Encryption Privacy EU

ProtonMail, Threema, Tresorit and Tutanota Warn EU Lawmakers Over 'Anti-Encryption' Push (techcrunch.com) 46

Four European apps which secure user data via end-to-end encryption, ProtonMail, Threema, Tresorit and Tutanota, have issued a joint statement warning over recent moves by EU institutions that they say are setting lawmakers on a dangerous path to backdooring encryption. From a report: Last month the EU Council passed a resolution on encryption that's riven with contradiction -- calling for "security through encryption and security despite encryption" -- which the four e2e app makers believe is a thinly veiled call to backdoor encryption. The European Commission has also talked about seeking "improved access" to encrypted information, writing in a wide-ranging counter-terrorism agenda also published in December that it will "work with Member States to identify possible legal, operational, and technical solutions for lawful access." Simultaneously, the Commission has said it will "promote an approach which both maintains the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime and terrorism." And it has made it clear there will be no 'one silver bullet' as regards the e2e encryption security 'challenge.' But such caveats are doing nothing to alleviate the concerns of e2e encrypted app makers -- who are convinced proposals from the Council of the EU, which is involved in adopting the bloc's laws (though the Commission usually drafts legislation), sum to a push toward backdoors.

"While it's not explicitly stated in the resolution, it's widely understood that the proposal seeks to allow law enforcement access to encrypted platforms via backdoors," the four app makers write, going on to warn that such a move would fatally undermine the security EU institutions also claim to want to maintain. "The resolution makes a fundamental misunderstanding: Encryption is an absolute, data is either encrypted or it isn't, users have privacy or they don't," they go on. "The desire to give law enforcement more tools to fight crime is obviously understandable. But the proposals are the digital equivalent of giving law enforcement a key to every citizen's home and might begin a slippery slope towards greater violations of personal privacy."

This discussion has been archived. No new comments can be posted.

  • You can't make them obey silly EU rules, or anybody else's.

    • by lhaeh ( 463179 ) on Thursday January 28, 2021 @01:18PM (#61002104)

      My guess on how this will go: They won't want backdoors for important stuff they care about, so large business and governments will have real encryption.

      Regular people, small businesses? You are only allowed to use apps that share keys with gov't. You need an "encryption license" to not have shared keys. Sure, you can do it anyway illegally, but expect to go to prison if you get caught. How would you get caught? Pretty easy if the government is monitoring internet traffic and sees stuff they can't decrypt.

      Sad, but that's how I see it playing out.

      • You're most likely correct. We have to make it blend in with the rest of the noise. It will have to go with steganography. Or, it's back to messaging in the Sunday classifieds

      • by ras ( 84108 )

        My guess on how this will go: They won't want backdoors for important stuff they care about, so large business and governments will have real encryption.

        That's not how it panned out in Australia. Through the Assistance and Access Bill (2018) [homeaffairs.gov.au] they've given themselves the power to order any company to write and install their spyware on any device they've cleared with a judge.

        In case what that means isn't obvious, they could for example order Google to write a special onscreen keyboard that sends everything t

    • We will see that once the proposal becomes tangible, and viral people will complain, everything will be kept at the status quo. The giants (e. g. Telegram) would be put at risk in this sense, but startups like Cubbit, focusing on the peace of mind given by the fact that no one can access the files, will be empowered by this inner people desire of freedom. What do you think?
  • by Framboise ( 521772 ) on Thursday January 28, 2021 @12:42PM (#61001932)

    Deciders are not primarily concerned by citizen privacy rights, but by their own security. To have more impact the message should be that backdoors can not be kept secret and thus will sooner or later be used by their enemies (foreign states, political opponents, criminals) against those in power.

    • Yep. Law enforcement having keys to everybody's house sounds good (they can go in and save you!) until you realize that it's the same key for everybody's house and that if a single criminal gets a copy of the key then every criminal in the world will immediately have a copy of that key.

      • by jbengt ( 874751 )
        To extend your analogy into reality:

        Fire departments and real estate agents often actually do have the key to a locked box that contains a key to a home or business.

        Evidence that that is not always foolproof:

        Even when the fire codes say that businesses must provide a lock box with a key to the business and give the fire department a key to the lock box, the health department won't allow that if the business is a pharmacy (at least in Illinois).

