Humm, after reading the proposal I understood, they still want strong encryption, but with a secure backdoor (that’s what I call ‘wanting the butter, not paying for it, and having the seller’s ass’ … the translation doesn’t feel that great in English…)
So it’s not really a ban, did I miss something?
It looks to be fairly early days - but that is the direction that things are moving - in many countries.
It may be only implicit that the backdoor is “secure” but the bottom line is: they still want strong encryption but they want a mandatory backdoor.
Yes and no.
If a provider refused to implement a backdoor then, yes, it could really be a ban (on that provider). In the extreme, if all providers refused to implement a backdoor then it could really be a blanket ban on all encryption.
A citizen could take the perspective that once encryption has a backdoor then it is not encryption any more. In that sense too it is a ban on encryption.
Apart from those two perspectives, it is not phrased as an outright ban.
Exactly. Assume that there are no places left. Everyone has to fight it in their own country.
It is likely that if and when this becomes legislation, it will look at two different scenarios:
Data in transit
Data at rest
For the “data in transit” scenario, I believe that we would then fairly quickly reach the point that … any messaging service where the mode of operation is controlled by some central entity should be assumed to be broken, even if it ostensibly offers end-to-end encryption. (Some decent service providers will probably shut down, or relocate, rather than offer a broken service.)
The “data at rest” scenario is much more difficult for the government.
I would expect in any case an ongoing arms race between people who find the whole situation unacceptable and the government.
Maybe more countries should leave the EU. If the economic alliance is threatened, perhaps the leaders of the EU might compromise on allowing privacy. I don’t know what the political environment is there. But it appears that the Union is taking away some rights from its member states.
It’s the contrary. The member states’ governments agreed on this. The EU, unlike the US, is still a very loose union where the respective heads of state of the member states have more power than the EU institutions. Doesn’t make them saints (see e.g. upload filter decision) but the EU institutions (Commission, Parliament, Court) used to care more about open source (e.g. funding a bug bounty for the security of VLC) and privacy (GDPR, several decisions that data retention by your ISP is unlawful).
Anyway, I expect that this would still have to pass the parliament, and if it does or is bypassed, someone will sue over this in European courts in case this enters legislation somehow. They implemented data retention several times here and they speak about it again… at least courts always stop this… it would be better if they understood that it’s unlawful before starting such laws.
To paraphrase Snowden: “there are many good reasons why we shouldn’t make govs. around the world too efficient at what they do.”
If an email RSA encryption key can be easily bypassed/subverted by a back-door, then imagine how easily TLS/SSL can be negated.
When you buy a new Purism product, the company sends you an UN-encrypted email with a .pdf (blob) invoice (at least that’s how it is if you pay everything up front) … why isn’t it sent through e2ee mail?
Answer: because the system is automated and the ‘gov.’ has such a thing as ‘bulk-tee-collect-tool’. It works basically in the same way that a ‘T’ (tee) junction in plumbing works … splits the output in two directions.
The UK has had a severe-privacy-invading military-intelligence apparatus for many years; however, if you look at the global-bulk-collection-map based on what Snowden has revealed, certain countries from the South American continent have it much worse.
This is the only reasonable perspective. It is only a matter of time until the backdoor leaks. And that time might be very short indeed. Most likely the backdoor will be obtained by foreign intelligence before it is even implemented.
A backdoor would be a high-priority target for an intelligence service. And which country’s backdoor is the weakest link? It only requires one country to slip up … Surely the EU didn’t imagine that the EU can have a backdoor but no one else can.
As stated earlier above by maximillian, it’s not the EU itself. The initiative is driven by European governments respectively was demanded throughout the last months/years primarily by the 5-eyes and some US-politicians.
From my personal point of view, forcing the implementation of a backdoor into encrypted communication means
a) broken encryption - not totally worthless, but if you can’t trust it, what’s its value?
b) a security-hole that WILL be used one day - question is only about when it happens not if
This is perhaps a subject for a separate thread, but given that this thread spurred the subject, I’ll just respond here and try to keep things nice and neat.
I think it is easy from a technical understanding on implementing encryption why having a backdoor would be stupid, and something you’d never want.
However, in countries where innocence is assumed until proven guilty, the burden of building evidence is GREATLY hampered, particularly when it comes to digital crimes, by encryption. I’m sure there is a scenario all of us can envision where we would want to be able to break encryption. (Imagine a terrorist plot, millions of lives in danger, etc.)
I know that all of us have a healthy dose of skepticism when it comes to law enforcement and judiciary wings of government. However, in systems where these entities can be trusted and the population rely on them for safeguarding and maintaining law and order, do we not want them to be able to do their job?
I know it is a double-edged sword. On one hand good people wouldn’t abuse the power, and on the other bad people will. But what is better?
Is being able to communicate privately always above the law and civic responsibility?
It may also be the case that the backdoor can be interfered with by the owner of the device, to the extent that the backdoor is not operational. So, while that is a better outcome than having a backdoor, it raises a separate problem with the whole idea of a backdoor.
That is the crux of it. Crimes in the real world are detectable in the real world.
Is this an acceptable price to pay for tackling purely digital crimes? Not in my book. Law enforcement of course disagree.
Good or bad, recent (and not so recent) history shows that abuse will occur.