EU: No encryption backdoors but, eh, let's help each other crack that crypto, oui? Ja?

You scratch my PKCS, and I'll scratch yours

The European Commission has proposed that member states help each other break into encrypted devices by sharing expertise around the bloc.

In an attempt to tackle the growing use of encryption by citizens and its effect on criminal investigations, the commission has sidestepped the well-worn, and well-ridiculed, path of demanding decryption backdoors in the products we all use.

Instead, the plans set out in its antiterrorism measures on Wednesday take a more collegiate approach – by offering member states more support when they actually get their hands on an encrypted device.

“The commission’s position is very clear – we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon,” security commissioner Julian King told a press briefing.

“We’re trying to move beyond a sometimes sterile debate between backdoors or no backdoors, and address some of the concrete law enforcement challenges. For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device.”

How exactly... we don't know. Maybe someone has an RSA-cracking supercomputer up their sleeve they're keeping secret. Maybe someone's particularly good with a soldering iron and can read off keys from extracted flash memory chips.

What we do know is that the thrust of the plan boils down to asking member states to help each other by sharing their knowledge on dealing with encryption, and creating an observatory to keep an eye on the latest tricks of the trade.

Share the wealth

“Some member states are more equipped technically to do that [extract information from a seized device] than others,” King said.

“We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer.”

It is hard to fault the idea of sharing expertise – indeed, security researchers The Register contacted said it was a sensible suggestion – and the commission is probably by now aware it is onto a losing bet if it trots out the tired idea of simply banning or scuttling encryption.

Instead, as Alan Woodward, security professor at the University of Surrey, England, put it: “What they can do is try to level the playing field by ensuring that all member states have access to the latest tools and techniques that might help when encryption is encountered.”

But he added: “This doesn’t mean decryption will be any easier than it is at present for the best equipped. As recent experience has shown, some of the commonly used encryption can be remarkably resistant to analysis.”

There is also the question of whether law-enforcement agencies will be happy to share their knowledge.

Thomas Rid, professor of strategic studies at Johns Hopkins University in the US, said that, although it was a sensible suggestion, it was possible “the bigger states would be extremely reluctant to share that kind of capability, because it is so fragile.”

Rid added that, overall, “public key encryption is practically saving the internet from itself,” and that it was disappointing for governments to “treat this most crucial technology as a problem.”

Data slurping measures due out next year

Elsewhere in the commission’s antiterror proposals, it confirmed that measures governing access to “electronic evidence” will be published in 2018.

This, said King, would “ensure law enforcement can get access to information, encrypted or not, when it’s held elsewhere – another member state, another jurisdiction, or in the cloud.”

The commission’s Eurospeak-filled proposals also included a smidge more funding for training investigators – a mere €500,000 from the ISF-police fund in 2018 – and support to boost Europe’s decryption capabilities.

These measures were first discussed back in June, and at the time The Reg was told talks had focused on possible “production orders” that would require technology companies based in one member state to hand over data when it is requested by cops in another. A more extreme proposal, that would allow police to copy data directly from the cloud, was also floated.

Another idea was to oblige member states holding information on a terrorist suspect to share that data on Europe’s border intelligence exchange, the Schengen Information System.

"I hope that they will agree that this autumn," King told us.

Europe earlier warned that if the world's tech giants did not make enough progress in removing extremist content as soon as possible from the web, the commission had left itself room to legislate against the internet corps – and this will be reviewed at the start of next year. ®

Biting the hand that feeds IT © 1998–2022