The Belgian government has removed ‘backdoor requirement’ from new law(tutanota.com)
tutanota.com
The Belgian government has removed ‘backdoor requirement’ from new law
https://tutanota.com/blog/posts/belgian-encryption-backdoor-law-stopped/
255 コメント
Article 7 of the Charter of Fundamental Rights, which was adopted with the Lisbon treaty, reads (in its entirety):
"Everyone has the right to respect for his or her private and family life, home and communications."
On the short term a change to the treaties of the Union is not realistic, in my opinion. So I am afraid we might be stuck with having "to fight over and over again", using the above as a foundation. I guess I think of it as educating the politicians.
Fortunately the pro-privacy voices in the EU seem loud enough. For example, in this case the Belgian national privacy authority had already complained about the proposed law. And Germany seems to have adopted the right to encryption in its latest coalition agreement.
"Everyone has the right to respect for his or her private and family life, home and communications."
On the short term a change to the treaties of the Union is not realistic, in my opinion. So I am afraid we might be stuck with having "to fight over and over again", using the above as a foundation. I guess I think of it as educating the politicians.
Fortunately the pro-privacy voices in the EU seem loud enough. For example, in this case the Belgian national privacy authority had already complained about the proposed law. And Germany seems to have adopted the right to encryption in its latest coalition agreement.
Yes, but this article of the Charter (and other laws) does not prevent lawful interception.
This is the crux of the issue: the so-called "pro-privacy" camp wants absolute privacy of communications.
Law enforcement and intelligence services are not against privacy, they are against systems that provide absolute privacy because these systems prevent even lawful interception.
Voice calls on your smartphone are private but may be lawfully intercepted. This is so because mobile networks are in the hands a few licensed and heavily policed operators. On the other hands, we've reached a point where it is simple to develop and publish software apps that allow anyone to communicate in a way that is impossible to intercept as far as we know.
This is not a simple issue. There is a valid concern but at the same time the potential ways to address it (e.g. backdoors, etc) are not very satisfactory.
This is the crux of the issue: the so-called "pro-privacy" camp wants absolute privacy of communications.
Law enforcement and intelligence services are not against privacy, they are against systems that provide absolute privacy because these systems prevent even lawful interception.
Voice calls on your smartphone are private but may be lawfully intercepted. This is so because mobile networks are in the hands a few licensed and heavily policed operators. On the other hands, we've reached a point where it is simple to develop and publish software apps that allow anyone to communicate in a way that is impossible to intercept as far as we know.
This is not a simple issue. There is a valid concern but at the same time the potential ways to address it (e.g. backdoors, etc) are not very satisfactory.
> Law enforcement and intelligence services are not against privacy
Name a LE or IS that hasn't repeatedly been caught doing surveillance for personal or political reasons and we'll talk.
In the US at least, they keep telling us that there are many cases that they thwart that they can't tell us about. However, we do see lots of "known wolf" attacks and shit-shows like Epstein.
Name a LE or IS that hasn't repeatedly been caught doing surveillance for personal or political reasons and we'll talk.
In the US at least, they keep telling us that there are many cases that they thwart that they can't tell us about. However, we do see lots of "known wolf" attacks and shit-shows like Epstein.
There's no such thing as kind of private. Either you cannot decrypt private citizen communications or you can. And if you can for any reason you also can for no reason at all.
>And if you can for any reason you also can for no reason at all.
This doesn't follow. We can require law enforcement to need a valid warrant before they can decrypt this information.
This doesn't follow. We can require law enforcement to need a valid warrant before they can decrypt this information.
[deleted]
The problem with "lawful"-whatever is that the lower the apparent impact on the target, the wider the net that is thrown. So the tool ends up having an outsized impact on the innocent rather than the guilty. Unlike the lawful use of a firearm by law enforcement officers, lawful decryption of data when an innocent person is targeted is a "safe", "victimless" abuse.
Imagine the uproar if a person being shot and killed during a court approved raid turns out to be completely innocent. Now imagine the silence when the same person just has their private chats or nude pics decrypted and seen by investigators.
Imagine the uproar if a person being shot and killed during a court approved raid turns out to be completely innocent. Now imagine the silence when the same person just has their private chats or nude pics decrypted and seen by investigators.
Exactly.. That argument died when dragnet surveillance and secret courts were introduced.
We're still here, fighting.
The right to a private home is the most basic right a creature is compelled to protect.
The right to a private home is the most basic right a creature is compelled to protect.
It should be as hard as humanly possible for them to intercept anything. They cannot be trusted with that power. They should have to literally move mountains in order to do it.
> I guess I think of it as educating the politicians.
What about the other way around? What makes you think it's not police hackers who value privacy just like us, and who strive to protect us, who requested this to politicians? That seems more likely.
What about the other way around? What makes you think it's not police hackers who value privacy just like us, and who strive to protect us, who requested this to politicians? That seems more likely.
