Translated Article: EU Council of Ministers discusses Back Doors in Encryption again
Gilles de Kerchove, the EU’s anti-terror coordinator, is once again working against secure encryption per se. Since these new demands by law enforcement officials to the EU Council of Ministers are not openly accessible anywhere, FM4 is publishing this confidential Council document in full.
The coronavirus pandemic has led to a surge in teleworking worldwide. Instead of working behind firewalls in secure corporate networks, millions of employees worldwide work from insecure home offices. The only real protection is the end-to-end encryption (E2E) of the data traffic.
In the middle of this scenario, the “Five Eyes” secret service alliance is starting the next phase of its global campaign against secure encryption. Again, police law enforcement is used as a vehicle. After the United States, the European protagonist Gilles de Kerchove, the Union’s counterterrorism coordinator, is on the move again. His new initiative is already being discussed behind the upholstered doors of the EU Council of Ministers, and his basic paper from May 8 was leaked to ORF.at.
Newspeak about “Front Doors”
The paper, classified as “limite” – access for a restricted group of people – is the technical addendum to de Kerchove’s letter to the member states, which was published on Thursday by Netzpolitik.org. De Kerchove is bluntly calling for European laws against E2E encryption based on the model of the American EARN IT Act, which was introduced in the US Senate in March. Essentially, providers should be forced to offer encrypted services only if they also produce duplicate keys for all of these communications, which they can hand over to law enforcement officers if necessary.
In the tried-and-tested manner of newspeak, de Kerchove calls these “front doors”, because secret “back doors” should be rejected since they could be misused, as his urgent letter to the governments of the Union puts it. All access would be strictly according to the law, namely authorized by the decision of an ordinary court. What is consistently concealed is the fact that these “front doors” can only work if the existing security routines are systematically broken by such duplicate keys. In this case, one speaks of a “backdoor”, i.e. a back door that compromises not only the “legally monitored” but all users of the respective web service.
How the Lever is used in the United States
In its current form, the upcoming US law EARN IT provides tremendous leverage that is intended to force Internet companies to undermine the security of their services in favor of monitoring. As in Europe, IT corporations that offer web space, communication services etc. to a broad public are generally exempt from liability for the content generated by their users. In the USA, this principle has been in effect since the “Communications Decency Act” of 1996, and the EARN IT Act is intended to abolish this exemption from liability.
That’s what some would like for Europe too. Judging by the order of the technical explanations, access to the content of encrypted smartphones apparently remains a priority for law enforcement officers, although the EU Commission has already provided five million euros to Europol’s European Cybercrime Center to purchase forensic toolkits, in addition to an extensive catalogue of measures. According to the paper, this is not enough, especially since more and more smartphones are being encrypted.
The Document in full
However, it is not mentioned that a growing proportion of logins on smartphones does not happen via passwords, but via fingerprint and face recognition. If the law enforcement officers already have the smartphone in custody, they will most likely also have its owner and thus fingerprints and face. While these demands are still understandable in themselves because they do not endanger the security of everyone’s communication, all four of the following points do.
Then it goes head-on against E2E encryption as offered by WhatsApp, Signal and all other securely encrypted services. This is the main goal of the campaign, which was launched via Europol in 2016 and has already been successful to a certain extent in Australia and the USA. It is argued that extending WhatsApp’s E2E encryption to the entire Facebook group would jeopardize its own measures against “child pornography” and terrorism (point 3). The encryption of data at the protocol level – the most important security measure against cybercriminals – is only dealt with from the point of view of police monitorability. Nothing in de Kerchove’s entire bundle is weighed against anything else; the security of users through the encryption of their data traffic is not an issue at all. Rather, “security” is equated with “monitorability by the police”. All protocols and security mechanisms of the Internet are evaluated solely in terms of their monitorability by the authorities.
Since the document classified as “confidential” is currently not available anywhere, FM4 publishes it here. Only by reading the entire text does the whole arrogance of this approach become visible.