127 lines
5 KiB
Markdown
127 lines
5 KiB
Markdown
title: The new EU draft endangers everyone's security
|
|
---
|
|
pub_date: 2020-11-09
|
|
---
|
|
author: ungleich
|
|
---
|
|
twitter_handle: ungleich
|
|
---
|
|
_hidden: no
|
|
---
|
|
_discoverable: yes
|
|
---
|
|
abstract:
|
|
The EU is about to make the life of all citizens more
|
|
dangerous. Besides the ones it tries to target.
|
|
---
|
|
body:
|
|
|
|
## TL;DR
|
|
|
|
The EU is trying to disable encryption for everyone.
|
|
However, this approach is fundamentally flawed, as the bad guys don't
|
|
follow the law.
|
|
|
|
## Introduction
|
|
|
|
The Council of the European Union [has published a
|
|
draft](https://www.heise.de/downloads/18/2/9/9/8/5/2/0/eu-council-draft-declaration-against-encryption-12143-20.pdf)
|
|
which requires everyone who is offering secure communication channels
|
|
to allow authorities to read the communication.
|
|
|
|
The motivation is clear: terrorist attacks and unlawful behaviour
|
|
should be prevented by wiretapping. No crime is better for everyone.
|
|
So far, so good. In theory.
|
|
|
|
## First problem: reducing security affects everybody
|
|
|
|
The first problem is that modern encryption is not easy to break, or
|
|
let's put it clearly: it is almost impossible to break. Thus passing
|
|
this law requires decades of work to be undone. To make systems that
|
|
have been mathematically proven to be secure, more insecure.
|
|
|
|
This reduces security for any communication by default. And this does
|
|
not only affect terrorists, but also government agencies and the
|
|
general public.
|
|
|
|
Thus it also reduces the freedom of speech. There are activists out there
|
|
(f.i. in the area of climate change) that fear their life, if their
|
|
communication is revealed, because some governments do not allow free
|
|
speech.
|
|
|
|
## Second problem: the bad guys don't comply
|
|
|
|
One of the strangest problems with the EU proposal is that the idea is
|
|
to make this into a law that everyone has to follow. Or, more precisely: the
|
|
idea is that companies like Whatsapp or Signal have to provide keys or
|
|
backdoors into their systems that authorities can use for wiretapping.
|
|
|
|
Now, this is a crucial problem. Because companies like us, ungleich,
|
|
also provide [secure communication using
|
|
Matrix](https://ungleich.ch/u/products/hosted-matrix-chat/). And we
|
|
are not in the EU (fact check: Switzerland is not in the EU).
|
|
|
|
See the problem? No? Well, let's say you are the bad guys and you plan
|
|
to coordinate some attack. What do you do?
|
|
|
|
You run your own chat system. It is very easy to do. It cannot be
|
|
technically prevented. It might be against the law in the EU to run a
|
|
chat system that does not allow backdoor access, ok. But then again - you
|
|
are going to do something that is against the law anyway. So this is
|
|
the least of your problems.
|
|
|
|
So the proposed law is actually doing the opposite of its intention:
|
|
|
|
* It reduces security for everyone who is behaving according to law
|
|
* It does not prevent unlawful parties from communicating securely
|
|
|
|
## Third problem: criminalizing science
|
|
|
|
Apart from the obvious two really strong problems, the law might
|
|
actually lead to research and science being prohibited. The underlying
|
|
algorithms are usually based on mathematically hard-to-solve
|
|
problems.
|
|
|
|
The problems are carefully researched and in the end used to provide
|
|
security, confidentiality and integrity.
|
|
|
|
Researchers can be hindered by legal questions whether or not they
|
|
are able to solve mathematical problems. Which then again can and will stop the progress in other areas of science as well. This all sounds terribly wrong, doesn't it?
|
|
|
|
## Fourth problem: a new attack vector
|
|
|
|
Let's assume for a moment that none of the above problems is already
|
|
crucial enough to stop the whole motion. There is one more big and
|
|
crucial problem: if authorities have a backdoor into your
|
|
communication, this backdoor needs to be submitted to the
|
|
authorities. It needs to be securely stored by authorities.
|
|
|
|
It means that this law will make authorities a very interesting target for hacking into. You do
|
|
not need to attack a technically very secure system. You can just hack
|
|
the authorities server and you gain access to everyone's
|
|
communication.
|
|
|
|
This enables much easier access for terrorists, foreign (enemy) governments and
|
|
everyone else who is interested in getting access to your
|
|
communication.
|
|
|
|
|
|
## Summary
|
|
|
|
The proposed draft is dangerous for everyone except the criminals. It is dangerous for civilians,
|
|
governments, journalists, whistle-blowers and even the science and medical
|
|
sectors.
|
|
|
|
The whole approach is fundamentally flawed and if passed as-is reduces
|
|
security for everyone, but the bad guys.
|
|
|
|
We urge everyone reading this article to do whatever is in their power
|
|
to stop this law passing, before it is too late. And too late might
|
|
unfortunately already be on the 19th of November 2020.
|
|
|
|
## Related websites
|
|
|
|
* [Report from heise (DE)](https://www.heise.de/hintergrund/EU-Regierungen-planen-Verbot-sicherer-Verschluesselung-4951415.html)
|
|
* [Report from ORF (Austria, DE)](https://fm4.orf.at/stories/3008930/)
|
|
* [Reddit discussion](https://www.reddit.com/r/cybersecurity/comments/jqp84o/eu_encryption_ban_proposed_following_terrorist/)
|
|
* [Technical details on politico](https://www.politico.eu/wp-content/uploads/2020/09/SKM_C45820090717470-1_new.pdf)
|