Translated Article: US bill against Secure Encryption of Chats

Original: “US-Gesetzesentwurf gegen sichere Verschlüsselung von Chats” (US bill against secure encryption of chats) by Erich Moechel for fm4.ORF.at

A new US law on “Access by law enforcement officers to encrypted data” is intended to force chat providers such as Signal or WhatsApp to incorporate back doors into their security architectures.

In the United States, a bill is on its way to the Senate that has stunned the IT industry. The planned law on “Access by law enforcement officers to encrypted data” turns upside down all the rules that have been in force on the WWW for 25 years. Under it, encrypted chats and data backups for a wide audience could only be offered if the provider holds duplicate keys. That would be the end of end-to-end encryption (E2E) as offered by Signal, WhatsApp and others.

The same applies to hardware manufacturers, who would have to provide access for law enforcement officers, i.e. back doors. This is primarily aimed at iPhones. The bill, backed by three Republican hardliners, is not a US solo effort: Gilles de Kerchove, the EU counter-terrorism coordinator, Europol and conservatives in the EU Council of Ministers have been calling for the same thing since May.

Worldwide Campaign against E2E

The targets of intelligence agencies and law enforcement officers are the same on both sides of the Atlantic. Large providers such as Facebook are to be pressed not to offer any genuinely end-to-end encrypted services. “End-to-end” means that the encryption keys are negotiated between the users’ end devices. Because the service provider plays no part in that negotiation, it holds no keys that could be handed over to law enforcement on demand.
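To make that sentence concrete, here is an added Python example, written for this translation and not code from the original article or from any of the providers named. Two devices negotiate a session key with Diffie-Hellman through a relay server that only forwards bytes; the server’s log shows what a provider in that position could actually hand over on request (public values and authenticated ciphertext, no key and no plaintext). The 1024-bit prime is assumed to be RFC 2409’s second Oakley group, and the HMAC-based stream cipher is a teaching construction standing in for a vetted AEAD.

```python
"""Added example: end-to-end key agreement through an untrusted relay.
Standard library only; the relay server never holds a key it could surrender."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime, assumed to be RFC 2409's "Second Oakley Group" (quoted
# from memory).  The demonstration runs correctly regardless of the exact value.
_P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
P = int(_P_HEX, 16)
G = 2
GROUP_BYTES = 128            # wire size of one group element
NONCE_LEN, TAG_LEN = 16, 32


class Endpoint:
    """One user's device: its private value never leaves it."""

    def __init__(self, name):
        self.name = name
        self._priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._priv, P)        # safe to send via the provider
        self.key = None

    def derive_key(self, peer_pub):
        """Session key from the peer's public value and our private one."""
        shared = pow(peer_pub, self._priv, P).to_bytes(GROUP_BYTES, "big")
        self.key = hashlib.sha256(b"e2e-demo|" + shared).digest()
        return self.key


class RelayServer:
    """The provider: forwards bytes and logs everything it can see."""

    def __init__(self):
        self.log = []                             # (sender, recipient, payload)

    def forward(self, sender, recipient, payload):
        self.log.append((sender, recipient, bytes(payload)))
        return payload

    def saw_bytes(self, needle):
        """Could the provider hand over these bytes on request?"""
        return any(needle in payload for _, _, payload in self.log)


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a teaching construction, not a vetted AEAD.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: ciphertext was modified")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def run_exchange(message):
    """Alice sends `message` to Bob via the provider; report who ended up with what."""
    server = RelayServer()
    alice, bob = Endpoint("alice"), Endpoint("bob")
    # Key negotiation: only public group elements cross the server.
    bob.derive_key(int.from_bytes(
        server.forward("alice", "bob", alice.pub.to_bytes(GROUP_BYTES, "big")), "big"))
    alice.derive_key(int.from_bytes(
        server.forward("bob", "alice", bob.pub.to_bytes(GROUP_BYTES, "big")), "big"))
    # Message: the server forwards opaque, authenticated ciphertext.
    blob = server.forward("alice", "bob", encrypt(alice.key, message))
    return {
        "received": decrypt(bob.key, blob),
        "keys_match": alice.key == bob.key,
        "server_saw_key": server.saw_bytes(alice.key),
        "server_saw_plaintext": bool(message) and server.saw_bytes(message),
        "server_log_entries": len(server.log),
    }


def tamper_detected(message):
    """A single flipped ciphertext bit in transit must be rejected by the recipient."""
    key = hashlib.sha256(b"constructed test key").digest()   # constructed, not negotiated
    blob = bytearray(encrypt(key, message))
    blob[NONCE_LEN] ^= 0x01                                  # first ciphertext byte
    try:
        decrypt(key, bytes(blob))
    except ValueError:
        return True
    return False
```

`run_exchange(b"...")` returns `received` equal to the message, `keys_match` true and both `server_saw_*` flags false after three logged forwards. A provider that had to satisfy a duplicate-key requirement would need to take part in `derive_key` or be sent the result afterwards; nothing in the protocol above puts it in that position, which is exactly what the bill would force providers to change.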

To prevent such a scenario, intelligence agencies and law enforcement officers have run successive campaigns since 2015 to push governments into changing the law. These campaigns began in the Anglo-Saxon world. Via Europol, de Kerchove and, above all, the British, the demand reached the European Union to take legislative steps against E2E encryption offered by large social networks and chat providers.

Legislative Change Reaching Back to 1995

In the United States, this takes the form of amendments to existing laws, in particular the Communications Assistance for Law Enforcement Act (CALEA). Since 1995, telecoms have been obliged to build surveillance interfaces into the then new digital mobile networks and to hand data to the authorities unencrypted for investigations. The latter, however, only if they held the necessary keys, because a general ban on secure encryption was not enforceable even then.

CALEA has provided clear conditions since 1995, but that is now set to change, because the relevant passages are to be deleted. Instead of “encryption that the provider performs”, the text would read “encryption that the provider provides or enables”. As a consequence, Apple, WhatsApp, Signal and all other providers of encrypted chats would have to build back doors for law enforcement officers into their systems in order to comply with the law.

Liability as a Lever against Providers

And then there is the EARN IT Act, which has been working its way through the Senate committees since March. This bill goes in exactly the same direction. In a nutshell: communication providers that offer E2E-encrypted services to a wide audience would become liable if they cannot deliver the material unencrypted when presented with a search warrant for so-called “child pornography”. As in Europe, IT corporations that offer web space, communication services and the like to a broad public are generally exempt from liability for the content their users generate. In the USA this principle has applied since the “Communications Decency Act” of 1996, in Europe through the E-Commerce Directive of 2000; the EARN IT Act would abolish this liability exemption.

The Back Door of the Front Door

In the United States, two new legal levers are being prepared to undermine the security of communication services in favour of their controllability. If de Kerchove and other hardliners have their way, Europe will get the same. His list of the obstacles encryption poses to law enforcement and the wish list in the new US bill look as if they were copied from each other. What is completely missing from all the relevant legislative projects is an assessment of the consequences of undermining the providers’ security architecture. Regardless of whether the monitoring interfaces are called “back doors” or “front doors”, they can only work if the existing security routines are systematically broken. That compromises not only the data security of “lawfully monitored” suspects but that of every user of the service in question.
