From 715846720990939725f6698e6f5731e8edb4f6db Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Mon, 9 Nov 2020 11:57:24 +0100 Subject: [PATCH] +eu draft --- .../u/blog/the-dangerous-eu-draft/contents.lr | 122 ++++++++++++++++++ 1 file changed, 122 insertions(+) create mode 100644 content/u/blog/the-dangerous-eu-draft/contents.lr diff --git a/content/u/blog/the-dangerous-eu-draft/contents.lr b/content/u/blog/the-dangerous-eu-draft/contents.lr new file mode 100644 index 0000000..ec17e93 --- /dev/null +++ b/content/u/blog/the-dangerous-eu-draft/contents.lr 
@@ -0,0 +1,122 @@ +title: The new EU draft endagers everyone's security +--- +pub_date: 2020-11-09 +--- +author: ungleich +--- +twitter_handle: ungleich +--- +_hidden: no +--- +_discoverable: yes +--- +abstract: +The EU is about to make the life of all citizens more +dangerous. Besides the ones it tries to target. +--- +body: + +## TL;DR + +The EU is trying to disable encryption for everyone. +However, this approach is fundamentally flawed, as the bad guys don't +follow the law. + +## Introduction + +The Council of the European Union [has published a +draft](https://www.heise.de/downloads/18/2/9/9/8/5/2/0/eu-council-draft-declaration-against-encryption-12143-20.pdf) +which requires everyone who is offering secure communication channels +to allow authorities to read the communication. + +The motivation is clear: terrorist attacks and unlawful behaviour +should be prevented by wiretapping. Nobody wants crimes, do you? +So far, so good. In theory. + +## First problem: reducing security, endagering people + +The first problem is that modern encryption is not easy to break, or +let's say it clearly: it's almost impossible to break. Thus passing +this law requires decades of work to be undone. To make systems that +have been mathematically proven to be secure, more insecure. + +This reduces security for any communication by default. And this does +not only affect terrorists, but also government agencies and the +general public. + +Thus it also reduces the freedom of speech. There are groups out there +(f.i. in the area of climate change) that fear their life, if +communication is revealed, because some governments do not allow free +speech. + +## Second problem: the bad guys don't comply + +One of the strangest problems with the EU proposal is that the idea is +to make it a law that everyone has to follow. Or, more precisely: the +idea is that companies like Whatsapp or Signal have to provide keys or +backdoors into their systems that authorities can use for wiretapping. 
+ +Now, this is a crucial problem. Because companies like us, ungleich, +also provide [secure communication using +Matrix](https://ungleich.ch/u/products/hosted-matrix-chat/). And we +are not in the EU (for real: Switzerland is not in the EU). + +See the problem? No? Well. Let's say you are the bad guys and you plan +to coordinate some attack. What do you do? + +You run your own chat system. It is trivial to do so. It cannot be +technically prevented. It might be against the law in the EU to run a +chat system that does not allow backdoor access, ok. But then again - you +are going to do something that is against the law anyway. So this is +the least of your problems. + +So the proposed law is actually doing the opposite of its intention: + +* It reduces security for everyone who is behaving according to law +* It does not prevent unlawful acting parties to communicate securely + +## Third problem: criminalizing science + +Apart from the obvious two really strong problems, the law might +actually lead to research and science being prohibited. The underlying +algorithms are usually based on mathematical hard to solve +problems. + +The problems are carefully researched and in the end used to provide +security, confidentiality and integrity. + +Researchers might be hindered by legal questions whether or not they +are able to solve mathematical problems. Which then again stops +progress in other areas of science as well Sounds wrong? It is. + +## Fourth problem: a new attack vector + +For a moment let's assume that none of the above problems is already +crucial enough to stop the whole motion. There is one more big and +crucial problem: if authorities have a backdoor into your +communication, this backdoor needs to be submitted to the +authorities. It needs to be securely stored by authorities. + +And this makes authorities very interesting for hacking into. You do +not need to attack a technical very secure system. 
You can just hack +the authorities server and you gain access to everyone's +communication. + +A much easier access. For terrorists, foreign (enemy) governments and +everyone else who is interested in getting access to your +communication. + + +## Summary + +The proposed draft is dangerous, but not for criminals. It is +dangerous for everyone else. It is dangerous for civilians, +governments, journalists, whistle-blowers and even the medicinal +sector. + +The whole approach is fundamentally flawed and if passed as is reduces +security for everyone, but the bad guys. + +We urge everyone reading this article to do whatever is in their power +to stop this law passing, before it is too late. And too late might +unfortunately already be on the 25th of November 2020.
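Review bot: The `title:` field and the "## First problem" heading misspell the word as "endagers" and "endagering"; the title feeds the rendered page title and any link previews, so correct both to "endangers" and "endangering" before this is published. In the "Third problem" section, "in other areas of science as well Sounds wrong?" is missing the full stop after "well", and "mathematical hard to solve problems" should read "mathematically hard-to-solve problems". There is also an internal inconsistency worth resolving: the "First problem" section says the systems "have been mathematically proven to be secure", while the "Third problem" section says the algorithms are "usually based on" hard problems, which is the weaker and more defensible statement; suggest wording the first one to match. Last, the abstract's "Besides the ones it tries to target." reads as a fragment whose meaning ("except the ones") only becomes clear from the Summary; consider folding it into the previous sentence.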