Translated Article: New EU Regulation makes securely encrypted Chats illegal

Sanna/ July 13, 2022/ Stories

Neue EU-Regulierung macht sicher verschlüsselte Chats illegal by Erich Moechel for

[This article has been sitting in our translation queue for a while. We have translated the content, because Erich monitors the development of the war against encryption for many decades and has always deep insights into the processes behind the scenes.]

The word “encryption” is hardly mentioned directly in the Commission’s draft, which aims to make end-to-end encryption illegal in general. Series, Part 1.

The EU Commissioner Ylva Johansson’s Regulation on Combating Child Abuse on the Internet, which was presented on Wednesday, caused incredulous amazement in the professional world. “This will be the most sophisticated system of mass surveillance ever set up outside of Russia or China,” prominent cryptographer Matthew Green wrote in a first reaction on Twitter.

Securely encrypted chats are de facto prohibited by the requirements for search warrants, and all platforms must set up monitoring interfaces for this. On top of that, data retention of large data sets with private chats is planned.

The document, including detailed explanations by the Commission and recitals, has a length of 135 pages and was leaked by Politico magazine on Tuesday afternoon. The text then spread like wildfire, and this regulation has been the number one topic in the IT security industry ever since. The official text of the regulation was released for download by the Commission on Wednesday afternoon.

E2E is banned but hardly mentioned

Throughout the text, the aim of this draft regulation, namely to force the platforms to break secure encryption and thus make it monitorable or not to offer it at all, is mentioned exactly three times – and there twice only indirectly. On the one hand this happens in a subordinate clause, as it is initially noted that most of the answers to the previous public consultation only concerned the question of encryption and came from Germany. It is also insinuated that there was an organized campaign by unspecified interest groups.

The procedure that this draft regulation wants to impose on the platforms is explained quite simply: If there is a “detection order” from law enforcement officers – or whoever – then the operators must secure all data records defined in this search warrant, save them and search them in sequence . How they should do that when these communications are end-to-end encrypted is not even mentioned. So the same trick is used here that was used in the copyright regulation. E2E encrypted chats – even in larger groups – have been the general security standard for chats on all major platforms for years.

Under the guise of technology neutrality

These “detection orders” have to be obeyed, it says, how the platforms should do this in view of E2E encryption is generously left to the providers. There is basically no such “solution” for E2E encryption, since the apps or browsers on the end devices negotiate a temporarily valid so-called “session key” with each other, with which the respective chat is encrypted. This process happens directly between the user’s end devices, which means that neither the platform operator nor third parties can read it. This is also how end-to-end encryption is technically defined.

“Therefore, this regulation leaves the choice of the technologies used to the provider,” they just have to be in line with the requirements of the search warrants. Under the cloak of technology neutrality, the authors of this regulation present the platforms with a classic dilemma. If they meet the regulatory requirements, the end-to-end encryption must be compromised by an additional duplicate or master key. This is the opposite of E2E. Right in the next sentence, end-to-end encryption is described as “an important tool for the security and confidentiality of communications from users and children alike”.

Five different levels of regulation are presented here. Of these, only Option A is fully compatible with the EU Charter, the Union’s fundamental law. All other options are increasingly extremist variants of option B. In view of the information available so far, it is not surprising that the Commission prefers the most extreme variant, namely option E, with sleepwalking certainty. It also includes data retention of the data records.

“Security and Confidentiality”

If such a “detection order” is executed, “the providers have to take all security precautions possible to ensure that the technologies used are not used by the platforms, their employees or third parties for purposes other than those mentioned in the regulation”, it says in recital 28. This is necessary “to ensure the security and confidentiality of user communications”. This passage can hardly be surpassed in terms of bigotry paired with alleged technological neutrality. The Commission’s lawyers are ordering the security and confidentiality of personal chats, which is currently guaranteed by E2E-encrypted communication, to be lifted in order to be able to fulfill the search orders.

This overturning of the security measures should then be designed in such a way that security and confidentiality continue to be ensured. Anyone who writes such nonsense that makes every technician’s hair stand on end has either never dealt with security technology or is deliberately pretending to be clueless. All previous quotations come from the introduction or the recitals. The text of the regulation does not mention once that this regulation calls into question a security standard on the Internet that has been common for years. The same scam was already used in the text of the 2017 copyright policy. Upload filters are not mentioned once in the entire text, but the specifications are designed in such a way that they can only be technically met through the use of upload filters.

“Security through and despite encryption”

In terms of content, this text corresponds exactly to the paradoxical motto “Security through encryption, security despite encryption” of the German Council Presidency, which opened the frontal attack on secure encryption in 2020 with a resolution in the Council of Ministers. The word “security” is simply used in two different meanings, in the first part as “security through confidentiality” in the second part of the slogan as “public security”. This draft, pushed by Home Affairs Commissioner Ylva Johansson, uses exactly the same dishonest methods of deliberately misleading the public as to the real facts.

That’s not all bigotry this draft has to offer, as there is a third mention of encryption in the document, and that’s on the cover sheet (see screenshot above). “Distribution only on a ‘need to know’ basis”, which means that only those people who absolutely need to know the document will receive it. In addition, the text should “not be transported openly in public” and should be stored and transmitted securely in encrypted form. Copies should be shredded or securely deleted.

Share this Post