Tag: Encryption

Update: The Council of the European Union publishes recommendations on encryption

8. December 2020

In November, the Austrian broadcasting network “Österreichischer Rundfunk” sparked a controversial discussion by publishing leaked drafts of the Council of the European Union (“EU Council”) on encryption (please see our blog post). After these drafts had been criticized by several politicians, journalists and NGOs, the EU Council published “Recommendations for a way forward on the topic of encryption” on December 1st, in which it considers it important to carefully balance between protecting fundamental rights with ensuring law enforcement investigative powers.

The EU Council sees a dilemma between the need for strong encryption in order to protect privacy on one hand, and the misuse of encryption by criminal subjects such as terrorists and organized crime on the other hand. They further note:

“We acknowledge this dilemma and are determined to find ways that will not compromise
either one, upholding the principle of security through encryption and security despite
encryption.”

The paper lists several intentions that are supposed to help find solutions to this dilemma.

First, it directly addresses EU institutions, agencies, and member states, asking them to coordinate their efforts in developing technical, legal and operational solutions. Part of this cooperation is supposed to be the joint implementation of standardized high-quality training programs for law enforcement officers that are tailored to the skilled criminal environment. International cooperation, particularly with the initiators of the “International Statement: End-to-End Encryption and Public Safety“, is proclaimed as a further intention.

Next the technology industry, civil society and academic world are acknowledged as important partners with whom EU institutions shall establish a permanent dialogue. The recommendations address internet service providers and social media platforms directly, noting that only with their involvement can the full potential of technical expertise be realized. Europol’s EU Innovation Hub and national research and development teams are named key EU institutions for maintaining this dialogue.

The EU Council concludes that the continuous development of encryption requires regular evaluation and review of technical, operational, and legal solutions.

These recommendations can be seen as a direct response to the discussion that arose in November. The EU Council is attempting to appease critics by emphasizing the value of encryption, while still reiterating the importance of law enforcement efficiency. It remains to be seen how willing the private sector will cooperate with the EU institutions and what measures exactly the EU Council intends to implement. This list of intentions lacks clear guidelines, recommendations or even a clearly formulated goal. Instead, the parties are asked to work together to find solutions that offer the highest level of security while maximizing law enforcement efficiency. In summary, these “recommendations” are more of a statement of intent than implementable recommendations on encryption.

The Controversy around the Council of the European Union’s Declaration on End-to-End Encryption

27. November 2020

In the course of November 2020, the Council of the European Union issued several draft versions of a joint declaration with the working title “Security through encryption and security despite encryption”. The drafts were initially intended only for internal purposes, but leaked and first published by the Austrian brodcasting network “Österreichischer Rundfunk” (“ORF”) in an article by journalist Erich Möchel. Since then, the matter has sparked widespread public interest and media attention.

The controversy around the declaration arose when the ORF commentator Möchel presented further information from unknown sources that “compentent authorities” shall be given “exceptional access” to the end-to-end encryption of communications. This would mean that communications service providers like WhatsApp, Signal etc. would be obliged to allow a backdoor and create a general key to encrypted communications which they would deposit with public authorities. From comparing the version of the declaration from 6 November 2020 with the previous version from 21 October 2020, he highlighted that in the previous version it states that additional practical powers shall be given to “law enforcement and judicial authorities”, whereas in the more recent version, the powers shall be given to “competent authorities in the area of security and criminal justice”. He adds that the new broader wording would include European intelligence agencies as well and allow them to undermine end-to-end encryption. Furthermore, he also indicated that plans to restrict end-to-end encyption in Western countries are not new, but originally proposed by the “Five Eyes” intelligence alliance of the United States, Canada, United Kingdom, Australia and New Zealand.

As a result of the ORF article, the supposed plans to restrict or ban end-to-end encryption have been widely criticised by Politicians, Journalists, and NGOs stating that any backdoors to end-to-end encryption would render any secure encryption impossible.

However, while it can be verified that the “Five Eyes” propose the creation of general keys to access end-to-end encrypted communications, similar plans for the EU cannot be clearly deduced from the EU Council’s declaration at hand. The declaration itself recognises end-to-end encryption as highly beneficial to protect governments, critical infrastructures, civil society, citizens and industry by ensuring privacy, confidentiality and data integrity of communications and personal data. Moreover, it mentions that EU data protection authorities have identified it as an important tool in light of the Schrems II decision of the CJEU. At the same time, the Council’s declaration illustrates that end-to-end encryption poses large challenges for criminal investigations when gathering evidencein cases of cyber crime, making it at times “practically impossible”. Lastly, the Council calls for an open, unbiased and active discussion with the tech industry, research and academia in order to achieve a better balance between “security through encryption and security despite encryption”.

Möchel’s sources for EU plans to ban end-to-end encryption through general keys remain unknown and unverifiable. Despite general concerns for overarching surveillance powers of governments, the public can only approach the controversy around the EU Council’s declaration with due objectivity and remain observant on whether or how the EU will regulate end-to-end encryption and find the right balance between the privacy rights of European citizens and the public security and criminal justice interests of governments.

EU Member States address issues on encryption in criminal investigations

30. November 2016

Recently, Italy, Latvia, Poland, Hungary and Croatia, have proposed a new legislation, which could facilitate police investigators to access the different entities’ encrypted information in order to make it easier to crack open encryption technology.

According to the Polish officials, “One of the most crucial aspects will be adopting new legislation that allows acquisition of data stored in EU countries in the cloud”.

