ungleich-staticcms/content/u/blog/the-dangerous-eu-draft/contents.lr

131 lines
5.4 KiB
Text
Raw Normal View History

2020-11-09 11:28:34 +00:00
title: The new EU draft endangers everyone's security
2020-11-09 10:57:24 +00:00
---
pub_date: 2020-11-09
---
author: ungleich
---
twitter_handle: ungleich
---
_hidden: no
---
_discoverable: yes
---
abstract:
The EU is about to make the life of all citizens more
dangerous. Besides the ones it tries to target.
---
body:
## TL;DR
The EU is trying to disable encryption for everyone.
However, this approach is fundamentally flawed, as the bad guys don't
follow the law.
## Introduction
The Council of the European Union [has published a
draft](https://www.heise.de/downloads/18/2/9/9/8/5/2/0/eu-council-draft-declaration-against-encryption-12143-20.pdf)
which requires everyone who is offering secure communication channels
to allow authorities to read the communication.
The motivation is clear: terrorist attacks and unlawful behaviour
2020-11-09 11:28:34 +00:00
should be prevented by wiretapping. No crime is better for everyone.
2020-11-09 10:57:24 +00:00
So far, so good. In theory.
2020-11-09 11:28:34 +00:00
## First problem: reducing security affects everybody
2020-11-09 10:57:24 +00:00
The first problem is that modern encryption is not easy to break, or
2020-11-09 11:28:34 +00:00
let's put it clearly: it is almost impossible to break. Thus passing
2020-11-09 10:57:24 +00:00
this law requires decades of work to be undone. To make systems that
have been mathematically proven to be secure, more insecure.
This reduces security for any communication by default. And this does
not only affect terrorists, but also government agencies and the
general public.
2020-11-09 11:28:34 +00:00
Thus it also reduces the freedom of speech. There are activists out there
2020-11-09 11:40:41 +00:00
(f.i. in the area of climate change) that fear their life, if their
2020-11-09 10:57:24 +00:00
communication is revealed, because some governments do not allow free
speech.
## Second problem: the bad guys don't comply
One of the strangest problems with the EU proposal is that the idea is
2020-11-09 11:28:34 +00:00
to make this into a law that everyone has to follow. Or, more precisely: the
2020-11-09 10:57:24 +00:00
idea is that companies like Whatsapp or Signal have to provide keys or
backdoors into their systems that authorities can use for wiretapping.
Now, this is a crucial problem. Because companies like us, ungleich,
also provide [secure communication using
Matrix](https://ungleich.ch/u/products/hosted-matrix-chat/). And we
2020-11-09 11:28:34 +00:00
are not in the EU (fact check: Switzerland is not in the EU).
2020-11-09 10:57:24 +00:00
2020-11-09 11:28:34 +00:00
See the problem? No? Well, let's say you are the bad guys and you plan
2020-11-09 10:57:24 +00:00
to coordinate some attack. What do you do?
2020-11-09 11:28:34 +00:00
You run your own chat system. It is very easy to do. It cannot be
2020-11-09 10:57:24 +00:00
technically prevented. It might be against the law in the EU to run a
chat system that does not allow backdoor access, ok. But then again - you
are going to do something that is against the law anyway. So this is
the least of your problems.
So the proposed law is actually doing the opposite of its intention:
* It reduces security for everyone who is behaving according to law
2020-11-09 11:28:34 +00:00
* It does not prevent unlawful parties from communicating securely
2020-11-09 10:57:24 +00:00
## Third problem: criminalizing science
Apart from the obvious two really strong problems, the law might
actually lead to research and science being prohibited. The underlying
2020-11-09 11:28:34 +00:00
algorithms are usually based on mathematically hard-to-solve
2020-11-09 10:57:24 +00:00
problems.
The problems are carefully researched and in the end used to provide
security, confidentiality and integrity.
2020-11-09 11:28:34 +00:00
Researchers can be hindered by legal questions whether or not they
are able to solve mathematical problems. Which then again can and will stop the progress in other areas of science as well. This all sounds terribly wrong, doesn't it?
2020-11-09 10:57:24 +00:00
## Fourth problem: a new attack vector
2020-11-09 11:28:34 +00:00
Let's assume for a moment that none of the above problems is already
2020-11-09 10:57:24 +00:00
crucial enough to stop the whole motion. There is one more big and
crucial problem: if authorities have a backdoor into your
communication, this backdoor needs to be submitted to the
authorities. It needs to be securely stored by authorities.
2020-11-09 11:28:34 +00:00
It means that this law will make authorities a very interesting target for hacking into. You do
not need to attack a technically very secure system. You can just hack
2020-11-09 10:57:24 +00:00
the authorities server and you gain access to everyone's
communication.
2020-11-09 11:28:34 +00:00
This enables much easier access for terrorists, foreign (enemy) governments and
2020-11-09 10:57:24 +00:00
everyone else who is interested in getting access to your
communication.
## Summary
2020-11-09 11:28:34 +00:00
The proposed draft is dangerous for everyone except the criminals. It is dangerous for civilians,
governments, journalists, whistle-blowers and even the science and medical
sectors.
2020-11-09 10:57:24 +00:00
2020-11-09 11:48:41 +00:00
The whole approach is fundamentally flawed and if passed as-is reduces
2020-11-09 10:57:24 +00:00
security for everyone, but the bad guys.
We urge everyone reading this article to do whatever is in their power
to stop this law passing, before it is too late. And too late might
2020-11-09 11:03:27 +00:00
unfortunately already be on the 19th of November 2020.
2020-11-09 11:02:33 +00:00
## Related websites
* [Report from heise (DE)](https://www.heise.de/hintergrund/EU-Regierungen-planen-Verbot-sicherer-Verschluesselung-4951415.html)
* [Report from ORF (Austria, DE)](https://fm4.orf.at/stories/3008930/)
2020-11-09 11:40:41 +00:00
* [Reddit discussion](https://www.reddit.com/r/cybersecurity/comments/jqp84o/eu_encryption_ban_proposed_following_terrorist/)
2020-11-09 11:46:13 +00:00
* [Technical details on politico](https://www.politico.eu/wp-content/uploads/2020/09/SKM_C45820090717470-1_new.pdf)
2020-11-09 11:59:58 +00:00
* [The EU draft document (on
heise.de)](https://www.heise.de/downloads/18/2/9/9/8/5/2/0/eu-council-draft-declaration-against-encryption-12143-20.pdf)
* [The EU draft document (on orf.at)](https://files.orf.at/vietnam2/files/fm4/202045/783284_fh_st12143-re01en20_783284.pdf)
2020-11-09 16:04:11 +00:00
* [Matrix.org about the current backdoor requests](https://matrix.org/blog/2020/10/19/combating-abuse-in-matrix-without-backdoors)