EU_politics + encryption + privacy 

The EU Council has approved a resolution to undermine encrypted communications for EU citizens:
data.consilium.europa.eu/doc/d

A petition to decline this resolution and to keep citizens' privacy is online at the EU parliament:
europarl.europa.eu/petitions/e

As of today at 07:59 CET this petition has been signed by 13 supporters
----------------------------------------------------------

@fredl99 that doublespeak document is painful to read. If every single sentence needs the justification "but we do care about your privacy!"...

@yarmo
Yes, it clearly expresses a kind of split opinion. "We respect your right on data security but we have to care for our state's security."
And it shows the lack of understanding technical principles. That's why the solution of this problem shall be delegated to technicians.
The only hope is that many of these will explain to them that there is no such thing like "partial pregnancy" and also no practical technical solution for this proposal.

@yarmo
There's a detail too. A sentence in paragraph 6 says, "enable authorities to use their investigative powers which
are subject to proportionality, necessity and judicial oversight under their domestic legislation, while respecting common European values and upholding fundamental rights".

Defining proportionality, necessity, judicial oversight, European values and fundamental rights is left to each nation.

What's Hungary's government's opinion on this?

@jens
Thanks for this link!
The more activity, the better.
I only couldn't find out where the supporting votes will go from there. Maybe I missed this information at the website?

The petition I'm referring to is addressed directly to the EU parliament, which is the next step of the procedure to pass the resolution.

@fredl99 Absolutely. I don't know where it's going either, but presumably to MEPs. Otherwise, what's the point?

FWIW, the Global Encryption Coalition globalencryption.org/ is working to address this.

The EC is pretty firmly pro-encryption because it uses consultations from experts; it's the parliament that has a, let's say, more political point of view that is interested in pursuing limited access.

@fredl99 Which makes sense from a point of view of wanting to balance digital and physical security. It's not a stupid goal. It's just that it ignores the reality of cryptography.

So the work that needs to be done is convince MEPs of those facts about cryptography, and that's well underway.

The industry's position at a high level is "there are no viable solutions for providing limited access".

The point is that this EU parliament petition has got to be the...

@fredl99 ... last event. What's more important is giving MEPs the facts, and letting them understand that a sufficient number of the population gets them (aside from industry, etc.)

There is still time to achieve this, and conversations such as this are going to help :)

@jens
There is no doubt that the idea itself is potentially a good one. Nobody wants to live next door to attackers who can plan their activities completely hidden, for instance.
On the other hand, as has been proved lately, the attack in Vienna in November '20 has happened despite the prior knowledge and observation of the attacker by authorities. They only failed at effectively communicating their knowledge. What would be different if we had this law?

@fredl99 Nothing, of course. We're on the same page there. I'm talking about how to direct action, not about whether or not we disagree.

@jens
Ok, so we have a definite chief aim, some activities which should ideally get bundled. What's needed is a detailed plan to do so and a way to frequently review the process and readjust if necessary.
Any suggestions?

@fredl99 Well, I joined the GEC and they're coordinating action. Amongst other things, they're collecting stories to emphasize the necessity of encryption in order to sensitize the population. I've shared two earlier.

Get people to sign either petition, read those stories, spread the word. Write to your MEP, above all else.

@jens
I might be wrong, but I see it a bit differently. The Council consists of the nations' leaders and the proposal doesn't mention any experts' advice. Moreover they began with secret discussions and only made it public after approval.
The Parliament members usually have their own staff of experts, who will hopefully explain to them the technical incompatibility.
Although the idea may be good, there is no other way than to decline it if privacy is important.

@fredl99 Maybe some mixup on terms. When I write EC, I'm used to that meaning the European Commission. But I should have been clearer, sorry!

@fredl99 I read the doc and despite being a native English speaker, I'm confused. Where does it say "undermine encrypted communications"?

It does talk about transparency, balance, judicial oversight, establishing a dialogue with tech companies, ensuring authorities are able to access encrypted data, but how is this different from iOS & android current tech protections?

Maybe I'm missing something obvious in the 5 pages of waffly legalese.

@dch
Of course it's not stated in clear wording. But what does it mean to demand access to the contents of encrypted data?
Regardless if someone has a good reason to protect his data or not, if someone who is not the intended recipient demands methods to see through the curtain then it's only possible by weakening the encryption. In other words, undermining it.
Encryption is EITHER secure OR not. Once it's breakable it's no more secure, but rather useless.

