Once again, the EU member states demand the weakening of encryption, associations and activists protest vehemently
The German EU Council Presidency wants to pass a resolution to give police forces and secret services easier access to encrypted communications. Operators of end-to-end encrypted services are to provide the authorities with opportunities to intercept. This would apply to platforms such as Signal or WhatsApp, which encrypt their data streams in general. Telegram also offers its users this option, but the end-to-end encryption must be set separately in the app.
On December 3, the resolution drafted by the German Federal Ministry of the Interior is to be discussed and adopted at the Council of Interior Ministers in Brussels. The British civil rights organization Statewatch had put a first draft online, and on Sunday the Austrian Broadcasting Corporation (ORF) published a new version. It functionalizes the recent attack in Vienna as a necessity for competent authorities to read encrypted communication.
This is not the only reason why the ORF’s publication has provoked strong reactions from political parties, associations and activists. “Those who soften encryptions weaken IT security as a whole,” criticized the spokeswoman for the German industry association BITKOM, for example. The German IT association Eco warns of a deep intervention that “bears no relation to the still unproven benefits in the fight against crime and terror”. The Chaos Computer Club (CCC) believes it is likely that experienced users will find other ways of encrypting, but that these are too complicated for the general public. Then “only criminals would have true protection”. Eight major European organizations from the field of network policy express similar views in a jointly written letter to the German Presidency.
The clear statements are reminiscent of the “crypto wars” of the past. In the 1990s, the US government wanted to ban the export of encryption programs and demanded that manufacturers install a “back door” for their own authorities. However, this did not stop the worldwide spread of the encryption software “Pretty Good Privacy” (PGP). In the European Union, the attacks of 2015 in France led to a new debate. But even this “crypto war” was lost by the governments, because as a lesson from the revelations of Edward Snowden, providers such as WhatsApp had meanwhile also introduced the basic end-to-end encryption.
Messages sent via PGP are currently considered secure if the users themselves encrypt them. This is possible in mail programs like Outlook or Thunderbird. If, on the other hand, servers of external platforms are used, this harbors a potential weakness, because there the communication could be decrypted by the operators and made accessible to the authorities. Providers like Signal want to disprove this suspicion by publishing the program code of the software.
Although the resolution that has now been leaked does not specify a specific method for reading the encrypted communication, the authorities want to enter into a “permanent dialogue with industry” and work on “proposed solutions”, according to the German Federal Ministry of the Interior. However, these are already on the table. For example, the magazine “Politico” published a paper by the EU Commission in the summer, which shows ten technical possibilities for breaking or weakening server-based encryption.
The ORF also quotes from this paper and considers the use of “Exceptional Access” to be the most likely solution. According to this, the procedure was developed by the British secret service and inserts a secret “secondary key” into the encryption process of chat participants. In the future, the messenger services could be asked for help for this or even be forced to do so by a later directive.