        When looking at houses with my son and his real estate
    • Deciders are not primarily concerned by citizen privacy rights, but by their own security.

      What are the deciders going to do if a foreign government demands access to their devices when they are traveling in that foreign country?

  • If the enemies of the people of the free world continue to push these anti-free information, anti-encryption, anti-speech, anti-anonymity, anti-neutrality, and generally anti-open policies and efforts throughout the world over and over and over again it is only a matter of time before they sneak them through, find the right poster child case to blind people, etc. Some more permanent tabling of these subjects needs to occur to smash measures which have already slipped through and block future efforts.

    • ...it is only a matter of time before they sneak them through

      It will be eternal cat and mouse, new tech will be developed to circumvent the tyrants.

    • At this moment, with the enormous stir around biased whatsapp and the like, there is no doubt the end2end encrypted Signal is definitely and safely started, with a strongly growing mass of users ensuring the critical mass is reached too.

      Then the next step is (again) to prepare a switch towards similarly open-source apps, end2end encrypted, but that will additionally eliminate the last criticality : the risk that someone, or some state, stops the central server.
      Signal still needs a server.

      Jami doesn't, and i

  • by nzkbuk ( 773506 ) on Thursday January 28, 2021 @12:50PM (#61001954)
    Policy makers need to be shown a case study on TSA approved locks.

    Anyone with 1/2 of a clue said before their introduction that the master keys would make their way into the public domain.

    Fast forward to today and most of the TSA master key designs are available for anyone to download and the master keys for the most popular locks are available on sites like ebay for less than $20.

    The real kicker is when bags are destroyed in handling because those that are supposed to have a copy of these keys have either lost them, sold them or just cannot be bothered to use them because a box cutter will do the trick.

  • by e**(i pi)-1 ( 462311 ) on Thursday January 28, 2021 @01:06PM (#61002026) Homepage Journal
    In general, it would be a good idea if one asks the lawmakers proposing backdoor implementation measures to let them install on their own devices first as a proof that things are harmless, then see the reaction when within days or maybe hours their private conversations, browsing habits, medical records, financial data are blasted all over the internet.
    • by HiThere ( 15173 )

      It *has* happened that fast, but usually leaking the keys takes a few years. I forget how long it took the BluRay encryption key to leak, but it was at least several months.

  • by Murdoch5 ( 1563847 ) on Thursday January 28, 2021 @01:22PM (#61002134) Homepage
    If you want to stop terrorism you need to stop the acceptance of religious extremism, and I would go as far as to say the acceptance of religious faith.

    If you force platforms to install back doors, you'll only force those users onto platforms who won't comply, or you'll force those users to go deeper underground to prevent from being tracked, mitigating the back doors' effectiveness for the people you're trying to stop / counter, and hurting the public trust.
  • ... equivalent to a prohibition against communicating using a language that doesn't happen to be known to legislators or law enforcement.

    It is an infringement on both freedom of expression and, ultimately, even on freedom of thought itself. It is misguided, unethical, and wholly wrong.

    Here's the thing... bad people do bad things. It doesn't matter if you try to restrict the tools that bad people can use, because they will just go and invent their own if they have to, or steal what they feel they need, and you won't even ever know about it because they are, you know, bad people.

    Meanwhile, people that did not ever mean to do anything wrong don't have access to these tools and are made *more* vulnerable to the bad actors that *are* out there who have access to tools that only law enforcement was supposed to have. The efforts that it might save law enforcement by having always backdoored encryption are *VASTLY* outweighed by the increased effort that law enforcement would have to undertake to just protect the general public from these people.

    Which belies the most obvious true intention: that having mandatory backdoors in encryption was never about protecting the public or in the interests of simplifying law enforcement's job, but only about having power and control.

    • I think what the governments and law enforcement really want are... fake apps that look like real apps for criminals. Leave the public alone, go and trick the criminals into using the fake stuff that is completely feeding info to the good guys. Just get a warrant first.

      • by mark-t ( 151149 )
        This presumes that criminals are too clueless to discern the difference between a fake app and a real one.
      • by HiThere ( 15173 )

        You are very trusting.