Encryption is necessary for the entire modern economy, but also worthless when keystrokes can be remote-sensed, faces and other biometrics generated by the same AI that scan for them, and displays can be Van Eck phreaked.
Our near-term future has both unbreakable encryption and omniscient surveillance in the hands of low-budget and non-technical people, and in a fight between the two, surveillance wins.
I don’t know where the world goes from here, but I’m confident the status quo won’t be for much longer.
Our near-term future has both unbreakable encryption and omniscient surveillance in the hands of low-budget and non-technical people, and in a fight between the two, surveillance wins.
I don’t know where the world goes from here, but I’m confident the status quo won’t be for much longer.
Faces and biometrics are finding a formidable opponent in one of the positive externalities of COVID:
Masking.
Masking has effectively been normalized in the western world thanks to COVID. Masking is a huge win for a free society. Before COVID, it was actually illegal to hide your face in some US States and many countries [1]
Mask + sunglasses, and you should be effectively anonymous in public.
https://en.wikipedia.org/wiki/Anti-mask_law
Masking.
Masking has effectively been normalized in the western world thanks to COVID. Masking is a huge win for a free society. Before COVID, it was actually illegal to hide your face in some US States and many countries [1]
Mask + sunglasses, and you should be effectively anonymous in public.
https://en.wikipedia.org/wiki/Anti-mask_law
>Mask + sunglasses, and you should be effectively anonymous in public.
Until you start looking at things such as height + weight + gait.
Until you start looking at things such as height + weight + gait.
Yeah, I feel like people either overlook or underestimate the uniqueness of a person's gait. I feel the only issue with it is collecting the information on it, as it requires more than just a picture.
What if I put sharp-ish rocks in my shoes?
Sure, if you change the rocks daily, while wearing a mask, and having sunglasses on. However, the context was around how mask wearing and eye covering is fairly normalized at the moment, not about how people started enjoying putting rocks in their shoes.
Still a bit more difficult to implement than facial recognition, which is now trivial to set up with AWS Rekognition. Even Photoprism does a great job.
Facial recognition for bucketing photos is much easier than for biometric security. Both might still be easy these days (I wouldn’t know, I am not as in the loop for AI as I’d like to be), but the former was good enough at least a decade before people seriously used the latter.
Would something like gait be easy to fake - just being aware of how you walk... Putting a thumbtack in your right foot, or something along those lines?
It's interesting how the most apparently compelling arguments that were made against people wearing masks turn out to be false in practice. I can think of two categories:
1) the claim that the wearing of masks would impede law enforcement, including the passing of statues especially against masks on demonstrations
2) the claim that Muslim women wearing full religious head coverings could not be tolerated in public spaces because it was obvious that it would make it impossible to judge the mood or other psychologically important signals normally exchanged in public
None of this seems to have been true. Sure, there probably is some small validity to some aspects of those claims, but they seem to have been hugely exaggerated.
1) the claim that the wearing of masks would impede law enforcement, including the passing of statues especially against masks on demonstrations
2) the claim that Muslim women wearing full religious head coverings could not be tolerated in public spaces because it was obvious that it would make it impossible to judge the mood or other psychologically important signals normally exchanged in public
None of this seems to have been true. Sure, there probably is some small validity to some aspects of those claims, but they seem to have been hugely exaggerated.
Finally someone brings this up. Here in Belgium the rules around Islamic headdress were addresses by a law that says nobody can cover their face in public except during carnival and when riding a motorbike (full face helmet), thereby avoiding any explicit references to religion (unlike in France where it caused a sh*tstorm)
I was waiting for the anti mask crowd to challenge mask wearing in court by citing this law.
No idea if it's been amended or not. But it definitely used to be illegal to cover one's face.
I was waiting for the anti mask crowd to challenge mask wearing in court by citing this law.
No idea if it's been amended or not. But it definitely used to be illegal to cover one's face.
Except remote sensing keystrokes isn't as scalable as mass intercepting unencrypted network traffic
Indeed, you would need a rootkit in each target, logging and transmitting the keys. Something like a proprietary instant messaging client or keyboard application.
Remote sensing in this case is listening to the individual sound a key makes when pressed by the victim, and wear on the keys means that frequently used keys (such as 'e' or the space bar) would make a slightly different sound than the other keys, as does the hand/finger position used to press a key.
But you don't need that, you'd only get too much information you don't need. You need to intercept suspect network traffic only, otherwise you're most likely to fail to find anything useful at all.
Quantity has a quality all of it's own. Wiretaps against a specific individuals is a lot different than dragnets covering an entire nation.
