title: The new EU draft endagers everyone's security --- pub_date: 2020-11-09 --- author: ungleich --- twitter_handle: ungleich --- _hidden: no --- _discoverable: yes --- abstract: The EU is about to make the life of all citizens more dangerous. Besides the ones it tries to target. --- body: ## TL;DR The EU is trying to disable encryption for everyone. However, this approach is fundamentally flawed, as the bad guys don't follow the law. ## Introduction The Council of the European Union [has published a draft](https://www.heise.de/downloads/18/2/9/9/8/5/2/0/eu-council-draft-declaration-against-encryption-12143-20.pdf) which requires everyone who is offering secure communication channels to allow authorities to read the communication. The motivation is clear: terrorist attacks and unlawful behaviour should be prevented by wiretapping. Nobody wants crimes, do you? So far, so good. In theory. ## First problem: reducing security, endagering people The first problem is that modern encryption is not easy to break, or let's say it clearly: it's almost impossible to break. Thus passing this law requires decades of work to be undone. To make systems that have been mathematically proven to be secure, more insecure. This reduces security for any communication by default. And this does not only affect terrorists, but also government agencies and the general public. Thus it also reduces the freedom of speech. There are groups out there (f.i. in the area of climate change) that fear their life, if communication is revealed, because some governments do not allow free speech. ## Second problem: the bad guys don't comply One of the strangest problems with the EU proposal is that the idea is to make it a law that everyone has to follow. Or, more precisely: the idea is that companies like Whatsapp or Signal have to provide keys or backdoors into their systems that authorities can use for wiretapping. Now, this is a crucial problem. Because companies like us, ungleich, also provide [secure communication using Matrix](https://ungleich.ch/u/products/hosted-matrix-chat/). And we are not in the EU (for real: Switzerland is not in the EU). See the problem? No? Well. Let's say you are the bad guys and you plan to coordinate some attack. What do you do? You run your own chat system. It is trivial to do so. It cannot be technically prevented. It might be against the law in the EU to run a chat system that does not allow backdoor access, ok. But then again - you are going to do something that is against the law anyway. So this is the least of your problems. So the proposed law is actually doing the opposite of its intention: * It reduces security for everyone who is behaving according to law * It does not prevent unlawful acting parties to communicate securely ## Third problem: criminalizing science Apart from the obvious two really strong problems, the law might actually lead to research and science being prohibited. The underlying algorithms are usually based on mathematical hard to solve problems. The problems are carefully researched and in the end used to provide security, confidentiality and integrity. Researchers might be hindered by legal questions whether or not they are able to solve mathematical problems. Which then again stops progress in other areas of science as well Sounds wrong? It is. ## Fourth problem: a new attack vector For a moment let's assume that none of the above problems is already crucial enough to stop the whole motion. There is one more big and crucial problem: if authorities have a backdoor into your communication, this backdoor needs to be submitted to the authorities. It needs to be securely stored by authorities. And this makes authorities very interesting for hacking into. You do not need to attack a technical very secure system. You can just hack the authorities server and you gain access to everyone's communication. A much easier access. For terrorists, foreign (enemy) governments and everyone else who is interested in getting access to your communication. ## Summary The proposed draft is dangerous, but not for criminals. It is dangerous for everyone else. It is dangerous for civilians, governments, journalists, whistle-blowers and even the medicinal sector. The whole approach is fundamentally flawed and if passed as is reduces security for everyone, but the bad guys. We urge everyone reading this article to do whatever is in their power to stop this law passing, before it is too late. And too late might unfortunately already be on the 25th of November 2020. ## Related websites * [Report from heise (DE)](https://www.heise.de/hintergrund/EU-Regierungen-planen-Verbot-sicherer-Verschluesselung-4951415.html) * [Report from ORF (Austria, DE)](https://fm4.orf.at/stories/3008930/)