Press Release: A 40-year Step Backwards for Secure Communication
The UK government’s Online Safety Bill wants to set the state of the art for secure communication back 40 years. The proposal includes compulsory backdoors for communication platforms and would render modern encryption technologies completely futile. If implemented, the secure messenger Signal will withdraw from the British market. The law is a serious threat to businesses and represents an unprotected gateway for espionage.
“Crypto Wars” – the fight against security
Secure communication has been under constant legal attack since it became widespread. The secure exchange of messages is perceived as a threat because, technically, no monitoring of correspondence can be implemented. The encryption software Pretty Good Privacy (PGP) was created in 1991 by Phil Zimmermann. After the code was published on the internet and spread internationally in the following years, Zimmermann became the target of investigations by the United States in 1993 for violating export restrictions on strong encryption. The legal export of PGP remained blocked until 1995, when the source code was published in book form. PGP is historic, still in use today, and its history illustrates very well a chapter of the so-called “Crypto Wars” waged by governments against protection from spying.
In recent decades, the EU, the USA and Great Britain have repeatedly attempted to restore the technical status quo of the 1980s. The discussion about the controversial chat control is the next attempt. This time, the aim is not to restrict encryption algorithms, but to demand the installation of backdoors in mobile phones and computer systems right from the start. The assumption is that only well-intentioned agencies, such as the police or investigating authorities, will use these backdoors. In reality, these built-in vulnerabilities will be available to anyone who wants to intercept communications or carry out attacks. This opens up one’s own communication to all attackers worldwide.
Industrial espionage as normality
All companies, organizations and authorities nowadays rely on secure communication. Digitization now covers many workflows and processes. Not only messages, but also data are transported securely between different points. Various messenger systems that guarantee secure communication between two or more endpoints have become established, especially for mobile phones. This end-to-end encryption is an important component of information security in general. It also corresponds to the state of the art and is recommended by authorities and certifications. There is no alternative way to protect messages and data in transit.
Documented attacks against vulnerabilities in network infrastructure and other systems have been known for over 20 years. A prominent case is the so-called “Athens Affair”, in which over 100 people in the Greek government were wiretapped by unknown persons. The attack took place after the Olympic Games in 2004. The legally required monitoring interfaces of the mobile phone network were affected. Through these backdoors, telephone calls and exchanged messages could be recorded unnoticed and without leaving traces. The perpetrators are still unknown. The British “Online Safety Bill” and the “chat control” discussed in the EU now call for exactly these threats to be legally prescribed. This means that the possibilities for industrial espionage are enshrined in law.
Security must remain secure
Ironically, the UK Ministry of Defence has also noted that communication must be secure. The company Element, which provides secure communication services, is based in the UK. Company spokespersons have announced that Element has already lost customers in anticipation of the “Online Safety Bill”. Among them is the UK Ministry of Defence. If the planned law is implemented, the backdoors it calls for will affect private individuals, businesses, government agencies and the government in equal measure. This means that government bodies are also exposed to espionage and can be eavesdropped on. Moreover, it is conceivable that the backdoors will entail additional vulnerabilities that are not yet foreseeable. According to a press release, even the Public Prosecutor’s Office in Cologne sees no need for the destruction of end-to-end encryption, because the real obstacle is a lack of personnel.
The consequence of the “Online Safety Bill” and chat control will be the migration of communication to secure alternatives. The laws will then not have the desired effect, because such evasive measures have already proven effective in the past. Ultimately, communications platforms will leave the UK or EU market. Meredith Whittaker, the president of Signal, has already announced that Signal Messenger will no longer be available in the affected countries if the surveillance law is implemented. WhatsApp has announced something similar.
The perfidious thing about the proposed laws is the attack on the devices and operating systems themselves. Until the 1990s, mathematical algorithms or their key lengths were put on banned lists. The new proposals now compromise the entire system used to send and receive messages. The laws will not change the lack of personnel and the backlog in forensic evaluations.
Programmes and booking
The DeepSec 2023 conference days are on 16 and 17 November. The DeepSec trainings will take place on the two preceding days, 14 and 15 November. All trainings (with announced exceptions) and presentations are intended to be face-to-face events, but may be partially or fully virtual due to future COVID-19 measures. For registered participants, there will be a stream of the lectures on our internet platform.
The DeepINTEL Security Intelligence Conference will take place on 15 November. As this is a closed event, we ask for direct enquiries about the programme by using our contact addresses. We will provide strong end-to-end encryption for communication: https://deepsec.net/contact.html
Tickets for the DeepSec conference and trainings can be ordered online via the link https://deepsec.net/register.html. Discount codes from sponsors are available. If you are interested, please contact us at deepsec@deepsec.net. Please note that we depend on timely ticket orders for planning certainty.