ProtonMail, Threema, Tresorit and Tutanota Warn EU Lawmakers Over 'Anti-Encryption' Push (techcrunch.com)
Four European apps which secure user data via end-to-end encryption, ProtonMail, Threema, Tresorit and Tutanota, have issued a joint statement warning over recent moves by EU institutions that they say are setting lawmakers on a dangerous path to backdooring encryption. From a report: Last month the EU Council passed a resolution on encryption that's riven with contradiction -- calling for "security through encryption and security despite encryption" -- which the four e2e app makers believe is a thinly veiled call to backdoor encryption. The European Commission has also talked about seeking "improved access" to encrypted information, writing in a wide-ranging counter-terrorism agenda also published in December that it will "work with Member States to identify possible legal, operational, and technical solutions for lawful access." Simultaneously, the Commission has said it will "promote an approach which both maintains the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime and terrorism." And it has made it clear there will be no 'one silver bullet' as regards the e2e encryption security 'challenge.' But such caveats are doing nothing to alleviate the concerns of e2e encrypted app makers -- who are convinced that the proposals from the Council of the EU, which is involved in adopting the bloc's laws (though the Commission usually drafts legislation), amount to a push toward backdoors.
"While it's not explicitly stated in the resolution, it's widely understood that the proposal seeks to allow law enforcement access to encrypted platforms via backdoors," the four app makers write, going on to warn that such a move would fatally undermine the security EU institutions also claim to want to maintain. "The resolution makes a fundamental misunderstanding: Encryption is an absolute, data is either encrypted or it isn't, users have privacy or they don't," they go on. "The desire to give law enforcement more tools to fight crime is obviously understandable. But the proposals are the digital equivalent of giving law enforcement a key to every citizen's home and might begin a slippery slope towards greater violations of personal privacy."
Open source and/or free (Score:2)
You can't make them obey silly EU rules, or anybody else's.
Re: Open source and/or free (Score:3)
Sure, except for France.
Re:Open source and/or free (Score:4, Interesting)
My guess on how this will go: They won't want backdoors for important stuff they care about, so large business and governments will have real encryption.
Regular people, small businesses? You are only allowed to use apps that share keys with gov't. You need an "encryption license" to not have shared keys. Sure, you can do it anyway illegally, but expect to go to prison if you get caught. How would you get caught? Pretty easy if the government is monitoring internet traffic and sees stuff they can't decrypt.
Sad, but that's how I see it playing out.
Re: (Score:1)
You're most likely correct. We have to make it blend in with the rest of the noise. It will have to go with steganography. Or, it's back to messaging in the Sunday classifieds
Re: (Score:2)
That's not how it panned out in Australia. Through the Assistance and Access Bill (2018) [homeaffairs.gov.au] they've given themselves the power to order any company to write and install their spyware on any device they've cleared with a judge.
In case what that means isn't obvious, they could for example order Google to write a special onscreen keyboard that sends everything t
Missing: backdoors will be found/used against govs (Score:5, Insightful)
Deciders are not primarily concerned by citizen privacy rights, but by their own security. To have more impact the message should be that backdoors can not be kept secret and thus will sooner or later be used by their enemies (foreign states, political opponents, criminals) against those in power.
Re: (Score:3)
Yep. Law enforcement having keys to everybody's house sounds good (they can go in and save you!) until you realize that it's the same key for everybody's house and that if a single criminal gets a copy of the key then every criminal in the world will immediately have a copy of that key.
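The "one key for every house" point above can be made concrete in code. The following is an added illustration written for this page, not code from any of the thread's posters or from the four vendors: it models a per-conversation key design (plain end-to-end) next to the same design with a single escrow key under which every conversation key is also wrapped, and then measures how many users are exposed when one secret leaks. The cipher is a toy PRF-in-CTR stream cipher with an HMAC tag, built from the standard library only so it runs offline; the user names and messages are constructed sample data, and ESCROW_KEY is a hypothetical stand-in for whatever master secret a lawful-access scheme would have to hold.

```python
"""Blast radius of a single leaked key: per-conversation keys vs. one escrow key.

Added example for this page (not the vendors' or the thread's code). The cipher is a
toy built from HMAC-SHA256 for the demo; the point is the key topology, not the
primitive, so do not reuse it as a real AEAD.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 16


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the encryption and MAC keys derived from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block_i = HMAC(enc_key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || body || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong (tag check fails)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(_subkey(key, b"enc"), nonce, len(body))))


# Hypothetical master secret a lawful-access scheme would have to hold somewhere.
ESCROW_KEY = secrets.token_bytes(32)


def build_traffic(escrow: bool, users=("alice", "bob", "carol")):
    """Each user gets an independent conversation key (constructed sample data).

    In escrow mode every conversation key is additionally wrapped under ESCROW_KEY,
    which is the only thing that differs between the two designs.
    """
    keys = {u: secrets.token_bytes(32) for u in users}
    envelopes = []
    for user, conv_key in keys.items():
        ciphertext = encrypt(conv_key, f"message from {user}".encode())
        wrapped = encrypt(ESCROW_KEY, conv_key) if escrow else None
        envelopes.append((user, ciphertext, wrapped))
    return keys, envelopes


def readable_with(leaked: bytes, envelopes) -> set:
    """Senders whose messages someone holding `leaked` can read.

    The attacker tries the leaked secret as a conversation key and, where an
    escrow wrap is present, as the wrapping key.
    """
    exposed = set()
    for sender, ciphertext, wrapped in envelopes:
        if decrypt(leaked, ciphertext) is not None:
            exposed.add(sender)
        elif wrapped is not None:
            conv_key = decrypt(leaked, wrapped)
            if conv_key is not None and decrypt(conv_key, ciphertext) is not None:
                exposed.add(sender)
    return exposed


def blast_radius(escrow: bool):
    """(users exposed by the worst single key leak, total users) for each design."""
    keys, envelopes = build_traffic(escrow)
    worst = max(len(readable_with(k, envelopes)) for k in keys.values())
    if escrow:
        worst = max(worst, len(readable_with(ESCROW_KEY, envelopes)))
    return worst, len(keys)


if __name__ == "__main__":
    print("end-to-end, worst single leak:", blast_radius(False))
    print("escrow,     worst single leak:", blast_radius(True))
```

With independent conversation keys the worst any one leaked key can do is expose its own conversation; add the escrow wrap and the worst single leak is the escrow key, which exposes everyone. The wrap does not weaken the cipher itself; it changes who can decrypt, which is the whole argument of the thread.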
Re: (Score:2)
Fire departments and real estate agents often actually do have the key to a locked box that contains a key to a home or business.
Evidence that that is not always foolproof:
Even when the fire codes say that businesses must provide a lock box with a key to the business and give the fire department a key to the lock box, the health department won't allow that if the business is a pharmacy (at least in Illinois).
When looking at houses with my son and his real estate
Re: (Score:2)
Also... most police cars already have a big red key in the trunk that will open most houses:
https://www.google.com/search?... [google.com]
The fire department have even bigger ones.
Re: (Score:2)
What are the deciders going to do if a foreign government demands access to their devices when they are traveling in that foreign country?
Something more lasting needs done... (Score:2)
If the enemies of the people of the free world continue to push these anti-free information, anti-encryption, anti-speech, anti-anonymity, anti-neutrality, and generally anti-open policies and efforts throughout the world over and over and over again it is only a matter of time before they sneak them through, find the right poster child case to blind people, etc. Some more permanent tabling of these subjects needs to occur to smash measures which have already slipped through and block future efforts.
Re: (Score:1)
...it is only a matter of time before they sneak them through
It will be eternal cat and mouse, new tech will be developed to circumvent the tyrants.
Re:Something more lasting needs done... (Score:4, Interesting)
I don't think that is a safe bet forever. That has been the case for decades so we get comfortable but I think we've been losing that race in the past decade or so, slowly. The chase can't go on forever not when an AI which requires tyrant level resources to run can crush us at go.
Signal for now, then Jami? (Score:2)
At this moment, with the enormous stir around biased whatsapp and the like, there is no doubt the end2end encrypted Signal is definitely and safely started, with a strongly growing mass of users ensuring the critical mass is reached too.
Then the next step is (again) to prepare a switch towards similarly open-source apps, end2end encrypted, but that will additionally eliminate the last criticality: the risk that someone, or some state, stops the central server.
Signal still needs a server.
Jami doesn't, and i
Case study of the TSA locks ? (Score:5, Insightful)
Anyone with 1/2 of a clue said before their introduction that the master keys would make their way into the public domain.
Fast forward to today and most of the TSA master key designs are available for anyone to download, and master keys for the most popular locks are available on sites like ebay for less than $20.
The real kicker is when bags are destroyed in handling because those that are supposed to have a copy of these keys have either lost them, sold them or just cannot be bothered to use them because a box cutter will do the trick.
drink first the medicine yourself (Score:5, Insightful)
Re: (Score:3)
It *has* happened that fast, but usually leaking the keys takes a few years. I forget how long it took the BluRay encryption key to leak, but it was at least several months.
Why don't we call out the real issue? (Score:3, Insightful)
If you force platforms to install back doors, you'll only force those users onto platforms who won't comply, or you'll force those users to go deeper underground to prevent from being tracked, mitigating the back doors' effectiveness for the people you're trying to stop / counter, and hurting the public trust.
At its very core, this kind of legislation is... (Score:3)
It is an infringement on both freedom of expression and, ultimately, even on freedom of thought itself. It is misguided, unethical, and wholly wrong.
Here's the thing... bad people do bad things. It doesn't matter if you try to restrict the tools that bad people can use, because they will just go and invent their own if they have to, or steal what they feel they need, and you won't even ever know about it because they are, you know, bad people.
Meanwhile, people that did not ever mean to do anything wrong don't have access to these tools and are made *more* vulnerable to the bad actors that *are* out there who have access to tools that only law enforcement was supposed to have. The efforts that it might save law enforcement by having always backdoored encryption are *VASTLY* outweighed by the increased effort that law enforcement would have to undertake to just protect the general public from these people.
Which belies the most obvious true intention: that having mandatory backdoors in encryption was never about protecting the public or in the interests of simplifying law enforcement's job, but only about having power and control.
Re: (Score:2)
I think what the governments and law enforcement really want are... fake apps that look like real apps for criminals. Leave the public alone, go and trick the criminals into using the fake stuff that is completely feeding info to the good guys. Just get a warrant first.
You are very trusting.
If you'd said "I think what many people in the governments and law enforcement really want are... ", I'd agree with you, but schemers frequently maneuver their way into decision making positions...and they have a different agenda. Also a large number of law enforcement agents mainly want their job to be easier...so an approach that complex wouldn't satisfy them. And some occasionally have their minds made up without regard to the evidence, and just want to be able to scan everything
Don't trust ProtonMail (Score:2)
I've been conversing with ProtonMail's PR on Twitter about their safety. At the moment, you have to give ProtonMail one of:
1) your real IP
2) your Credit Card #
3) your clear email address
4) your paypal account
to get an account there. Back in the day you could come in via Tor and donate with Bitcoin to get an account (anti-spam measure). Today they make you ID yourself.
They stopped responding when their old methods were mentioned (politely). NSL is suspected.
Last I checked Tutanota had 'enable .onion add
Re: (Score:2)
To fight spam, please verify you are human. Your email or phone number will not be linked to the account created. It is only used during the signup process. A hash will be saved to prevent abuse of the ProtonMail systems.
Unless you are running your own mail server, you have to trust the provider. It is a pity they don't allow bitcoin (though that is traceable as well, apparently).
Re: (Score:2)
Centralized services will always be a target. Sad but true.
Which is why one should use Jami, or Briar if only small messages are needed.
These solutions exist now. They don't convince because users critical mass is not reached, and the suppressing of the central server prevents storage, which means both sender and receiver must be online at the same time -which is a bother.
But you can get yourself a Jami and a Briar address now.
Jurisdiction (Score:1)
Three out of four of those companies' HQ are located in Switzerland, outside of the jurisdiction of whatever EU regulation
Re: (Score:2)
Doesn't this depend on what we mean by "do business in the EU" though?
Absolutely if they have offices in the EU then they have to abide by EU rules. But I consume services from some non-EU companies (e.g. video games from Russian companies) and it has nothing to do with the EU. To the extent that I don't even pay VAT. The EU has no jurisdiction over those companies, and no way to know that I pay for their services.
At least that's how I think it all works.
digital equivalent of giving [EVERYBODY] a key to (Score:3)
"But the proposals are the digital equivalent of giving law enforcement a key to every citizen's home and might begin a slippery slope towards greater violations of personal privacy"
should read "But the proposals are the digital equivalent of giving [EVERYBODY] a key to every citizen's home and might begin a slippery slope towards greater violations of personal privacy"
Secret meaning (Score:2)
You're missing the secret meaning of this demand: It's tools that don't cost more money, since the government already has cyber-surveillance units. That's the real point here. Of course, there are a few others: The declared purpose is enabling the police to spy on criminals but really they mean everybody they don't know and trust, creating a 'us versus them' elitism. And this need for elitism changes reality: Backdoor encryption works only when the 'good guys' use it, which is why this denial of human
Laws for you but not for me. (Score:2)
Statists routinely pass laws that apply to most people but not to them. Here they say they want you to be secure and private -- except from them. It is similar to the travel and restaurant lockdowns now in place that have often been ignored by the same people who put the regulations in force. They are willing to let you protect your privacy -- but not from them. Encryption has faced this sort of government restriction before and overcame it through open source initiatives that spread robust encryption f
Let's remove the abstraction for those legislators (Score:1)
SolarWinds should have been a warning (Score:2)
We just had a major hack into large systems due to a single point of failure: SolarWinds. And that was supposed to be a secure system.
You want to make this easier for foreign agents introducing forced and known security holes? A "backdoored system" is just a synonym for an insecure system. Those who want it either are technology illiterates, or actually want the nation to be insecure.