123 lines
4.5 KiB
Text
123 lines
4.5 KiB
Text
|
title: The new EU draft endagers everyone's security
|
||
|
---
|
||
|
pub_date: 2020-11-09
|
||
|
---
|
||
|
author: ungleich
|
||
|
---
|
||
|
twitter_handle: ungleich
|
||
|
---
|
||
|
_hidden: no
|
||
|
---
|
||
|
_discoverable: yes
|
||
|
---
|
||
|
abstract:
|
||
|
The EU is about to make the life of all citizens more
|
||
|
dangerous. Besides the ones it tries to target.
|
||
|
---
|
||
|
body:
|
||
|
|
||
|
## TL;DR
|
||
|
|
||
|
The EU is trying to disable encryption for everyone.
|
||
|
However, this approach is fundamentally flawed, as the bad guys don't
|
||
|
follow the law.
|
||
|
|
||
|
## Introduction
|
||
|
|
||
|
The Council of the European Union [has published a
|
||
|
draft](https://www.heise.de/downloads/18/2/9/9/8/5/2/0/eu-council-draft-declaration-against-encryption-12143-20.pdf)
|
||
|
which requires everyone who is offering secure communication channels
|
||
|
to allow authorities to read the communication.
|
||
|
|
||
|
The motivation is clear: terrorist attacks and unlawful behaviour
|
||
|
should be prevented by wiretapping. Nobody wants crimes, do you?
|
||
|
So far, so good. In theory.
|
||
|
|
||
|
## First problem: reducing security, endagering people
|
||
|
|
||
|
The first problem is that modern encryption is not easy to break, or
|
||
|
let's say it clearly: it's almost impossible to break. Thus passing
|
||
|
this law requires decades of work to be undone. To make systems that
|
||
|
have been mathematically proven to be secure, more insecure.
|
||
|
|
||
|
This reduces security for any communication by default. And this does
|
||
|
not only affect terrorists, but also government agencies and the
|
||
|
general public.
|
||
|
|
||
|
Thus it also reduces the freedom of speech. There are groups out there
|
||
|
(f.i. in the area of climate change) that fear their life, if
|
||
|
communication is revealed, because some governments do not allow free
|
||
|
speech.
|
||
|
|
||
|
## Second problem: the bad guys don't comply
|
||
|
|
||
|
One of the strangest problems with the EU proposal is that the idea is
|
||
|
to make it a law that everyone has to follow. Or, more precisely: the
|
||
|
idea is that companies like Whatsapp or Signal have to provide keys or
|
||
|
backdoors into their systems that authorities can use for wiretapping.
|
||
|
|
||
|
Now, this is a crucial problem. Because companies like us, ungleich,
|
||
|
also provide [secure communication using
|
||
|
Matrix](https://ungleich.ch/u/products/hosted-matrix-chat/). And we
|
||
|
are not in the EU (for real: Switzerland is not in the EU).
|
||
|
|
||
|
See the problem? No? Well. Let's say you are the bad guys and you plan
|
||
|
to coordinate some attack. What do you do?
|
||
|
|
||
|
You run your own chat system. It is trivial to do so. It cannot be
|
||
|
technically prevented. It might be against the law in the EU to run a
|
||
|
chat system that does not allow backdoor access, ok. But then again - you
|
||
|
are going to do something that is against the law anyway. So this is
|
||
|
the least of your problems.
|
||
|
|
||
|
So the proposed law is actually doing the opposite of its intention:
|
||
|
|
||
|
* It reduces security for everyone who is behaving according to law
|
||
|
* It does not prevent unlawful acting parties to communicate securely
|
||
|
|
||
|
## Third problem: criminalizing science
|
||
|
|
||
|
Apart from the obvious two really strong problems, the law might
|
||
|
actually lead to research and science being prohibited. The underlying
|
||
|
algorithms are usually based on mathematical hard to solve
|
||
|
problems.
|
||
|
|
||
|
The problems are carefully researched and in the end used to provide
|
||
|
security, confidentiality and integrity.
|
||
|
|
||
|
Researchers might be hindered by legal questions whether or not they
|
||
|
are able to solve mathematical problems. Which then again stops
|
||
|
progress in other areas of science as well Sounds wrong? It is.
|
||
|
|
||
|
## Fourth problem: a new attack vector
|
||
|
|
||
|
For a moment let's assume that none of the above problems is already
|
||
|
crucial enough to stop the whole motion. There is one more big and
|
||
|
crucial problem: if authorities have a backdoor into your
|
||
|
communication, this backdoor needs to be submitted to the
|
||
|
authorities. It needs to be securely stored by authorities.
|
||
|
|
||
|
And this makes authorities very interesting for hacking into. You do
|
||
|
not need to attack a technical very secure system. You can just hack
|
||
|
the authorities server and you gain access to everyone's
|
||
|
communication.
|
||
|
|
||
|
A much easier access. For terrorists, foreign (enemy) governments and
|
||
|
everyone else who is interested in getting access to your
|
||
|
communication.
|
||
|
|
||
|
|
||
|
## Summary
|
||
|
|
||
|
The proposed draft is dangerous, but not for criminals. It is
|
||
|
dangerous for everyone else. It is dangerous for civilians,
|
||
|
governments, journalists, whistle-blowers and even the medicinal
|
||
|
sector.
|
||
|
|
||
|
The whole approach is fundamentally flawed and if passed as is reduces
|
||
|
security for everyone, but the bad guys.
|
||
|
|
||
|
We urge everyone reading this article to do whatever is in their power
|
||
|
to stop this law passing, before it is too late. And too late might
|
||
|
unfortunately already be on the 25th of November 2020.
|