EU Proposes Enforcing Data Encryption and Banning Backdoors

[MacRumors]

The European Parliament's Committee on Civil Liberties, Justice, and Home Affairs has published draft proposals that would enforce end-to-end encryption on all digital communications and forbid backdoors that enable law enforcement to access private message data.

The proposed amendment relates to Article 7 of the EU's Charter of Fundamental Rights, which says that EU citizens have a right to personal privacy, as well as privacy in their family life and at home. By extension, the "confidentiality and safety" of EU citizens' electronic communications needs to be "guaranteed" in the same manner.

Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communication.

The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and messaging provided through social media.

The regulation states that the disclosure of contents in electronic communications may reveal highly sensitive information about citizens, from personal experiences and emotions to medical conditions, sexual preferences and political views, which could result in personal and social harm, economic loss or embarrassment.

In addition, the committee argues that not only the content of communications needs to be protected, but also the metadata associated with it, including numbers called, websites visited, geographical location, and the time, date, and duration of calls, which might otherwise be used to draw conclusions about the private lives of persons involved.

The regulations would apply to providers of electronic communication services as well as software providers that enable electronic communications and the retrieval of information on the internet. However, the amendment goes further by stating that the use of software backdoors by EU member states should be outlawed.

When encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited.

Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.

The proposals appear to have been tabled in response to comments made by EU member states such as the U.K., which has argued that encrypted online channels such as WhatsApp and Telegram provide a "safe haven" for terrorists because governments and even the companies that host the services cannot read them.

The U.K. home secretary Amber Rudd recently claimed that it is "completely unacceptable" that authorities cannot gain access to messages stored on mobile applications protected by end-to-end encryption. A leaked draft technical paper prepared by the U.K. government was leaked shortly after Rudd's comments, containing proposals related to the removal of encryption from private communications.

The EU proposals could also put European security policy at odds with federal legislators in the U.S., who recently called on technology companies to compromise the encryption built into their mobile software. Last year, Apple and the FBI were involved in a public dispute over the latter's demands to provide a backdoor into iPhones, following the December 2015 shooter incidents in San Bernardino.

Apple said the software the FBI asked for could serve as a "master key" able to be used to get information from any iPhone or iPad - including its most recent devices - while the FBI claimed it only wanted access to a single iPhone.

The European Union proposals have to be approved by MEPs and reviewed by the EU council before the amendments can pass. It remains unclear how the laws would apply in the U.K. after Brexit, initial negotiations for which begin on Monday.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Article Link: EU Proposes Enforcing Data Encryption and Banning Backdoors

 

[drumcat]

President Bannon, what do you think?

 

[JPLC]

"draft proposals" sounds like something that will take ten years to realize but hey, its a start!

 

[sudo1996]

When encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited.

What does "reverse engineering" mean in this context? They don't intend to make unofficial third-party chat clients illegal, do they?

Last year, Apple and the FBI were involved in a public dispute over the latter's demands to provide a backdoor into iPhones, following the December 2015 shooter incidents in San Bernardino.

They weren't asking for a backdoor. They were asking for an exploit tool. Those are entirely different things with different implications. Backdoors are built in ahead of time and pave the way for exploit tools.

 

[0098386]

Once again, I love how human-facing the EU and their policies are. Be a shame to leave the UK.

 

[mixel]

Oh man.. I respect what they're trying to do here. This makes our plans in the UK seem even more insanely inept.

 

[adamneer]

So isn't this like the exact opposite of legislation they were previously proposing? Or was that just the Brexit crowd?

 

[Garrod]

I'm just hoping the whole Brexit thing collapses in some way. I very much doubt it though sadly.

 

[FactVsOpinion]

I think this is the right move.

 

[AlexisV]

All you need to know is that the opposite should happen of anything the horrible horrible Amber Rudd says.

 

[harrisondavies]

With our current dictator in power (Theresa May) I doubt we’d see these measures, since she wants to lock down the UKs internet and open encryption North Korea style.

 

[Bonte]

I'm just hoping the whole Brexit thing collapses in some way. I very much doubt it though sadly.

Brexit can be bad or good, depending on those who are voted into office. I do see it collapsing and then England could just quit the UK and leave the EU that way, that would also follow the voting results for a Brexit.

 

[Macneck]

A draft proposal... Sounds great, but I wouldn't put the cart before the horse nor underestimate the power of the dark side.

 

[mejsric]

I think terrorist is smart enough to create thier own encryption.

 

[Scepticalscribe]

A draft proposal... Sounds great, but I wouldn't put the cart before the horse nor underestimate the power of the dark side.

I wouldn't underestimate the EU.

It may take them time - often, quite some time - to bring such policy initiatives into force, but, when they are finally enacted and enforced, their effects are felt world wide.

This very week, the EU has addressed (at last) the issue of data roaming charges.