Is Van Eck phreaking really a concern since moving from CRT? I know there is a paper showing it was possible for CRT but it seems impossible now. It would be easier to install a custom cable to wirelessly send the display currently.
https://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf
Electromagnetic Eavesdropping Risks of Flat-Panel Displays
Electromagnetic Eavesdropping Risks of Flat-Panel Displays
Heh, who would have thought that HDCP would actually be useful for something? (Yeah, yeah, I know -- the authors of the papers did...)
Everytime something good happens someone have to come up with something to make our efforts seem hopeless.
I'll say our efforts are not without hope for now.
I'll say our efforts are not without hope for now.
If it's a "fight over and over" situation, the ratcheting dynamics are important.
IE, "we" need to walk away from a win with something more than "status quo defended." Otherwise, the situation is "hold ground until we fail."
IE, "we" need to walk away from a win with something more than "status quo defended." Otherwise, the situation is "hold ground until we fail."
Came to say this. It's only temporary victory, sadly.
The efforts to ban encryption won't stop here.
The efforts to ban encryption won't stop here.
> The efforts to ban encryption won't stop here.
How is this supposed to work? Can't the bad guys just send each other encryped emails anyway? Or hack together some peer-to-peer messenger?
How is this supposed to work? Can't the bad guys just send each other encryped emails anyway? Or hack together some peer-to-peer messenger?
Time for all companies to stop providing online services in Belgium, then.
Right after winning a battle is the worst possible time to give up.
The above applies to every single country in the planet. Time for all companies to stop providing online services anywhere period?
We need actual workable ideas, not empty statements. It is frustrating that this fight doesn't end. If you have real suggestions, I'd like to hear them.
We need actual workable ideas, not empty statements. It is frustrating that this fight doesn't end. If you have real suggestions, I'd like to hear them.
Well I'm not aware of any such efforts in my country. I thought the comment above about "the current administration" was about Belgium.
Which country is that? You probably haven't dug deep. If you live anywhere in north america, the EEA, china, russia, india or australia, then I'm aware of such efforts and I don't exactly follow this closely. I just live in Belgium...
I'm Czech. I'm really not aware of any "efforts to ban encryption", and given our history with the StB (https://en.wikipedia.org/wiki/StB), local population really wouldn't react well to that. I just don't see any possible parliament composition willing to pass a law along any such lines.
You're affected by EU-wide encryption-related laws and discussions. The EU is less insane than the US on that front, but issues like this still appear once in a while, and have to regularly be defeated…
As I said, the chances of anything like this being adopted on a national level are virtually zero. Good luck to any such directive coming from Brussels. Hell, I wonder if this couldn't trigger yet another constitutional amendment like the last one if it comes to that.
Even constitutions only offer very limited protection. There was a recent case in Germany where the government simply ignored the ruling of the supreme court (Federal Constitutional Court). And keep in mind that this is the government with leading influence on the EU. I don't know about everywhere else but at least in Europe rule of law isn't as strong as people assume.
The US constitution also offers limited protection - it's subject to interpretation by judges, and re-interpretation by a growing body of people who think that it "needs to be updated" and "is a living document" and "is not absolute". Your fight for your rights will never end, as evil people will always be elected to office. Just because your officials are not literally Hitler doesn't mean that they won't be trying to infringe upon your rights.
Since you (or realistically anyone) downvoted me rather than engaging, i feel like I should elaborate.
Our modern understanding of rights is not wholesale received from the time that the constitution was written. The concept itself has evolved over time into what you cherish now. 200 years ago, the constitutional protections one received were far more limited than they are now.
Our modern understanding of rights is not wholesale received from the time that the constitution was written. The concept itself has evolved over time into what you cherish now. 200 years ago, the constitutional protections one received were far more limited than they are now.
It’s normal for interpretation to change over time as the society within which we live changes.
You’d likely be disappointed by the 18th century interpretation of the first amendment, for example.
You’d likely be disappointed by the 18th century interpretation of the first amendment, for example.
Agreed, I think we need to change the narrative to get the politicians to "get it". Instead of all the talk about protecting us from __________ (random evil), we need to highlight the consequence of these plans. We need journalists to ask politicians to hand over their unlocked phones with the "promise" that they won't share anything they learn. That is what these backdoors would enable. We need to make them understand the downside because all "save the kids" will always have public support.
I don't think encryption backdoors will ever be enforceable, even if it becomes a legal requirement. What's to stop someone from just doing it anyway if we use protocols that allow for plausible deniability?
Wouldn't a company such as WhatsApp (Facebook) drop the Belgian user base in a heartbeat if they would actually be confronted with a law like this? My guess is they would much rather lose a few million users than having to deal with the bad publicity and the intrusive technical challenges that come with a requirement such as this.
Belgium isn't as small as people think.
Both in total GDP and GDP per capita it is around top 20 country globally.
Facebook isn't allowed to track non-Facebook users in Belgium. As a response, all Facebook pages are now behind a login wall in Belgium.
