Archive | Cryptography
More surveillance is not the answer
The NSA, on your side? Nah.
Once again, an NSA wiretapping capability has been discovered – or made credible, in any case – that highlights the completely incompatible two faces of the U.S. National Security Agency. It turns out that the NSA has (likely) been able to wiretap a lot of encrypted traffic on the net, because of bad cryptographic implementations combined with hundreds-of-millions-dollars-worth of cracking precalculations from the NSA. Once again, this shows that the NSA cannot protect citizens from the government and protect the government from citizens at the same time.
Rick Falkvinge: Once Again, All Together Now: You Can’t Have An Agency Responsible For Citizen Security And For Government Security At The Same Time »
EU: Parliament just came out in favour of Snowden, open-source, encryption, digital freedom and anonymity
Today, the European Parliament adopted a resolution called “Human rights and technology in third countries” (2014/2232(INI)).
This is just a resolution, not legislation, but very interesting nevertheless. The European Parliament…
3. Believes that the active complicity of certain EU Member States in the NSA’s mass surveillance of citizens and spying on political leaders, as revealed by Edward Snowden, has caused serious damage to the credibility of the EU’s human rights policy and has undermined global trust in the benefits of ICTs;
Shame on the Brits, French, Germans and Swedes. (And several others.)
6. Calls for the active development and dissemination of technologies that help protect human rights and facilitate people´s digital rights and freedoms as well as their security, and that promote best practices and appropriate legislative frameworks, while guaranteeing the security and integrity of personal data; urges, in particular, the EU and its Member States to promote the global use and development of open standards, and of free and open-source software and cryptographic technologies;
Nice. This is one we should remind the European Parliament about over and over again–when it tries to make decisions going in the other direction.
9. Urges the EU itself, and in particular the EEAS, to use encryption in its communications with human rights defenders, to avoid putting defenders at risk and to protect its own communications with outsiders from surveillance;
Welcome to the real world.
10. Calls on the EU to adopt free and open-source software, and to encourage other actors to do so, as such software provides for better security and for greater respect for human rights;
This is not the first time the EP makes such a statement. But real progress seems to be very slow.
14. Draws attention to the plight of whistleblowers and their supporters, including journalists, following their revelations of abusive surveillance practices in third countries; believes that such individuals should be considered human rights defenders and that, as such, they deserve the EU’s protection, as required under the EU Guidelines on Human Rights Defenders; reiterates its call on the Commission and the Member States to examine thoroughly the possibility of granting whistleblowers international protection from prosecution;
65. Calls for the scope for international protection of whistleblowers to be extended, and encourages the Member States to table laws to protect whistleblowers;
Very nice. But still, no EU member state is prepared to grant Edward Snowden refuge or asylum.
19. Calls for the inclusion of clauses in all agreements with third countries that refer explicitly to the need to promote, guarantee and respect digital freedoms, net neutrality, uncensored and unrestricted access to the internet, privacy rights and the protection of data;
So, if the EU-US Trade Agreement (TTIP) will include copyright enforcement threatening digital freedom and privacy–the EP will vote no?
We must be sure to make a note of that one. And the next…
20. Urges the EU to counter the criminalisation of human rights defenders’ use of encryption, censorship-bypassing and privacy tools, by refusing to limit the use of encryption within the EU, and to challenge third-country governments that level such charges against human rights defenders;
21. Urges the EU to counter the criminalisation of the use of encryption, anti-censorship and privacy tools by refusing to limit the use of encryption within the EU, and by challenging third-country governments that criminalise such tools;
61. Calls for each individual to be entitled to encryption, and for the conditions needed to allow encryption to be created; takes the view that controls should be a matter for the end user, who will need the skills required to carry out such controls properly;
62. Calls for the introduction of ‘end to end’ encryption standards as a matter of course for all communication services, so as to make it more difficult for governments, intelligence agencies and surveillance bodies to read content;
As far as I can understand, the European Parliament just came out strongly against a ban on encryption.
27. Considers mass surveillance that is not justified by a heightened risk of terrorist attacks and threats to be in violation of the principles of necessity and proportionality, and, therefore, a violation of human rights;
63. Emphasises the special responsibility of government intelligence services to build trust, and calls for an end to mass surveillance; considers that the monitoring of European citizens through domestic and foreign intelligence services must be addressed and stopped;
So, what’s about EU member states continuing data retention?
40. Calls for the development of policies to regulate the sales of zero-day exploits and vulnerabilities to avoid their being used for cyber-attacks, or for unauthorised access to devices leading to human rights violations, without such regulations having a meaningful impact on academic and otherwise bona fide security research;
In your face, NSA…
45. Condemns the weakening and undermining of encryption protocols and products, particularly by intelligence services seeking to intercept encrypted communications;
…and the GCHQ.
46. Warns against the privatisation of law enforcement through internet companies and ISPs;
This ought to be seen as a clear warning not to go down that road in the TTIP.
49. Calls explicitly for the promotion of tools enabling the anonymous and/or pseudonymous use of the internet, and challenges the one-sided view that such tools serve only to allow criminal activities, and not to empower human rights activists beyond and within the EU;
Actually, I’m overwhelmed. But then again, this is not legislation.
However all of the above can be very useful as a reminder when the EU Commission and Council tries to get the Parliament to do the opposite. Or when the Parliament suddenly goes bananas on its own. (It frequently does. It surely will happen again very soon.)
/ HAX
A first sign of an EU ban on encryption?
