The European Council wants to declare war on cryptography


Under the guise of seeking "a better balance" between investigations and the security of our devices, the Council seems to be forgetting about the risks to our digital lives.

The Austrian broadcaster Orf.at obtained a copy of an internal European Council document dated 6 November containing a draft resolution that puts in black and white the umpteenth attack on smartphone encryption.

The purpose of the resolution is to reaffirm and guarantee the need for competent authorities to have "access to data in compliance with the law and in a targeted manner", which therefore also includes respect for fundamental rights and for the computer security of devices. Bringing all these things together is almost a mission impossible. The document talks about "technical solutions to gain access to encrypted data" without going into detail on which strategies and techniques to use.

The text, however, refers to two obstacles. The first is the encryption that protects the data saved on our devices, that is, data protected for example by full disk encryption and by our unlock codes and passwords. The second is all those apps that use end-to-end encryption (e2e) to send messages and calls, an encryption that lets only the people who are communicating read the data, keeping out prying eyes and ears, both of companies and of law enforcement agencies. The first case covers almost all modern smartphones; the second covers apps such as WhatsApp, Signal and Wire, but also the secret chats of Telegram and those of Messenger.

These solutions, the document continues, must be developed in close collaboration with communication service providers, recognizing that "there shouldn't be a single technical solution prescribed to provide access to encrypted data."

Security with and despite encryption

The document had been in the works since before the terrorist attack in Vienna. It states that some changes received before and during the informal videoconference meeting of the councilors for Justice and Home Affairs, which took place on November 3, 2020, have been included. The meeting, however, had already been scheduled as of at least October 29, as a document containing the meeting agenda shows.

European Council resolutions have no legal effect. They are usually used to point the way forward on specific issues and areas of work, but they can clearly be used to invite the European Commission to produce a bill. The title of the resolution nods to the dichotomies that have accompanied the debate on privacy and security for years: Security with encryption and security despite encryption.

In its opening, the Council praises cryptography as effectively the instrument that guarantees the protection of "governments, critical infrastructures, civil society, citizens and industry, guaranteeing privacy, confidentiality and data integrity of communications and personal data." It goes so far as to state that "it is evident that all parties benefit from a working encryption technology." Given this preamble, it seems wicked to even think about introducing solutions that weaken encryption.

Don't you dare do any illegal math. https://t.co/iPUwticjjO

- Sarah Jamie Lewis (@SarahJamieLewis) November 8, 2020




The tragedy, however, always seems to unfold according to the usual script. Already in October, ministers from the United States, United Kingdom, Canada, Australia and New Zealand (the countries that make up the intelligence alliance known as the Five Eyes, ed.) published a request to tech companies to develop a solution that would allow law enforcement to access encrypted messages. Basically, we are being asked to leave the back door of our communications house open so that law enforcement can enter when they need to.

Similar requests were made years ago by the United States to Apple, seeking to unlock and access the data on the iPhone 5C of the attacker who carried out the massacre in San Bernardino, California. In Europe, too, France and Germany made similar requests in 2016, after the attacks in Paris the previous year and in Nice the same year. In the attack on the Bataclan, however, investigators discovered that the Islamic cell communicated with simple text messages.

Attacking cryptography does not solve any problem

The request to break cryptography stems from statements by law enforcement and intelligence services that they find it difficult to intercept messages. Yet sufficient data to support these statements is lacking, and the picture that emerges from journalistic investigations and reports by associations is the opposite.

In the case of San Bernardino, the police unlocked the mobile phone thanks to the intervention of specialized hackers. In addition, there are companies around the world that sell devices and software for extracting data from devices: the company GrayShift has been caught unlocking even latest-generation models such as the iPhone 11 Pro Max. Europol itself operates a research platform to find solutions against encryption, both with regard to the ransomware threat and with regard to data extraction.

Given these capabilities, the idea described in the Council resolution of finding "a better balance" does not seem balanced at all; it risks tipping the scales completely toward law enforcement.

In September, the newspaper Politico obtained a copy of a preliminary draft assessment of technologies to circumvent cryptography in investigations against the sharing of child pornography. Among the solutions analyzed, the ones that seem most promising are those that involve analyzing chat contents directly on smartphones before messages are sent: it is like having a filter that monitors our every message.

Screenshot from the report obtained by Politico on the technologies to be used to combat Child Sexual Abuse Materials, illustrating a solution for analyzing the content of conversations.

New risks

The European Council document underlines how the "digitization of modern society brings with it some vulnerabilities and the potential to be exploited for criminal purposes," but at the same time it does not realize that introducing forms of universal unlocking keys, introducing systems for real-time monitoring of messages before they are sent, or any other technological solution one can think of - such as secretly introducing a third party into the encrypted chat - only increases the very risks for modern society that it seems to care so much about. Vulnerabilities and tools kept hidden by the US National Security Agency (NSA) have been discovered and exploited repeatedly, even by foreign criminals.

The same happened with the software of the elite CIA team, which was published by Wikileaks under the name Vault7. An internal report showed that the CIA had been naïve in its internal security practices. The same thing happened with the NSA's EternalBlue exploit, which was one of the pieces that allowed the spread of NotPetya, what has been called the most devastating cyber attack in history. If the largest surveillance agencies fail to keep their arsenal under control, how can we hope to entrust them with the keys to our private communications?

But the biggest problem seems to be that the European Council is aware of the technical difficulties, and for this reason it seems to suggest that, where the technology falls short because of laws that are a little too stringent - those on fundamental rights? - then those laws need to be changed. The result: the resolution also calls for "reviewing the effects deriving from the different regulatory frameworks in order to further develop a coherent regulatory framework across the EU".

The war on cryptography therefore cyclically reawakens after each terrorist attack, and each time it demonstrates the laziness of states in seeking quick solutions to complex problems, without caring about the rights of their citizens. Member States are invited to send further comments on the draft resolution by 12 November, but given the ongoing actions on the sharing of child pornography and on the European regulation against the dissemination of terrorist material online, it seems that we must now prepare for yet another direct attack on our security.