        If you'd said "I think what many people in the governments and law enforcement really want are... ", I'd agree with you, but schemers frequently maneuver their way into decision making positions...and they have a different agenda. Also a large number of law enforcement agents mainly want their job to be easier...so an approach that complex wouldn't satisfy them. And some occasionally have their minds made up without regard to the evidence, and just want to be able to scan everything

  • I've been conversing with ProtonMail's PR on Twitter about their safety. At the moment, you have to give ProtonMail one of:

    1) your real IP
    2) your Credit Card #
    3) your clear email address
    4) your paypal account

    to get an account there. Back in the day you could come in via Tor and donate with Bitcoin to get an account (anti-spam measure). Today they make you ID yourself.

    They stopped responding when their old methods were mentioned (politely). NSL is suspected.

    Last I checked Tutanota had 'enable .onion add

    • It is still an anti-spam measure. This is what they say on the signup page - accessed from Tor:

      To fight spam, please verify you are human. Your email or phone number will not be linked to the account created. It is only used during the signup process. A hash will be saved to prevent abuse of the ProtonMail systems.

      Unless you are running your own mail server, you have to trust the provider. It is a pity they don't allow bitcoin (though that is traceable as well, apparently).

    • by Herve5 ( 879674 )

      Centralized services will always be a target. Sad but true.

      Which is why one should use Jami, or Briar if only small messages are needed.
      These solutions exist now. They don't convince because users critical mass is not reached, and the suppressing of the central server prevents storage, which means both sender and receiver must be online at the same time -which is a bother.
      But you can get you a Jami and a Briar address now.

  • Three out of four of those companies' HQ are located in Switzerland, outside of the jurisdiction of whatever EU regulation

    • So? If they want to do business in the EU (meaning supply services to those who reside in the EU), they'll have to abide by EU rules or the EU won't allow them to operate in the EU.
      • by animaal ( 183055 )

        Doesn't this depend on what we mean by "do business in the EU" though?

        Absolutely if they have offices in the EU then they have to abide by EU rules. But I consume services from some non-EU companies (e.g. video games from Russian companies) and it has nothing to do with the EU. To the extent that I don't even pay VAT. The EU has no jurisdiction over those companies, and no way to know that I pay for their services.

        At least that's how I think it all works.

        • Google "data residency laws". If the data must reside in the EU, then the owner of the data must have servers in the EU. If they have servers in the EU, then they're subject to all other EU laws. You might be able to make a case if they lease the servers from a third party, but IANAL.
  • "But the proposals are the digital equivalent of giving law enforcement a key to every citizen's home and might begin a slippery slope towards greater violations of personal privacy"

    should read "But the proposals are the digital equivalent of giving [EVERYBODY] a key to every citizen's home and might begin a slippery slope towards greater violations of personal privacy"

  • ... give law enforcement more tools to fight crime ...

    You're missing the secret meaning of this demand: It's tools that don't cost more money, since the government already has cyber-surveillance units. That's the real point here. Of course, there are a few others: The declared purpose is enabling the police to spy on criminals but really they mean everybody they don't know and trust, creating a 'us versus them' elitism. And this need for elitism changes reality: Backdoor encryption works only when the 'good guys' use it, which is why this denial of human

  • Statists routinely pass laws that apply to most people but not to them. Here they say they want you to be secure and private -- except from them. It is similar to the travel and restaurant lockdowns now in place that have often been ignored by the same people who put the regulations in force. They are willing to let you protect your privacy -- but not from them. Encryption has faced this sort of government restriction before and overcame it through open source initiatives that spread robust encryption f

  • The only appropriate response here is for enterprising software engineers to break into all accounts of the specific legislators supporting these fundamentally lazy and abusive rules, and then publish all the data captured. Then - and sadly pretty much only then when humans consider themselves above others - will those legislators back off from their extremely well intended and extremely poorly thought out ideas.
  • We just had a major hack into large systems due to a single point of failure: SolarWinds. And that was supposed to be a secure system.

    You want to make this easier for foreign agents introducing forced and known security holes? A "backdoored system" is just a synonym for an insecure system. Those who want it either are technology illiterates, or actually want the nation to be insecure.