And, remember, 12 years ago, the EU banned the export of of products used for execution to countries such as the US - leading to a shortage of such pharmaceutical products in the US.

 

[djcerla]

Great news.

And basically, the only possible way. Everything else would lead, with absolute certainity, to a digital apocalypse. Imagine a law-mandated backdoor on every single cell phone exploited at scale by a bad actor.

 

[mrxak]

While this is a nice idea, the fact is any sort of government regulation of the internet, created by people who frankly don't know anything about it at a technical level, is only going to cause more harm than good, by forcing standards that in many ways may be less secure, or less useful to the user. While this may, in theory, force international companies to encrypt more stuff (which is a good thing), I'd prefer the free market, and academics who are far smarter than any politician, figure out how to make the internet more secure for everyone.

A better piece of legislation, if I was writing it, would simply force greater transparency from companies on how they secure user data, what encryption schemes they use to do it, and then let the market figure out what's actually best. Non-profits like the EFF and academia will figure out how to translate this information for public consumption.

 

[unlinked]

Macron was fairly anti encryption during his campaign. Wonder if he will follow up on it now that he is in power.

 

[meaning-matters]

I don't trust the EU with its unelected elites deciding on our lives.
It's the same EU that wastes billions, lets in (or even (let) picks up at the other side of the Mediterranean Sea) illegal immigrants by the thousands, ...

 

[Toutou]

Sounds fishy. This goes pretty much against the current course of tight control, regulation and omnipresent surveillance. I'm definitely not believing there isn't some hidden agenda behind this, to the tune of "only one method of encryption allowed, everything else banned, new Encryption Enforcement Bureau created, unfortunately the operation costs €332 000 000 000 000 daily, internet service providers, web hostings, developers, infrastructure owners bullied to adopt appropriate new technologies and forced to deploy expensive hardware"

 

[Porco]

The debate has erroneously centred (at least outside of tech-literate circles) on the 'balance' or 'compromise' between e-to-e encryption and people being kept safe, as if the two things were in conflict.

On the face of it I think that this EU draft sounds good, but just as important (because it's a global matter) is to impress again and again that encryption is not in opposition to our safety, rather that it is vital in order to secure it.

The number of terrorist incidents is too high. Obviously. Even one is one too many. But the spectacular and sensationalised nature of such attacks (which is half the point) against relatively tiny numbers of people should not let us disproportionately damage aspects of digital infrastructure that keep us all safe every day in countless ways.

To be clear, any kind of backdoors or compromises in encryption only do real, lasting harm to we, the law-abiding and innocent. Whilst some 'low-hanging fruit' criminals and potential terrorists could be disrupted or caught by monitoring communications that has had its encryption broken, any vaguely competent bad guys will avoid detection altogether by other means. Meanwhile internet commerce, important (and in some cases vital) physical infrastructure would be put at risk, eveyone's privacy would compromised, and authoritarian states around the world would continue to be enboldened to crush dissent and political opponents by the poor example set by the supposedly enlightened free democracies.

Also, intelligence agencies already have a wide array of capabilities to monitor communications and metadata. I'm sure this gives them lots of leads and evidence, which is good (and I'm not sure whether the EU proposals go too far in this respect). But they only get that because bad guys think the content itself can't be decrypted. If encryption was gone, what would they do? Continue to send stuff and just hope no-one reads it? Come on, it doesn't pass the 'smell test', does it?

Except for those small fraction of people involved in perpetrating it, we all want terrorism and criminality to stop. But removing everyone else's protection whilst causing minor inconvenience to the bad guys wouldn't achieve that.

I hope the EU enacts something like this proposal, and that others follow.

 

[entropys]

smells fishy to me. if there is one thing eurocrats like it is pressing the thumb on the little people.

 

[Toutou]

… internet service providers, web hostings, developers, infrastructure owners bullied to adopt appropriate new technologies and forced to deploy expensive hardware"

And I was ****ing right!

Amendment (37):
Service providers who offer electronic communications services should process electronic communications data in such a way as to prevent unauthorised access, disclosure or alteration, ensure that such unauthorised access, disclosure or alteration is capable of being ascertained, and also ensure that such electronic communications data are protected by using specific types of software and encryption technologies. The requirement to inform end-users of particular security risks does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service. The provision of information about security risks to the subscriber should be free of charge.

Translated:
Do **** for us, pay for it yourself, be responsible for any **** up in the security area OR ELSE….!!!!!!!!

 

[smallcoffee]

President Bannon, what do you think?

He probably thinks the same thing that Obama thought, or Nancy Pelosi.

 

[nwcs]

As much as I like the idea of this proposed rule the reality is that it is not in the best interest of governments. Whether benevolent or not, governments want to keep tabs on people and will abuse such power. It's human nature. In the end it will be watered down to the point that it doesn't mean as much as people think.