I noticed that UK Prime Minister Camerons idea that governments should be able to circumvent encryption (the “backdoor” concept) has been echoed by the leader of the Swedish parliamentary opposition, the centre-right partys (Moderaterna) Anna Kinberg Batra.
At a glance this seems to be rather insignificant. But you should know that under the former Swedish centre-right government Sweden established itself as a very close partner to US NSA and British GCHQ. The Snowden files reveals that Sweden (code name: Sardine) is in so close cooperation with the US lead “five eyes coalition” that you could actually talk of a “six eyes coalition”. When the Swedish electronic surveillance organisation Försvarets Radioanstalt (FRA) was given extended mandate it is said that the US helped the Swedish government to draft the new law. And many of the shady details of the FRA law seems to be copied from the US legislative framework.
The Swedish opposition leader wouldn’t do anything concerning mass surveillance without consulting with the US and the UK. (And the present Swedish red-green government is just as compliant.)
This is what is significant. When Swedish politicians echo what is being said in Washington and London – you can be almost certain that there is some coordinated political action going on. And when it comes to Big Brotherism, Sweden is a really bad influence on other EU member states.
This might very well be the first sign that a ban on encryption is to be coordinated at a European level. (It is open to question if this is within EU competence. But if not, the member states probably will do as usual: Coordinate national legislation after an informal conclusion in the Council.)
/ HAX
Experts: No to encryption back doors
From the New York Times…
“An elite group of security technologists has concluded that the American and British governments cannot demand special access to encrypted communications without putting the world’s most confidential data and critical infrastructure in danger.”
“Such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend,” the report said. “The costs would be substantial, the damage to innovation severe and the consequences to economic growth hard to predict. The costs to the developed countries’ soft power and to our moral authority would also be considerable.”
Raed more:
Security Experts Oppose Government Access to Encrypted Communication »
UK: Cameron sticks to a ban on encryption
In the House of Commons, UK Prime Minister David Cameron has reaffirmed his commitment to ban encryption.
Or, at least, to demand “back doors” to all encrypted communication tools.
Is this political posturing or genuine ignorance?
Practically everyone who knows anything about encryption can tell you that “back doors” to encrypted communications is a contradiction in terms. Either you have encryption where only end users with proper keys can read our messages. Or you have non secure systems where not only the government but also foreign governments, criminals, corrupt officials and terrorists will be able to interfere with peoples communications.
And how would the British government enforce a ban on encryption? They would need to scrutinise and pre-approve all communication tools and apps on the market. Even non UK ones. And they would need to scan everything to make sure no one uses stand alone encryption tools in combination with ordinary communication tools such as e-mail.
The only way to uphold a ban on encryption is to control all our electronic communications. And even that will not work.
Furthermore, a ban on encryption would need to be world wide.
Link: David Cameron is going to try and ban encryption in Britain »
/ HAX
UK to escalate the war on encryption
The announced UK Investigatory Powers Bill is said to “force some of the world’s biggest internet companies including Google, Apple and Facebook to hand over encrypted messages from terror suspects”. (The Telegraph »)
To be fair, it should be pointed out that this specific part of the bill is said to be limited to “suspects under investigation”. So it’s not about blanket mass surveillance. But I’m sure that is being covered in other parts of the same bill, said to…
…”address ongoing capability gaps” that are hindering the ability of the security services to fight terrorism and other serious crime. (…)
A Home Office spokesman said the bill was a “landmark piece of legislation to cover the whole investigatory powers landscape in modern communications”.
I guess it’s going to be pretty bad. But back to the encryption issue. Ars Technica points out that…
In the face of these demands, some companies might decide to re-design their systems such that it would be impossible for them to break the encryption even if required to do so by law. This facility is already available from companies offering peer-to-peer encryption. If the UK government goes ahead with this plan, we are likely to see this approach being adopted by more communications providers and messaging apps, which would undermine the effectiveness of the proposed law.
So, the effect of far reaching legislation might actually be that it will be harder for authorities to obtain the information they want. Even in legitimate cases.
In the UK, you can be put in prison if you don’t surrender your encryption key to the authorities. But that isn’t much use when it comes to covert surveillance, is it?
With P2P encryption you can legislate as much as you want. It will not work.
This leaving the UK government with one option: To demand all P2P encryption to – somehow – be corrupted by back doors.
That would be a terrible idea. And if at all possible, it would only work with big, commonly used communication apps and systems. I cannot see how anything other than traditional and time consuming code breaking could be used against open source encryption software in P2P communications.
The only option left for the UK government might be to make such encryption illegal. And trust me, this is an option that will be taken under consideration…
The war on encryption is now entering the madcap phase.
/ HAX
• The Telegraph: Google and Whatsapp will be forced to hand messages to MI5 »
• Ars Technica: New UK law would give government access to encrypted Internet messaging apps »
• Ars Technica: The new war on encryption is based on a lie »
“The new war on encryption is based on a lie”
Glyn Moody at Ars Technica: We do not need to weaken security for all in order to deal with a few criminals »
Dear Google…
I appreciate Googles concerns when it comes to our online security. However, I think we might have a case of unintended consequences.
If you log on to your Google services from a new (or unknown) piece of hardware or from a new place, Google seems to block this attempt — often demanding that you change your password. I can see the logic behind that.
But if this happens often (and for some it does) it will lower the quality of the chosen new password. Having to figure out a new password/phrase (that you can remember) on the go simply doesn’t give you time to consider a strong and impregnable one.
Just sayin’.
/ HAX