Collateral damage through the back door: there is no such thing as a bit of encryption

At the end of 2020, the European Council officially decided to support a project that would enable security authorities to read encrypted data.

"Security through encryption and security despite encryption" - that is the official motto. Yet the text of the so-called European Council resolution, number 12863/20, is very vague. Messenger services are in particular focus, as they are suspected of being frequently used by criminals. For investigative authorities, this would fulfill a long-held desire to tap into private encrypted communications and read them. However, other data services are not explicitly excluded.

This is precisely the issue at hand, because it makes a difference whether a communication channel is encrypted end-to-end or whether data is encrypted on cloud storage, for example. Regardless of the fact that in the latter scenario it would be negligent anyway to entrust this service to a cloud provider, because companies should always organize their encryption autonomously and on their own if possible - comparable to the management of a banking PIN in the private sphere. In light of the aforementioned EU Council initiative, this will be even more important in the future.

The basic idea of the paper is to hold service providers and software vendors accountable who offer encryption as an integrated part of their offering. One is particularly interested in what is produced in the popular messengers such as WhatsApp, Telegram or Threema. But services like Slack or MS Teams, which are used more in the area of corporate communication, would not be excluded - because nothing is explicitly excluded at the moment.

Incidentally, there is nothing in the resolution about the often cited "master key" that is supposedly required for security authorities. Such a key is currently only being interpreted into the draft. The background to this interpretation is, however, quite substantial, since there are technically no sensible alternatives to a "key copy" to achieve the specified goal. Today, encryption is always based on a so-called key procedure. One uses a key to encrypt data and one also uses a key to decrypt data. A distinction must be made between symmetric and asymmetric encryption.

In symmetric procedures, both parties to a communication use the same key. This means that both parties can encrypt data and make it readable again. In asymmetric encryption, two different keys are used, but they belong together. One part of the key is publicly visible (a so-called public key) and is used to encrypt messages. Data made unreadable in this way can only be made readable again by the recipient, who has the secret counterpart (the private key). Regardless of which method is used, a suitable key is required in each case to break an encryption. So the corresponding key must always be protected particularly well.

Many hacker attacks on IT systems that protect their data or communications with encryption are therefore also attacks on the key itself. Theoretically, there are also other ways for security authorities to penetrate communications that are encrypted end-to-end. For example, spyware could be installed on a specific end device to intercept the data before it is encrypted or to copy the secret key in this way. However, this is not only legally problematic, but also not trivial to implement. For the security authorities, therefore, a paradisiacal state of affairs would result if a much more convenient path were now opened up to them by law: It is planned to quite simply oblige service providers and software manufacturers to make a copy of every private key and to hold it in trust until an investigating authority demands legally legitimate access to the corresponding data. If implemented in this way, this model could also be described as a jackpot for hackers. Because if unauthorized persons were able to gain access to these keys, then nothing that was once protected with these keys would be safe anymore. There is no such thing as being a little bit pregnant when it comes to data security: Either you can read data or you cannot.

In secure end-to-end encryption, the data stream is encrypted or decrypted at exactly two points: at the device that sends the data and at the receiving end device (example: two cell phones when using a secure messenger). Dear politicians, if you build a predetermined breaking point with an existing key copy outside the end-to-end system into such a procedure, you should not be surprised if this very point is soon exposed to massive attacks. It doesn't matter whether it's intelligence agencies or criminals - it's better not to imagine what the consequences might be. The need to equip security agencies with appropriate tools and powers in the digital world to fight crime or terrorism is justified and undeniable. However, the technical implications of this project are highly problematic and very risky.

In addition, it is not yet clear which applications of encryption are to be used, i.e., only for messengers or also for data storage by a cloud provider? We can only hope that policymakers will not only seek information from the intelligence services before passing laws with the potential side effect of fundamentally endangering democracy. Because nothing else will happen if the door is all too lightly opened for the creation of tools that enable almost unrestricted surveillance. In the worst case, these tools will become barely controllable weapons that can be efficiently and effectively directed against democratic societies.

Comments

Post a Comment

Popular posts from this blog

Chrome targeted by criminals: Why users need to update quickly now

A security vulnerability in Google Chrome is currently being exploited by cyber criminals. Malware could land on your PC through it. Read here how you can protect yourself. The Google Chrome browser is currently struggling with some security vulnerabilities. In a blog post , Google warns about a total of seven vulnerabilities, with the majority of these gaps being classified as a "high" threat to users. The vulnerabilities have been fixed in the latest version of Chrome for Windows, Linux and macOS. If you have Chrome version 90.0.4430.85 installed, it can no longer be exploited. If you have an older version of the browser installed, you should update urgently. You can find the download of the new version below these lines. Smartphone users do not have to be afraid of the security vulnerability. Google has not had to take any security measures here for the time being. The security vulnerability probably remained undiscovered by cyber criminals for the time being. So far, noth...
Read more

Face and voice recognition: Why TikTok wants to be allowed to collect biometric data in the USA

TikTok's privacy policy for the US now mentions the collection of biometric data from faces and voices. The background is likely to be a legal dispute that cost the company $92 million. Neue Datenschutzbestimmungen sind oft eher etwas für Juristen, doch die jüngste Aktualisierung von TikTok sollte alle Nutzerinnen und Nutzer in den USA aufhorchen lassen. Denn in den am 2. Juni aktualisierten Datenschutzbestimmungen für die USA ist ein Abschnitt enthalten, den es zuvor nicht gab. Er lautet übersetzt: »Wir sammeln möglicherweise biometrische Identifikationsmerkmale und biometrische Informationen, wie sie im US-Recht definiert sind, wie etwa von deinem Gesicht und deiner Stimme, aus deinen Inhalten.« Im englischsprachigen Original ist von »faceprint« und »voiceprint« die Rede. »Bevor wir damit anfangen«, frage man jedoch nach dem Einverständnis, wenn dies gesetzlich nötig sei, fügte noch TikTok hinzu. In response to an initial inquiry from "TechCrunch" about the ba...
Read more

Microsoft Teams, Zoom, WebEx: Berlin authority warns against popular video systems

After an initial data protection audit, some video service providers have made improvements to their offerings. But the Berlin data protection commissioner still sees serious shortcomings. The State Commissioner for Data Protection in Berlin (Germany), Maja Smoltczyk, advises against using leading video conferencing systems such as Microsoft Teams, Skype, Zoom, Google Meet, GoToMeeting, Teamviewer and Cisco WebEx. The reason is a retest of various offerings. After a number of services had already failed a test of data protection requirements last year, a new test of the major providers did not reveal any substantial improvement. Smoltczyk said that she was pleased "that our comments had persuaded so many providers to improve their offerings, in some cases very significantly, in terms of data protection". There are now enough legally compliant services for a wide range of purposes that there is no reason to break data protection law for video conferencing. However, if a provid...
Read more