) revealed.

It seems like the trousers are down, finally. 5-eyes’ wishes to be fulfilled eventually. Purism’s Librems are becoming more relevant day by day, it seems…

5 Likes

Yeah, kind of doublespeak from the EU, right? GDPR, and then encryption must be breakable?

I personally think the EU is given too much authority to begin with.

4 Likes

EU != EU

Banning encryption is an initiative of governments in the EU.

GDPR was an initiative from the parliament.

4 Likes

Thanks that cleared it all up. Hahahaha.

Hmm, after reading the proposal I understood that they still want strong encryption, but with a secure backdoor (that’s what I call ‘wanting the butter, not paying for it, and having the seller’s ass’ … the translation doesn’t feel that great in English…)
So it’s not really a ban; did I miss something?

3 Likes

Yes

It looks to be fairly early days - but that is the direction that things are moving - in many countries.

It may be only implicit that the backdoor is “secure” but the bottom line is: they still want strong encryption but they want a mandatory backdoor.

Yes and no.

If a provider refused to implement a backdoor then, yes, it could really be a ban (on that provider). In the extreme, if all providers refused to implement a backdoor then it could really be a blanket ban on all encryption.

A citizen could take the perspective that once encryption has a backdoor then it is not encryption any more. In that sense too it is a ban on encryption.

Apart from those two perspectives, it is not phrased as an outright ban.

Exactly. Assume that there are no places left. Everyone has to fight it in their own country.

3 Likes

It is likely that if and when this becomes legislation, it will look at two different scenarios:

  1. Data in transit
  2. Data at rest

For the “data in transit” scenario, I believe that we would then fairly quickly reach the point that … any messaging service where the mode of operation is controlled by some central entity should be assumed to be broken, even if it ostensibly offers end-to-end encryption. (Some decent service providers will probably shut down, or relocate, rather than offer a broken service.)

The “data at rest” scenario is much more difficult for the government.

I would expect in any case an ongoing arms race between people who find the whole situation unacceptable and the government.

2 Likes
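The “data in transit” point above (a service whose mode of operation is controlled by a central entity should be assumed broken even if it offers end-to-end encryption) can be made concrete. The following is an added example, not code from this thread or from any messenger it mentions. It is a toy model in which a central directory hands out the participant list and keys for a conversation; as simplifying assumptions, symmetric per-user “recipient keys” stand in for the public keys a real messenger would use, and the HMAC-based stream cipher is for illustration only, not a production construction. A client that trusts the server’s list encrypts to whatever recipients it is given, so the server only has to append one extra entry to read everything. A client that pins the members and key fingerprints it verified out of band refuses to send when the list changes.

```python
"""Toy model of a group conversation whose membership is served by a central
directory. Added illustration only: symmetric recipient keys replace public
keys and the HMAC-CTR keystream is not a production cipher."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += _prf(key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def fingerprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()[:16]


@dataclass
class Directory:
    """The central entity: whoever controls it decides who can read a chat."""
    keys: dict      # user -> recipient key (hypothetical; public key in reality)
    members: dict   # conversation -> list of users

    def participants(self, conversation: str) -> dict:
        return {u: self.keys[u] for u in self.members[conversation]}

    def add_ghost(self, conversation: str, ghost: str) -> None:
        """Silently append an extra recipient. No client code needs to change."""
        self.members[conversation].append(ghost)


def encrypt(plaintext: bytes, recipients: dict) -> dict:
    """Encrypt under a fresh message key and wrap that key for every recipient."""
    mk, nonce = os.urandom(32), os.urandom(16)
    body = _xor(plaintext, _keystream(mk, nonce, len(plaintext)))
    wrapped = {u: _xor(mk, _prf(k, b"wrap" + nonce)) for u, k in recipients.items()}
    return {"nonce": nonce, "body": body, "wrapped": wrapped}


def decrypt(env: dict, user: str, key: bytes) -> Optional[bytes]:
    if user not in env["wrapped"]:
        return None  # no key material for this user: cannot read the message
    mk = _xor(env["wrapped"][user], _prf(key, b"wrap" + env["nonce"]))
    return _xor(env["body"], _keystream(mk, env["nonce"], len(env["body"])))


def send_trusting(directory: Directory, conversation: str, msg: bytes) -> dict:
    """Client that encrypts to whatever the server says the group is."""
    return encrypt(msg, directory.participants(conversation))


def send_pinned(directory: Directory, conversation: str, msg: bytes,
                pinned: dict) -> dict:
    """Client that only encrypts to locally pinned members and fingerprints."""
    served = directory.participants(conversation)
    extra = set(served) - set(pinned)
    if extra:
        raise ValueError(f"server added unexpected recipient(s): {sorted(extra)}")
    changed = [u for u, k in served.items() if fingerprint(k) != pinned[u]]
    if changed:
        raise ValueError(f"key changed for {changed}; re-verify out of band")
    return encrypt(msg, served)


def demo() -> dict:
    """Constructed scenario: honest directory, then a silently added ghost."""
    keys = {u: os.urandom(32) for u in ("alice", "bob", "ghost")}
    directory = Directory(keys=keys, members={"chat": ["alice", "bob"]})
    pinned = {u: fingerprint(keys[u]) for u in ("alice", "bob")}
    msg, results = b"meet at the usual place", {}

    env = send_trusting(directory, "chat", msg)
    results["honest_bob"] = decrypt(env, "bob", keys["bob"]) == msg
    results["honest_ghost"] = decrypt(env, "ghost", keys["ghost"])  # None

    directory.add_ghost("chat", "ghost")
    env = send_trusting(directory, "chat", msg)
    results["ghosted_trusting_bob"] = decrypt(env, "bob", keys["bob"]) == msg
    results["ghosted_trusting_ghost"] = decrypt(env, "ghost", keys["ghost"]) == msg
    try:
        send_pinned(directory, "chat", msg, pinned)
        results["ghosted_pinned_refused"] = False
    except ValueError:
        results["ghosted_pinned_refused"] = True
    return results
```

The trusting client never sees anything wrong: Bob still decrypts, the ciphertext format is unchanged, and the only difference is one more wrapped key in the envelope. That is why the check has to live on the endpoint and compare against state the server does not control (pinned fingerprints verified in person or over another channel), rather than against anything the server sends.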

Basically, decentralization is always current if you don’t want to risk a ‘gov-honeypot’.

3 Likes

Maybe more countries should leave the EU. If the economic alliance is threatened, perhaps the leaders of the EU might compromise on allowing privacy. I don’t know what the political environment is there. But it appears that the Union is taking away some rights from its member states.

4 Likes

might prove relevant to some of you …

1 Like

It’s the contrary. The member states’ governments agreed on this. The EU, unlike the US, is still a very loose union where the respective heads of state of the member states have more power than the EU institutions. That doesn’t make them saints (see e.g. the upload filter decision), but the EU institutions (Commission, Parliament, Court) used to care more about open source (e.g. funding a bug bounty for the security of VLC) and privacy (GDPR, several decisions that data retention by your ISP is unlawful).

Anyway, I expect that this would still have to pass the parliament, and if it does or is bypassed, someone will sue over this in European courts in case it somehow enters legislation. They implemented data retention several times here and they speak about it again… at least the courts always stop this… it would be better if they understood that it’s unlawful before starting such laws.

The only solace I take in all of this tracking is that it is not really clear how effective it actually is at achieving its stated goals (as opposed to making the big tech companies lots of money).

These two articles are worth reading:
The (non)sense of online advertising: when the numbers don’t add up

and
The new dot com bubble is here: it’s called online advertising

I don’t think the conclusions reduce the need for the L-5 and VPN, DNS filtering, ProtonMail, etc. It does however suggest that any data leakage may be of more limited impact.

3 Likes

To paraphrase Snowden: “there are many good reasons why we shouldn’t make governments around the world too efficient at what they do”.

If an email RSA encryption key can be easily bypassed/subverted by a backdoor, then imagine how easily TLS/SSL can be negated.

When you buy a new Purism product, the company sends you an UN-encrypted email with a .pdf (blob) invoice (at least that’s how it is if you pay everything up front) … why isn’t it sent through E2EE mail?

Answer: because the system is automated and the ‘gov.’ has such a thing as a ‘bulk-tee-collect-tool’ :wink: It works basically the same way a ‘T’ (tee) junction in plumbing works … it splits the output in two directions :sweat: :weary: :mask:

1 Like

Regardless of the dynamics within the EU, member states will be enthusiastic supporters of this.

In any case, the UK has left the EU and it already has such legislation i.e. much further along the road to the authoritarianism of total surveillance.

The UK has had a severely privacy-invading military-intelligence apparatus for many years; however, if you look at the global bulk-collection map based on what Snowden has revealed, certain countries on the South American continent have it much worse :wink:

This is the only reasonable perspective. It is only a matter of time until the backdoor leaks. And that time might be very short indeed. Most likely the backdoor will be obtained by foreign intelligence before it is even implemented.

5 Likes

A backdoor would be a high-priority target for an intelligence service. And which country’s backdoor is the weakest link? It only requires one country to slip up … Surely the EU didn’t imagine that the EU can have a backdoor but no one else can.

5 Likes

As stated earlier above by maximillian, it’s not the EU itself. The initiative is driven by European governments, or rather was demanded throughout the last months/years primarily by the 5-eyes and some US politicians.

From my personal point of view, forcing the implementation of a backdoor into encrypted communication means:
a) broken encryption: not totally worthless, but if you can’t trust it, what’s its value?
b) a security hole that WILL be used one day; the question is only about when it happens, not if

1 Like

This is perhaps a subject for a separate thread, but given that this thread spurred the subject, I’ll just respond here and try to keep things nice and neat.

I think it is easy to see, from a technical understanding of implementing encryption, why having a backdoor would be stupid, and something you’d never want.

However, in countries where innocence is assumed until proven guilty, the burden of building evidence is GREATLY hampered, particularly when it comes to digital crimes, by encryption. I’m sure there is a scenario all of us can envision where we would want to be able to break encryption. (Imagine a terrorist plot, millions of lives in danger, etc.)

I know that all of us have a healthy dose of skepticism when it comes to law enforcement and judiciary wings of government. However, in systems where these entities can be trusted and the population rely on them for safeguarding and maintaining law and order, do we not want them to be able to do their job?

I know it is a double-edged sword. On one hand good people wouldn’t abuse the power, and on the other bad people will. But what is better?

Is being able to communicate privately always above the law and civic responsibility?

2 Likes

It may also be the case that the backdoor can be interfered with by the owner of the device, to the extent that the backdoor is not operational. So, while that is a better outcome than having a backdoor, it raises a separate problem with the whole idea of a backdoor.

That is the crux of it. Crimes in the real world are detectable in the real world.

Is this an acceptable price to pay for tackling purely digital crimes? Not in my book. Law enforcement of course disagree.

Good or bad, recent (and no so recent) history shows that abuse will occur.

3 Likes