European countries were asked by the Slovakian government (which holds the current presidency of the EU Council) to identify the way, in which their law enforcement authorities deal with technology preventing from the communication interception as long as they are not authorised to get the information.

Via a freedom of information request, twelve countries, amongst others Finland, Italy, Swedem or Poland, responded to the Dutch internet rights NGO Bits of Freedom, that they frequently encounter encrypted data while carrying out criminal investigations. The UK and Latvia indicated that it happens ‘almost always’.

Ultimately a dispute on prohibiting or creating backdoors in order to weaken encryption for digital and telecommunication services has raised among Germany and European Union.

Even though Germany has dismissed charges that the government is pushing companies to create encryption backdoors in their products, Angela Merkel has announced that investigators will pay more attention to tracing criminals who use the darknet and encryption, especially since the shooting in Munich in July.

So far however, Europol, ENISA and the Commission´s vice president Andrus Ansip oppose creating the backdoors weakening encryption.

USA: Is the government able to require users to unlock smartphones via fingerprints?

25. May 2016

Most of the market leaders in smartphone manufacturing have been developing fingerprint sensors as a security measure in order to protect the smartphone against unauthorized access. However, legal complications might force them to reconsider this security measure.

As NBC reported, a woman in California was compelled by a search warrant to unlock her iPhone via fingerprint in February. Some experts say, that this falls in a legal gray area.

Although it has not been clarified why the FBI wanted the iPhone of the woman in California, as the search warrant did not specify the reason the FBI wanted access to the phone, only that it was granted. The smartphone, however, was found in the home of the boyfriend, who is a suspected gang member, as the Los Angeles Times reported in April.

Is there a difference in opening the smartphone via passcode and via fingerprint?

Neil Richards, a privacy law professor at Washington University, said that opening the smartphone with a passcode violates the Fifth Amendment protection against self-incrimination, whereas the use of a fingerprint provides law enforcement some legal cover. He went on “Most people don’t draw a distinction between a fingerprint and a password, but the law does”.  The problem is due to the fact that the laws have been made before smartphones were invented. According to the respected law, it is allowed to collect physical evidence during the course of an arrest, such as DNA evidence or fingerprints. Therefore, typing a passcode, for example 1-2-3-4, in order to access a smartphone counts as testimonial whereas the fingerprint sensor that also opens the smartphone, only with biometric data instead of a password, can be seen as physical evidence.

Due to the fact that eight people are killed and 1,161 are injured every day in the USA as a result of distracted driving, there is the discussion to implement a test for texting while driving. As the New York times reported that the state legislature considers roadside tests called the Textalyzer. Police officers would be able to plug a cellphone into a laptop and determine if it was used while driving. However, in case a police officer looks at the content of a phone the Textalyzer could cause a number of privacy problems.

Richards concluded “They’re going to start thinking twice about nudging people toward just using fingerprints. It is secure against private parties, but under current law, it’s not as secure against the government.”

 

Category: USA
Tags: ,

FBI paid probably more than 1 Million for cracking San Bernardino iPhone

26. April 2016

NBC News reports that FBI Director James Comey might have disclosed how much the agency spent for cracking the iPhone of the San Bernardino attackers.

Comey commented on the case so that the organization paid “a lot, more than I will make in the remainder of this job, which is seven years and four months, for sure” at a security conference in London. He went on that it “was in my view worth it” and that the FBI will now be able to crack any other iPhone 5s with IOS 9 by using the developed software.

Based on this given timeframe and by multiplying his salary of $180,000 per year, NBC News comes to a figure of $1.3 million. However, there was no official comment on part of the FBI.

Category: USA
Tags: , ,

Tech coalitions write open letter over US bill banning encryption

21. April 2016

A Tech group just wrote an open letter to US Senators Richard Burr and Dianne Feinstein, concerning their bill requiring all encryption to be breakable on command.

The mentioned letter starts by saying “We write to express our deep concerns about well-intentioned but ultimately unworkable policies around encryption that would weaken the very defenses we need to protect us from people who want to cause economic and physical harm.” and goes on by pointing out “unintended consequences”.

Reform Government Surveillance, the Computer and Communications Industry Association, the Internet Infrastructure Coalition, and the Entertainment Software Association have signed the letter. Those four represent most of the major internet and tech companies such as Microsoft, Google, Amazon, eBay, Facebook, Netflix and Verisign.

At the same time an US survey from ACT concludes that 93 percent of peole being asked answered it is important that their data is secured and that 92 percent of people being asked support strong encryption on their devices.

 

Category: USA
Tags:

WhatsApp just added end-to-end encryption

6. April 2016

WhatsApp is an online messaging service, that has grown into one of the most used applications, owned by Facebook. Messages, phone calls and photos are exchanged via WhatsApp by more than a billion people. Therefore, only Facebook itself operates a larger communications network.

This week was revealed that the company has added end-to-end encryption to every form of communication developed by a team of 15 of out of 50 overall employees for any person using the latest version of WhatsApp, so that all messages, phone calls and photos are encrypted. This regards any smartphone, from iPhones to Android phones to Windows phones. By encrypting end-to-end not even WhatsApp’s employees have access to the data sent through this communication network. This means that WhatsApp will not be able to comply with a court order demanding the disclosure of the content of messages, phone calls and photos sent by using its service.

This way of encryption has generally led to a public discussion between technology companies and governments. For example, in the UK, politicians have proposed banning this encryption so that companies should be forced to install “backdoors” in order to be able to disclose the content only to law enforcement.

 

Category: Countries · EU · USA
Tags: , ,