EU: No encryption backdoors but, eh, let's help each other crack that crypto, oui? Ja?

The European Commission has proposed that member states help each other break into encrypted devices by sharing expertise around the bloc. In an attempt to tackle the rise of citizens using encryption and its effects on solving crimes, the commission decided to sidestep the well-worn, and well-ridiculed, path of demanding …

  1. Anonymous Coward
    Anonymous Coward

    A Ruddite doesn't have a backdoor

    because they don't believe in Encryption.

    1. Anonymous Coward
      Anonymous Coward

      Re: A Ruddite doesn't have a backdoor

      Oh they have a backdoor all right. There has to be a place where all the BS comes out.

      1. Solarflare

        Re: A Ruddite doesn't have a backdoor

        I think that's actually her mouth.

  2. Anonymous Coward
    Anonymous Coward

    The utter fools

    We don't need backdoors, but we'll do our best to help our neighbours create them so we keep our hands clean politically.

    And they really think people don't see through this?

    1. Dan 55 Silver badge

      Re: The utter fools

      It seems to me like they're more interested in sharing information about breaking endpoint security than breaking encryption in transit and therefore allowing bulk surveillance to happen.

      Which is a good thing, isn't it?

      1. Rameses Niblick the Third Kerplunk Kerplunk Whoops Where's My Thribble? Silver badge

        Re: The utter fools

        @Dan 55

        This is pretty much what I thought. I admit I may be somewhat naive in my reading of the article; however, to me this reads as though, rather than the universal hobbling of encryption (the Rudd Redundancy, as I like to call it, mostly because it may encourage something else by the same name) and handing governments the ability to view all traffic, all the time, they appear (again, in my possible naivety) to be talking about knowledge sharing about breaking encrypted devices on a case-by-case basis. This means police forces have to know who they are looking for, observe that person and snatch their devices, possibly intercept their individual communications. Like police forces always have.

        Isn't this what we all wanted?

        Yes, there are those of us who will always view any development with the utmost suspicion, and rightly so; someone needs to keep these people on their toes by asking difficult questions. However, personally, I choose to view this as a step in the right direction, the direction the tech industry as a whole has been pushing for.

    2. Anonymous Coward
      Anonymous Coward

      Re: The utter fools

      "In an attempt to tackle the rise of citizens using encryption and its effects on solving crimes..."

      I would like to see some numbers showing the proportion of crimes where the crims have been shown to use encryption.

      1. Dr Dan Holdsworth Silver badge
        Boffin

        Re: The utter fools

        A better way to work is to remember that when you're hunting criminals, you are not hunting super-intelligent encryption geniuses, but rather the less-able twerps of this world. As such, you simply have to accept that some of their communications won't be accessible to you, and there isn't a magical MacGuffin that will let you get around this.

        This is the same thinking process that police had to go through when DNA evidence was first introduced; all DNA actually shows is that at some point, the person whose DNA is present was in contact with whatever the DNA was detected on. Thus the old criminal trick of picking up cigarette ends outside dodgy pubs, then scattering one or two in prominent places when committing a burglary only works if you have stupid policemen around.

        Another example is of some burglars who targeted country houses and operated as a gang. Their modus operandi was to meet up at a motorway service station near the target, turn off all mobile phones then go out to rob the target. Only afterwards did they re-enable their phones. This meant they didn't leave an electronic trail to their crimes, but did mean that they left a huge great signal that they were about to commit a crime (for they never met up, turned off phones then sloped off down the pub lawfully to add distraction to the pattern).

        As I say, we're dealing with criminals, not masterminds. Criminals always make mistakes, and police have the manpower to catch these mistakes.

        So, forget the phoney prize of being able to break encryption. If it is seen as possible, people will use other methods to get around this problem; unbreakable one-time pads for instance. Or, use encryption known not to have been back-doored.

        1. Anonymous Coward
          Anonymous Coward

          Re: The utter fools

          This meant they didn't leave an electronic trail to their crimes, but did mean that they left a huge great signal that they were about to commit a crime (for they never met up, turned off phones then sloped off down the pub lawfully to add distraction to the pattern).

          You were all going down the pub?

          Oh yes officer it was pub quiz night at the All Seasons and mobile phones are not allowed to be used. Therefore the entire team turned their phones off before we got there.

        2. Anonymous Coward
          Anonymous Coward

          Re: The utter fools

          I remember a case (not in the UK) where police had lawfully done traffic analysis of a bunch of criminals. They were able to work out who had done various 'jobs' based on who was talking to whom around the time of the crimes. I think they had some initial evidence for each case that had fingered one villain. From that they were able to see who that person had been in contact with to make links to other crooks. They then did surveillance to gain enough evidence to be able to nab the other players in the crimes and prosecute.
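
The two patterns in this sub-thread (a group of handsets all going dark at the service station, and expanding from one handset already tied to a job to the people it talked to around the time of each job) are both plain record-matching. The script below is an added example, not anything from the article or from the commenters; every handset, cell name, timestamp and threshold in it is constructed for illustration and the record layout is an assumption.

```python
"""
Toy traffic analysis over constructed handset records.

Two patterns from the thread: several handsets going dark at the same
place within minutes (the service-station signal), and starting from one
handset already tied to an incident, linking further handsets through who
was in contact with whom around each incident's time.

Every record below is constructed for illustration; the field layout
(handset, cell, timestamp) and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed detach (power-off) events: (handset, cell, ISO timestamp).
# H1..H4 detach at the same cell within two minutes; the rest are noise.
DETACH_EVENTS = [
    ("H1", "M6-J14-SERVICES", "2017-10-20T22:01:10"),
    ("H2", "M6-J14-SERVICES", "2017-10-20T22:01:45"),
    ("H3", "M6-J14-SERVICES", "2017-10-20T22:02:30"),
    ("H4", "M6-J14-SERVICES", "2017-10-20T22:02:55"),
    ("H5", "TOWN-CENTRE-3", "2017-10-20T22:02:00"),
    ("H6", "M6-J14-SERVICES", "2017-10-20T23:40:00"),
    ("H7", "TOWN-CENTRE-3", "2017-10-21T00:10:00"),
]

# Constructed call records: (caller, callee, ISO timestamp), and the
# times of two incidents. H1 is the handset already tied to the first.
CALLS = [
    ("H1", "H2", "2017-10-20T21:30:00"),
    ("H1", "H3", "2017-10-20T21:32:00"),
    ("H2", "H3", "2017-10-20T23:50:00"),
    ("H1", "H9", "2017-10-18T12:00:00"),  # days earlier: not linked
    ("H4", "H2", "2017-10-27T21:45:00"),
    ("H3", "H4", "2017-10-27T21:50:00"),
]
INCIDENTS = {
    "burglary-1": "2017-10-20T22:30:00",
    "burglary-2": "2017-10-27T22:30:00",
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def coordinated_shutdowns(events, window=timedelta(minutes=5), min_handsets=3):
    """Return [(cell, [handsets])] where at least `min_handsets` distinct
    handsets detached at the same cell inside a sliding `window`.
    Overlapping windows are merged so each cluster is reported once."""
    by_cell = defaultdict(list)
    for handset, cell, ts in events:
        by_cell[cell].append((_ts(ts), handset))
    hits = []
    for cell, rows in by_cell.items():
        rows.sort()
        clusters, start = [], 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            group = frozenset(h for _, h in rows[start:end + 1])
            if len(group) < min_handsets or any(group <= c for c in clusters):
                continue
            # keep only maximal clusters: drop any that this one contains
            clusters = [c for c in clusters if not c < group] + [group]
        hits.extend((cell, sorted(c)) for c in clusters)
    return sorted(hits)


def link_incidents(calls, incidents, seed, margin=timedelta(hours=2)):
    """Expand outward from `seed`: a call within `margin` of an incident
    that involves a known handset pulls the other party into the known
    set. Repeat until no incident adds anyone. Returns (handsets seen per
    incident, all handsets reached)."""
    known = {seed}
    who = {name: set() for name in incidents}
    changed = True
    while changed:
        changed = False
        for name, when in incidents.items():
            t = _ts(when)
            for a, b, ts in calls:
                if abs(_ts(ts) - t) > margin or not ({a, b} & known):
                    continue
                if not {a, b} <= known:
                    changed = True
                known |= {a, b}
                who[name] |= {a, b}
    return {name: sorted(h) for name, h in who.items()}, known


if __name__ == "__main__":
    print(coordinated_shutdowns(DETACH_EVENTS))
    print(link_incidents(CALLS, INCIDENTS, "H1"))
```

On the constructed data the first function flags H1 to H4 at the services cell and nothing else, and the second reaches H2 and H3 through the first incident and H4 through the second, while the unrelated H9 call days earlier never links. Note that neither function needs any message content: both operate purely on who, where and when, which is why the thread's point stands that turning phones off in unison is itself a signal.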

          1. Jamie Jones Silver badge

            Re: The utter fools

            Surveillance?? Real police work? Pffft, what century are you in?

            As for the proposal, it sounds good - my only worry is they start stockpiling/hoarding vulnerabilities they find, à la NSA/GCHQ, rather than alerting the people responsible.

      2. Anonymous Blowhard

        Re: The utter fools

        "I would like to see some numbers showing the proportion of crimes where the crims have been shown to use encryption."

        I'd like to see some numbers showing the number of violent crimes where the criminals would NOT have been able to commit the crime WITHOUT encryption.

        I suspect it will be a small number, probably pretty close to zero, and should indicate how pointless the whole anti-encryption argument is in preventing real crime (as opposed to thought crime) and improving public safety (we're pretty safe already I think).

    3. streaky Silver badge

      Re: The utter fools

      We don't need backdoors, but we'll do our best to help our neighbours create them so we keep our hands clean politically.

      Wouldn't worry about it, this [capability] is so secretly guarded as state secrets it doesn't even pass around Five Eyes, there's no chance the Germans (who are most capable in this field in the remaining states when the UK leaves) are going to help the French or the Spaniards or whatever to break crypto that's protecting their own security services and as an afterthought citizens. Hell will freeze over first.

      Commission doing what it does best and wasting everybody's time.

  3. jmch Silver badge
    Thumb Up

    Refreshing

    How very refreshing to hear this from the EU:

    “The commission’s position is very clear – we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon”

    US and UK take note!

    1. Redstone
      Devil

      Re: Refreshing

      Maybe I'm just too old, but when I see statements like this from BigGov I can't help thinking of the classic line:

      [loud] "We come in Peace!"

      [whisper] "Shoot to kill, shoot to kill"

      1. Doctor_Wibble
        Angel

        Re: Refreshing

        > I can't help thinking of the classic line

        It might be classic but I only know it from the only musical masterpiece anyone ever needs to know, courtesy of The Firm.

        1. Redstone
          Happy

          Re: Refreshing

          That is indeed the classic line to which I was referring...

    2. AndyS

      Re: Refreshing

      > How very refreshing to hear this from the EU...

      If only there was some way we could benefit from the relative sanity of this massive, powerful union, standing up to the sort of nonsense that May and Trump spout. Oh well.

      1. Tomato42 Silver badge
        Meh

        Re: Refreshing

        @AndyS: well, if May wants to end up with a "deal", she will have to follow it anyway (having EU nationals on the UK's land and all), but probably they'll go for the pyrrhic victory of "no deal", devastating the country and slipping it into irrelevance.

        so "oh well" indeed

        1. AndyS

          Re: Refreshing

          > the pyrrhic victory of "no deal"

          Ah yes, the "stabbing yourself in the head just to prove how independent you are" victory.

          1. Cynical Observer
            Facepalm

            Re: Refreshing

            @AndyS

            Or as I heard it described this week...

            Shitting on the Cake and then threatening to eat it.

            Icon for your stab wound

  4. mark l 2 Silver badge

    They are not in favour of backdoors but are in favour of having undocumented ways of circumventing the encryption, which they would have Europol share with all member states.

    This sounds like they will be looking for vulnerabilities in the software that they can use but won't disclose them to the application provider when they find them, so how is that any safer than asking for a backdoor in the first place?

    1. Anonymous Coward
      Anonymous Coward

      how is that any safer than asking for a backdoor in the first place?

      It's safer for them as this stance prevents the development of any framework legislation to control what they get up to. It's not safer for you, but you don't matter anyway as a mere voter.

    2. Nick Kew Silver badge

      This is government doing the Right Thing, and not getting in the way of industry and society. They're looking at the story of the FBI and the iPhone, and pooling expertise as and when such cases arise and the maker can't or won't help law enforcement.

  5. arthoss

    makes sense!

    there are plenty of other ways to do it - CPU operations, hardware transplants, etc, should go in that direction. And good ol' police footwork!

    1. John Brown (no body) Silver badge

      "there are plenty of other ways to do it "

      Like going through unpatched IME, or unpatched WPA2 WiFi or cracking weak RSA key provided by buggy TPM modules, or unpatched Chrome Browsers, or anyone who has Flash installed?

  6. 0laf Silver badge
    Facepalm

    Much more sensible than installing backdoors. But hard, expensive and relies on nation states trusting each other with intelligence technology and techniques.

    So I expect that Rudd et al will continue to bang on about backdoors.

    1. Doctor Syntax Silver badge

      "Much more sensible than installing backdoors."

      It sounds more like looking for backdoors that weren't intended, keeping the information from the vendor but then sharing the information out among themselves so that it'll leak out further still. Remind me again, how did we come to have Wannacry?

      How does this differ from black hat hacking?

  7. John Smith 19 Gold badge
    WTF?

    f**k me sideways. "EU Commissioner accepts backdoors weaken everybody's security"

    Shock horror.

    I'll leave aside how long it's taken the EU to accept this fact and note that IRL Euro plods have always had multiple ways to compromise crim comms (at different levels) provided they had actual evidence of a crime being committed.

    Actual secure comms within a criminal group are very difficult if:

    a) You're involved in large scale crime, and

    b) The authorities are aware you are involved in large scale crime.

    Once that happens using cheap PAYG phones won't cut it.

    Don't expect any change from the data fetishists of the centre for most evil in government UK Home Office any time soon, who will continue not to give a f**k about privacy or (personal) security.

  8. Lysenko

    Inspired by the recent cryptominer ruckus...

    ... and also the various "@HOME" grid computing projects (Folding, Einstein, LHC etc) over the last couple of decades, they could leverage the Daily Mail readership and assorted other "think of the children!" merchants to assist.

    Register with "paedos@home" or "terror@home" to contribute your computer resources to the war against [bogeyman du jour], or include "[bogeyman]miner.js" on your web site to enlist your visitors from all over the world as well[1]!

    [1] Yes, I know there isn't enough computing power on the planet to brute force AES in a sensible time frame, but like I said: I'm discussing Daily Mail readers and political venality/stupidity here.

  9. Anonymous Coward
    Anonymous Coward

    The hysteria about encryption seems to be mainly

    from people who don't understand encryption.

    In the real world what we actually have is:

    1) amateur/cheap encryption: people relying on whatever apps or tools claim to keep their smut safe

    2) professional/paid for encryption; generally implemented according to best practice

    3) homebrew undocumented encryption

    4) the real deal: truly unbreakable encryption.

    Without pussyfooting around, the 5-eye spook centres will have a handle on 1,2 and 3. I would be mildly surprised if they were not able to gain sight of any plaintext they wished by leveraging subtle flaws in either algorithm or implementation.

    That leaves (4). Which at a guess will be a tiny fraction of the total encrypted traffic in the wild.

    So small, in fact, as to be its own security risk. After all, it's much easier to organise surveillance on 5 people than 5,000,000.

    (btw, I left off 5. But that's because it's the de luxe version of secure communication, and is impossible to monitor in the first instance, so nothing 5-eyes can do about it).

    1. 0laf Silver badge
      FAIL

      Re: The hysteria about encryption seems to be mainly

      The spook centres might well have the capability for cracking proper crypto but it doesn't mean that the capability will be shared with other parts of government like the police.

      Rudd et al. are talking about more workaday access to encrypted comms for police investigations that aren't of national importance (the more usual drugs and murder stuff). Access to comms there might be possible now, but it's expensive and time consuming. They want a cheap solution, i.e. a footpad has the universal key to encryption, types in "p@ssw0rd1234" and can access anything.

      And clearly because it's only for the 'good guys' it'll never be leaked or found out by the 'bad guys'.

      1. DJO Silver badge

        Re: The hysteria about encryption seems to be mainly

        Pretty much anything can be decrypted given enough time and resources.

        The trick is to use encryption appropriate to the value of the data so it always costs more to decrypt than the data is worth.

        1. Prst. V.Jeltz Silver badge

          Re: The hysteria about encryption seems to be mainly

          "Pretty much anything can be decrypted given enough time and resources."

          Yes , and also the sun will die given enough time. If that happens before your decryption is complete , you will probably have more pressing things to worry about.

          1. Bronek Kozicki Silver badge
            Big Brother

            Re: The hysteria about encryption seems to be mainly

            The thing is that 1 and 3 are dying out, thanks to the availability of good-grade encryption in the form of open source projects such as OpenSSL etc. Yes, they have their problems (my heart bleeds for poor developers ...) but they generally do follow industry practices and, importantly, are under the scrutiny of cryptographers who understand the math. While most crypto in category 2 aspires to 4, I think 4 is actually an empty set - just as there are no non-trivial programs with exactly zero bugs.

            Back to topic - spooks are not blind, they see that category 2 is getting more popular and accessible by the day. Since they do not understand the math, they feel they cannot compete with cryptographers and hence, for the same reason, issue silly demands. Or perhaps that's just a cover, to make us think that they do not understand the math and cannot really hack what's out there ...

            1. Anonymous Coward
              Anonymous Coward

              Re: 4 is actually an empty set -

              No. 4 is completely undetectable, and unbreakable.

              It's been detailed in comments on El Reg before now, only no one was paying attention.

              1. Bronek Kozicki Silver badge
                Joke

                Re: 4 is actually an empty set -

                ... only no one was paying attention.

                must be something to do with "undetectable" part

              2. Anonymous Coward
                Anonymous Coward

                Re: 4 is actually an empty set -

                Scattered encrypted messages posted over various USENET fora. Requires pre-arrangement, but once in place, messages can be exchanged safely, as they will be lost in the noise (especially in a binary NG).

                Has the added advantage of not identifying the recipient(s), which is the biggest problem with any point-to-point messaging. If the spooks know WHO is talking to WHO, then half their work is done.

                This isn't a new idea, by the way. It's at least as old as USENET itself.

                (Is that a rush of "da kidz" having to look up "USENET" ?)

        2. Adam 1 Silver badge

          Re: The hysteria about encryption seems to be mainly

          > Pretty much anything can be decrypted given enough time and resources.

          I've got a million bucks for you if you can prove that...

          Unless you are accepting solutions that require more energy than we have at our theoretical disposal and in timeframes that exceed the life of our species by a couple of billion years.

          And in the case of a one time pad, generated from a truly random source (i.e. a QRNG/measurements of radioactive decay, not a classic RNG), time will not help you. It can't; there simply isn't enough information in the cyphertext to learn anything about the key.
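
The two halves of that claim, that the ciphertext carries no information about the key and that this only holds for a truly random pad, can both be shown in a few lines. The script below is an added example, not code from the article or from any commenter; the messages, the crib and the seed are constructed values chosen for the demonstration.

```python
"""
One-time pad, the point being made: a ciphertext under a truly random pad
carries no information about the plaintext, because for every candidate
plaintext of the same length there is a pad that produces exactly that
ciphertext. The two ways the guarantee is lost are a reused pad and a pad
drawn from a predictable generator.

Added example with constructed messages; the seed and the crib are
assumptions chosen for the demonstration.
"""
import random
import secrets


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). The pad must cover
    the whole message; a short pad would otherwise silently truncate."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message")
    return bytes(d ^ k for d, k in zip(data, pad))


def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """The pad under which `ciphertext` decrypts to `candidate`. It always
    exists and is exactly as likely as the real pad, so the ciphertext on
    its own cannot rule any candidate plaintext out."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must match ciphertext length")
    return otp_xor(ciphertext, candidate)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With one pad used on two messages, c1 XOR c2 == p1 XOR p2: the pad
    cancels out and the attacker is left with a crib-dragging problem."""
    return otp_xor(c1, c2)


def weak_pad(seed: int, n: int) -> bytes:
    """A 'pad' from a seeded Mersenne Twister: deterministic, so anyone
    who can guess the seed regenerates it. Not a one-time pad at all."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def recover_weak_seed(ciphertext: bytes, crib: bytes, max_seed: int) -> list:
    """Known-plaintext attack on weak_pad: try every seed below max_seed
    and keep those whose pad turns the first len(crib) bytes into `crib`."""
    found = []
    for seed in range(max_seed):
        pad = weak_pad(seed, len(crib))
        if otp_xor(ciphertext[:len(crib)], pad) == crib:
            found.append(seed)
    return found


# Constructed demo values (assumptions, not from the thread).
P1 = b"MEET AT NOON"
P2 = b"DEAL IS OFF."      # same length as P1
CRIB = b"MEET"            # the attacker guesses how messages start
WEAK_SEED = 4242


def demo():
    real_pad = secrets.token_bytes(len(P1))        # CSPRNG: the right way
    c = otp_xor(P1, real_pad)
    alt_pad = pad_explaining(c, P2)
    assert otp_xor(c, alt_pad) == P2               # an equally valid story

    c1, c2 = otp_xor(P1, real_pad), otp_xor(P2, real_pad)   # pad reused
    assert pad_reuse_leak(c1, c2) == otp_xor(P1, P2)

    weak_c = otp_xor(P1, weak_pad(WEAK_SEED, len(P1)))
    return recover_weak_seed(weak_c, CRIB, 10_000)


if __name__ == "__main__":
    print("recovered seeds:", demo())
```

Run it and `demo()` returns `[4242]`: a four-byte crib is enough to pick the seed of the Mersenne Twister pad out of ten thousand candidates, whereas against the `secrets`-generated pad the same ciphertext decrypts just as happily to "DEAL IS OFF." as to "MEET AT NOON", which is the commenter's point about there being nothing in the ciphertext to learn.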

    2. Anonymous Coward
      Anonymous Coward

      Re: The hysteria about encryption seems to be mainly....

      Quote: "...the 5-eye spook centres will have a handle on 1,2 and 3..."

      *

      Well...I wonder. Suppose a homebrew implementation is built simply for messaging. Suppose the scheme is a book cipher. Suppose some sort of randomisation is used. Suppose the book and the random seed are both changed regularly. The result would look like the sample below. How long before "the 5-eye spook centres" can tell us what this (real) message says?

      *

      sforzato pharyngo- woadman mecometer semihysterical veratrize fiercenesses Ranquel lepidotic Kawaguchi eyeservice fringiness half-plane piligerous saskatoon straddle-fashion sharecroppers colibertus bilobular unsacrilegiousness Gallicolae snake-eyed hydrophorous rain-soaked entoplasm eschewing brulyiement Erastianize acetphenetid recheat hout alada superaffiuence sweet-scented Altingiaceae researchful unegregiously unregenerately blighted Marlette nonbeauties Ossetian perversite artcraft Staley physiognomonic keawe kentallenite acroataxia yodles Rhabdomonas mournfulness VC loose-lived self-purifying tornadoesque uroo slopmaking annalists undeferrable ammonitic WAN pokable limbs Composaline gasified Chibcha elephantiases guerdonless orchestras whoop-de-doo commercialised periclean half-reclined naturata haemonchosis bug-juice theorically demonstrant premarrying honduras knickknack Adrianople -aceous inductees counter-faller cervicorn yowe adenomata kutch jardon eradicable nonfervidly cribriformity totoaba Marduk Muscadine mangrate Californian Mignonette Stroessner fisherpeople So. gibble-gabble cayuses Wallinga squab-pie fancywork niftiness

      *

  10. m-k

    hard to fault the idea of sharing expertise

    sharing data with hackers, be it willing or accidental is likewise hard to fault.

  11. Andy The Hat Silver badge

    What's the EU law?

    Wasn't it made illegal under EU law to *attempt* to reverse engineer or defeat encryption mechanisms except for specific research purposes? I thought Mr Murdoch was instrumental in lobbying for that particular law (along with other broadcasters) to stamp out attempts to hack encrypted tv channels such as Sky?

    1. Prst. V.Jeltz Silver badge

      Re: What's the EU law?

      In that case why make it strong?

      or if encryption is secure why need a law?

  12. fluffybunnyuk

    For anyone who hasn't read the crypto-anarchists' manifesto...

    A specter is haunting the modern world, the specter of crypto anarchy.

    Computer technology is on the verge of providing the ability for individuals and groups to communicate and interact with each other in a totally anonymous manner. Two persons may exchange messages, conduct business, and negotiate electronic contracts without ever knowing the True Name, or legal identity, of the other. Interactions over networks will be untraceable, via extensive re-routing of encrypted packets and tamper-proof boxes which implement cryptographic protocols with nearly perfect assurance against any tampering. Reputations will be of central importance, far more important in dealings than even the credit ratings of today. These developments will alter completely the nature of government regulation, the ability to tax and control economic interactions, the ability to keep information secret, and will even alter the nature of trust and reputation.

    The technology for this revolution--and it surely will be both a social and economic revolution--has existed in theory for the past decade. The methods are based upon public-key encryption, zero-knowledge interactive proof systems, and various software protocols for interaction, authentication, and verification. The focus has until now been on academic conferences in Europe and the U.S., conferences monitored closely by the National Security Agency. But only recently have computer networks and personal computers attained sufficient speed to make the ideas practically realizable. And the next ten years will bring enough additional speed to make the ideas economically feasible and essentially unstoppable. High-speed networks, ISDN, tamper-proof boxes, smart cards, satellites, Ku-band transmitters, multi-MIPS personal computers, and encryption chips now under development will be some of the enabling technologies.

    The State will of course try to slow or halt the spread of this technology, citing national security concerns, use of the technology by drug dealers and tax evaders, and fears of societal disintegration. Many of these concerns will be valid; crypto anarchy will allow national secrets to be traded freely and will allow illicit and stolen materials to be traded. An anonymous computerized market will even make possible abhorrent markets for assassinations and extortion. Various criminal and foreign elements will be active users of CryptoNet. But this will not halt the spread of crypto anarchy.

    Just as the technology of printing altered and reduced the power of medieval guilds and the social power structure, so too will cryptologic methods fundamentally alter the nature of corporations and of government interference in economic transactions. Combined with emerging information markets, crypto anarchy will create a liquid market for any and all material which can be put into words and pictures. And just as a seemingly minor invention like barbed wire made possible the fencing-off of vast ranches and farms, thus altering forever the concepts of land and property rights in the frontier West, so too will the seemingly minor discovery out of an arcane branch of mathematics come to be the wire clippers which dismantle the barbed wire around intellectual property.

    Timothy C. May (mid 1988)

    Arise, you have nothing to lose but your barbed wire fences!

    1. Anonymous Coward
      Thumb Up

      Re: For anyone who hasn't read the crypto-anarchists' manifesto...

      > mid 1988

      Holy shit. That's quite prescient. Reading that prediction is intellectually humbling.

    2. Anonymous Coward
      Anonymous Coward

      Re: For anyone who hasn't read the crypto-anarchists' manifesto...

      er ...

      Just as the technology of printing altered and reduced the power of medieval guilds and the social power structure,

      Well, you'd think. Except in 2017, when the populace should be the most well-informed ever, it's probably one of the least informed.

      And getting worse.

      The medieval guilds and social power structure pretty quickly worked out that flooding the media with Celebrity-Bake-Strictly-X-Dine-<insert current opium of the masses here> is a perfect antidote to people learning the truth.

      Plus the (re) emergence of "fake news, fake news" when that fails.

  13. Aodhhan Bronze badge

    How about this...

    Spend money on training and hiring detectives who aren't so effing lazy to actually dig a bit to find other evidence? Stop coddling law enforcement and make them get off their azz.

    There is more to solving a crime than pooling a huge amount of resources into breaking encryption. If it's all you have to go on, then the case is likely weak to begin with... move on.

    Not to mention the fact... the more law enforcement gripes about this subject, the more it's publicized; motivating people to learn more about encryption. Thus in the long run, making the job a lot tougher.

    If you can't think 3 moves ahead on this fact, how do you ever expect to solve complex crimes?

  14. Doctor Syntax Silver badge

    "There is also the question of whether law-enforcement agencies will be happy to share their knowledge."

    This will be got round by sharing it without intending to. And not necessarily with each other.

  15. Anonymous Coward
    Anonymous Coward

    Enlightenment

    "the commission is probably by now aware it’s onto a losing bet if it trots out the tired idea of simply banning or scuttling encryption"

    Do you think they could give Amber Rudd a call?

Biting the hand that feeds IT © 1998–2019