In an appeal to the RIPE community Patrik Fälström, Technical Director and Head of Security at Netnod, and Stephen Farrell, Researcher at Trinity College Dublin and long time Security Area Director at the IETF, spoke out against the next wave of “not so secure encryption” proposals from the European Union. A recent Council of Ministers’ paper from the Portugese Presidency underlines once more the need for access to end-to-end encrypted communication.
“It is not over”, both Fältström and Farrell warned in their talks at the RIPE82 meeting on backdoor discussions, which according to Fältström are happening without technical experts.
The sky is not falling
Encryption has become a commodity, driven in recent years by Edward Snowden’s revelations about illegal state mass snooping. “Encryption is our standard feature for kind of everything. It's not really an interesting set of product category any more”. Of course, new crypto algorithms are being developed all the time, and a number of interesting challenges have remained, from fully-homomorphic encryption to secure cloud communications or ideas on how to allow hosts to authenticate when they do not have their own public IP address space (but instead use private IP addresses).
Despite agitated debates over users going dark by using more and more TLS or relying on the various developed DNS privacy mechanisms, so far the sky has not fallen, according to Farrell, “and I don’t think it will”.
Implementing Security and Privacy, BUT...
The European Commission has nevertheless been pushing for legal access to end-to-end encrypted communication. The Portugese Presidency published a paper on 12 May 2021 where it set out its next steps to develop a system for secure but accessible encryption under EU law.
“Serious organised crime and terrorist attacks are planned, executed and concealed online, illegal substances and products are marketed, and criminals are finding subtle ways to launder profits unhindered by physical borders. Fast developing technologies amplify the scale of the problem”, the Presidency paper reads. It asks Member States to support the European Commission’s preparations for a respective legislative proposal in 2022. Member States are asked to help identify options on how to move forwards on encryption.
This belief that encryption that is accessible via backdoors, frontdoors or vulnerabilities will still be secure leaves Fälström at a loss. Two recent technical proposals circulated by the EU presidency clearly illustrate the problem. One wants a hash of every communication sent from a device to a specific server for ‘review’, without the hash being end-to-end-encrypted. Another mechanism presented to Member States is that “everyone must have a secure enclave in the centre that is trusted, and inside the secure enclave you can access the unencrypted data even though it's end-to-end”, Fältström reported, reiterating the general feeling of technical experts, who feel that such concepts defy the sheer laws of mathematics. Either you encrypt securely end-to-end, or you do not.
Fallout of EncroChat break-in
Nurturing the ideas of accessible end-to-end encryption has been the recent Encrochat affair, Fälström added. French and Dutch police used the mobile encryption provider Encochat’s server to send out manipulated updates, thus gaining access to all 60000 Encrochat users’s devices. Was that still a targeted operation or was it a general phishing expedition which is banned by Swedish law at least, Fälström wondered. In Sweden one defendant, who was sentenced based on EncroChat material, has been acquitted. According to the public prosecutor, 200 more cases will result in acquittals as well, because the material was inconclusive. While the prosecution does not want the cases to go up to higher courts for fear of a dismissal of the EncroChat material as mass surveillance, law enforcement still promotes the results in the case for legalizing a generalized chat surveillance.
As the issues around weakening encryption were both a technical and legal problem, a much more multi-stakeholder discussion is urgently needed, Fälström said at RIPE 82. “It is like forcing a round peg in a square hole, and just because that’s what’s happening right now, we must participate in that operation”.
It is worth noting that the EU is not the only party to start considering legislation to address the round-peg-square-hole, some concerning proposals are also on the road in Mauritius, Brazil, Australia and other countries, Olaf Kolkman of the Internet Society warned. For more information see here.
This article is part of our RIPE 82 reporting and was written for CENTR by Monika Ermert. Monika has been working as an IT journalist for over 20 years. She has covered the evolving internet governance landscape, EU and worldwide attempts to regulate and the risks and fun of technology. She holds an M.A. in Chinese/Media Studies from the University of Tuebingen and lives and works in Munich, Germany.