Look who's joined the anti-encryption posse: Germany, come on down
You will decrypt these messages!
Germany has joined an increasing number of countries looking to introduce anti-encryption laws.
Speaking on Wednesday, German interior minister Thomas de Maizière said the government was preparing a new law that would give the authorities the right to decipher and read private encrypted messages, specifically citing encrypted messaging apps such as WhatsApp and Signal.
Such services were allowing criminals and terrorists to evade surveillance, de Maizière said, adding: "We can't allow there to be areas that are practically outside the law."
He did not specify how the encryption breaking would be achieved, but did note that among the options under consideration was forcing phone operators to install software on phones that would effectively bypass encrypted apps by granting access to the phone itself.
That stance reflects a very similar one taken earlier this week by Australian prime minister Malcolm Turnbull, who told Parliament: "The privacy of a terrorist can never be more important than public safety – never."
Turnbull revealed that the Five Eyes nations would be meeting next month to discuss how to prevent "terrorists and organized criminals" from "operating with impunity ungoverned digital spaces online" – the exact same line pushed by the German interior minister.
In addition, earlier this month, German chancellor Angela Merkel argued in Mexico City for global restrictions and "sensible rules" to deal with online content, stating that Germany would use its presidency of the G20 to develop a concrete set of digital policies at the forthcoming summit in Hamburg next month.
Britain – leading the way
When it comes to encryption issues, much of the focus has been on the UK's Investigatory Powers Act, which introduced a placeholder for a subsequent "technical capability notices paper" that would oblige telecom operators and ISPs to provide content access to law enforcement and require them to unencrypt content wherever possible.
A draft of the paper that was provided only to the telecom industry was leaked, and it revealed that the UK government wants real-time access to the full content of any named individual within one working day, as well as any "secondary data" relating to that person.
The system would oblige operators to provide real-time interception of 1 in 10,000 of their customers: in other words, the government would be able to simultaneously spy on 6,500 folks at any given moment.
That law has been spoken of favorably by the Australian government and it is reportedly considering introducing a similar version.
This rash of anti-encryption legislation comes in the wake of new terrorist attacks in Europe and a determined push by the security services to be able to maintain their current spying capabilities into modern smartphone technologies.
In Germany's case there is also the added factor of an election in September, and the expectation that the country will become a target of terrorist activity as a result of that.
There is a big problem at the heart of the issue however, and that comes in two parts: first, the apps that offer hard-to-crack, end-to-end encryption to users are almost all based in the United States and so outside the legislative reach of Europe and Australasia; and second, encryption is a mathematical process, so introducing a backdoor into any system also leaves that door open for others.
Broadly speaking there are three ways to read people's private, encrypted messages:
- Force the companies providing the encryption to introduce backdoors.
- Focus huge computing resources on a specific set of encrypted messages in order to crack the encryption.
- Force the operating system and mobile phone companies to come up with a way to grant third-party access to someone's device so they can pose as the user and bypass encryption.
It is clear from the German interior minister's comments that the government is focusing on the third, most pragmatic solution: gaining access to someone's phone or other device.
No doubt someone in the NSA is currently putting together a PowerPoint presentation that outlines how it has been able to hack into people's phones and bypass protections (including the Russian ambassador to the US?).
We'll have to wait until the next Snowden to find out exactly how it does that, but in the meantime, you can expect new legislation built around successful phone hacks to find its way into the capitals of most Western nations. ®
PS: A German court has ordered Google to stop linking to Lumen Database, formerly the Chilling Effects website.