We have some more translated news for you. In theory it is an article about policies and the process of law-making. In practice it concerns the use of encryption and everyone relying on service providers (mostly connected to the Internet, i.e. „cloud providers“). No matter how cool your start-up is and what its products aim to replace, information security will probably need a backdoor-free and working encryption technology as a core component. This is exactly why you cannot stay focused on the technology alone. Threats may come in the guise of new laws or regulations (think Wassenaar Arrangement). Matthias Monroy has some information about the official stance of the German government regarding the currently raging „crypto wars“. Enjoy!
Federal Ministry of the Interior: The “Cornerstones of German encryption policy“ from 1999 still remain
Author: Matthias Monroy
Published: 17.06.2015, 17:09
The [German] Ministry of the Interior (BMI) took a clear stand in it’s reply to a brief parliamentary inquiry on the current crypto debate. The inquiry was triggered by, among others, statements of the heads of Europol and Interpol, who warn of an increasing use of encryption technologies. According to the head of Europol these are ”one of the main instruments of terrorists and criminals”. Previously, the EU anti-terrorism coordinator Gilles de Kerchove had demanded to force Internet and telecommunications providers to install backdoors for encrypted communication. Now the EU Commission is preparing a series of meetings with Internet service providers that shall lead to the creation of a joint forum, to ”provide room” for the ”concerns of the law enforcement agencies” regarding the new encryption techniques.
The brief parliamentary inquiry focused on the possibilities (of federal authorities) to ”circumvent, lever-out or disable encryption technologies”. In his reply state secretary Günther Krings referred to the ”Cornerstones of German encryption policy”, a federal statement released in 1999. It was adopted under the former German Chancellor Gerhard Schröder of the SPD-Green Cabinet and was meant as contribution to the then ongoing crypto debate, a time when the demand for installation of backdoors was very fashionable.
Furthermore, the cabinet decision “cornerstones of German encryption policy” from 1999 still endures. The digital agenda of the federal government includes the goal to make Germany the “no.1 encryption location”. The development and consistent use of trustworthy IT security technologies are crucial for businesses, government and citizens in today’s information society. Therefore, the specific weakening or regulation of encryption technology is not pursued by the federal government.
Decryption allowed within “the Realms of Possibility”
The by now 16 year old document states that the government ”does not intend to restrict the free availability of encryption products in Germany”. Instead it strives to ”strengthen the users confidence in the security of encryption”. Nonetheless, it says by way of restriction:
By spreading strong encryption methods, the statutory powers of the law enforcement and security agencies to monitor telecommunication may not be undermined.
In the current response the access of police, customs and intelligence services to monitor telecommunication is out of question as well – however, without mentioning tools like Trojan [malicious] software. But ”authorized bodies” have the right to know about communication content and in this regard encrypted communication will be treated no differently than unencrypted. To possible extent these ”authorized bodies” may ”decrypt legally intercepted, but user-side encrypted communication within the realms of technical possibility […]”.
In Germany there is no obligation to hand over keys or passwords of user-side encrypted communication. But, according to the BMI, keys found in a search, seizure or by ”demand to surrender” can be used to decrypt intercepted communication. This likely includes searching through computer systems.
More co-operation with Service Providers
Decryption of non-user side encrypted communication however, may be implemented by a request to the provider:
As far as telecommunication providers encrypt communication in transit on their networks, this encryption must be removed by the telecommunication providers before they transfer it to the authorities.
Like Europol, Interpol, the European Commission, and the EU anti-terrorism coordinator the BMI sees ”problems in the identification of offenders” due to the increasing use of encryption technologies.
That is why the Federal Government wants to expand the cooperation of the European Commission with Facebook, Google & Co.:
Therefore, from the perspective of the Federal Government, any dialogue with internet service providers, to look for ways to meet the different needs, in relation of data protection to danger prevention and prosecution, is welcomed.