@fredl99
The IETF made it clear back in 1996 that any attempt to weaken encryption means that the Internet is less secure. If governments can crack it, so can enemy countries and hackers. Encryption needs to be as strong as possible. Plus law enforcement doesn't always act on the information it already has. I see no reason to give them our private messages for a fishing trip. tools.ietf.org/html/rfc1984
@dch

@onepict that is all true & I agree with it. But quoting the 1984 RFC and referring to the IETF as a voice of authority still doesn't explain if the OP doc actually says "let's weaken encryption", nor does it say "you can have all our messages". Or am I misreading the doc?

@dch
I think it's more the vague wording. As well as trotting out the arguments that we need to be able to track terrorists and look at their encrypted communications, without detailing what that means. Folks on here are suspicious. Especially when we have past examples of EU proposals that become law to go on.

@dch
We also have the examples of law enforcement outside the EU arguing for access to criminals' and terrorists' data. While the proposal can seem innocent enough, there's no transparency to detail what access LEO want. How far into private communications do they want to go? LEO can already access messages in the US if backed up to central storage. So do LEO want more access, how do they want to enable that? Do they want carte blanche?

@dch
If they want that do they get it through weakened encryption? This isn't something that politicians should be voting on without more information. Which is the point of the resolution. But it does mean that more of us need to front up, look at it and help to provide more information.

@onepict I think that's my point - the resolution as it stands causes *fear* that the *implementation* might include weakened encryption.

This was very much the concern over similar legislation in Australia, and in practice I don't think that concern has been borne out.

If there is sufficient public oversight outside LEO, & encryption is not weakened, then I am not, per se, opposed to the EU collaborating on ways to catch the bad guys.

Am I naive?

@dch
I think there's a level of trust in law enforcement and other public servants that does you credit, but my experience and the experience of many others on here doesn't bear it out. Particularly some of the activists on Mastodon from the 80s onwards. I'd be personally very uncomfortable with additional powers given unconditionally to LEO.

There are bad actors in the ranks of our public servants, as well as in the public.

@dch
Plus we also have to consider where the data contracts for that data go to. Palantir for example.

@onepict we have arrived in the cyber dystopian future of the exciting novels of my youth. And the reality is grimmer than I had ever anticipated.

@dch
We didn't even get the cool cyberdecks and plugin brain ports. 😜

@onepict @dch elon is trying

@icedquinn
Yeah but his taste kinda blows.
@dch

@onepict @dch is there somewhere better working on the stitching robot?

@icedquinn
Probably not.
@dch

@dch
Looking again at the resolution, the wording of balance is what worries a lot of us. It says we want to protect people's privacy, but law enforcement needs to be able to do its job. The trouble with this wording is the balance part. It's as others say, you have encryption or you don't. It's not a matter of balance of access. Which is also why I quoted the RFC. The argument of balancing the needs of privacy v LEO was the same then.

@dch
For example, the police being able to exploit a weakness in encryption and not telling anyone else about it to be able to keep exploiting it, doesn't mean it's a secure communication mechanism. In fact it would be worse, as who knows who else knows. In reality there can be no balancing act of user privacy vs law enforcement in terms of encryption. To use that phrasing is a little dishonest, and ultimately undermines security for everyone.

@onepict I think you conflate (perhaps reasonably!) balancing needs as weakening encryption.

If, on production of suitable warrant incl oversight approvals, LEO can obtain limited information to do their jobs, then that's fine. If we weaken encryption (for anybody) to achieve this so-called "balance", then that's not ok.

I'm pretty sure we agree on the latter.

For the former, our personal experience influences whether we believe that's achievable or not.

@onepict
True. When they fail to effectively make use of already available meta-data and observation results then what's the point of gathering even more information to only be overwhelmed by it?

@dch

@fredl99
Ultimately the gathering of the information is evidence or a fishing trip against future suspects. The question also has to be asked: are LEO the only authorities who can access communications? For example see local authorities and schools enforcing the hostile environment in the UK.
@dch

@fredl99 this is unbelievable... and coming from the supposed gods of in a constantly surveilled world.

Hoping, double hoping that this resolution does not pass.