Lootboxes (random rewards in videogames) are not allowed in Belgium, games no longer provide "random" drops (EA, Valve, ...)
Facebook isn't allowed to track non-Facebook users in Belgium. As a response, all Facebook pages are now behind a login wall in Belgium.
Lootboxes (random rewards in videogames) are not allowed in Belgium, games no longer provide "random" drops (EA, Valve, ...)
I totally agree that it's probably worthwhile to implement some country specific logic for a user base of that size and ad revenue per user. But specifically with regards to this, I really can't imagine they would agree to do this. Suppose they do, it's probably not a bad guess that they would lose more users globally due to the bad publicity it would generate than they would lose by cutting off Belgium.
On the technical front, your examples are good and valid, but they seem like features that are pretty straight forward to feature flag per country. Something like disabling end-to-end encryption looks a lot more intrusive to me (without being a subject matter, feel free to correct me). Whatever WhatsApp built, they built it to enable end-to-end encryption on a global scale, to enable anyone from around the globe to send an encrypted message around the globe. Poking a hole in that seems non-trivial.
On the technical front, your examples are good and valid, but they seem like features that are pretty straight forward to feature flag per country. Something like disabling end-to-end encryption looks a lot more intrusive to me (without being a subject matter, feel free to correct me). Whatever WhatsApp built, they built it to enable end-to-end encryption on a global scale, to enable anyone from around the globe to send an encrypted message around the globe. Poking a hole in that seems non-trivial.
As a Belgian I guesstimate that WhatsApp has more than 80% of IM market share here.
> it's probably not a bad guess that they would lose more users globally due to the bad publicity it would generate than they would lose by cutting off Belgium.
But this is what all the tech companies do in China.
I don't think its hard to "defend" complying with the Belgian government that faces a terrorist network and drug cartel problem bigger than any other 1st world country (in relative terms).
> Poking a hole in that seems non-trivial.
They operated without E2E for many years though. I doubt that non-encrypted chat is even revoked. And even if they pulled, there's many alternatives available. It's not like Belgium is worried about Meta's revenue.
> it's probably not a bad guess that they would lose more users globally due to the bad publicity it would generate than they would lose by cutting off Belgium.
But this is what all the tech companies do in China.
I don't think its hard to "defend" complying with the Belgian government that faces a terrorist network and drug cartel problem bigger than any other 1st world country (in relative terms).
> Poking a hole in that seems non-trivial.
They operated without E2E for many years though. I doubt that non-encrypted chat is even revoked. And even if they pulled, there's many alternatives available. It's not like Belgium is worried about Meta's revenue.
Meta doesn't operate in China though, for not wanting to comply with their requirements of state-controlled censorship. I could see them applying similar reasoning here on principle (my god, I just used 'Meta' and 'principle' in the same sentence, I must be high). Another tech company might jump in that hole of course.
With regards to E2E, I wonder how it would work when you want to chat with someone outside Belgium though. If I'm the person outside Belgium, I wouldn't want E2E to be disabled just like that. And if WhatsApp can only be used between Belgians, that's quite a hinderance.
Belgium doesn't care about Meta revenue and rightly so, but if a law would be the reason that Meta pulls the plug on Belgium, that seems like a cause for a possible serious political backlash.
With regards to E2E, I wonder how it would work when you want to chat with someone outside Belgium though. If I'm the person outside Belgium, I wouldn't want E2E to be disabled just like that. And if WhatsApp can only be used between Belgians, that's quite a hinderance.
Belgium doesn't care about Meta revenue and rightly so, but if a law would be the reason that Meta pulls the plug on Belgium, that seems like a cause for a possible serious political backlash.
I wouldn't give FB/Meta _too_ much credit. I'm pretty sure they would comply with China's regulations if they were able to. It seems much more likely that FB cannot effectively moderate the amount of content people post and cannot comply.
For your second point, to me that's the same kind of feature work GP was talking about: Just add a little UI that says "Hey, you're speaking with someone in a country that doesn't support encryption. Your messages are unencrypted".
Also agreeing with GP, screw Meta! As a Belgian I could care less about one company when it comes to the rights and laws of my country. They can definitely make suggestions like everyone else, but they also need to follow each country's laws like everyone else.
For your second point, to me that's the same kind of feature work GP was talking about: Just add a little UI that says "Hey, you're speaking with someone in a country that doesn't support encryption. Your messages are unencrypted".
Also agreeing with GP, screw Meta! As a Belgian I could care less about one company when it comes to the rights and laws of my country. They can definitely make suggestions like everyone else, but they also need to follow each country's laws like everyone else.
Meanwhile there's a high likelihood that there's a backdoor in the Intel processors (and maybe now also AMD ones ?) that was put there by the NSA... and hardy anyone seems to care ?
https://blog.invisiblethings.org/2015/10/27/x86_harmful.html
https://blog.invisiblethings.org/2015/10/27/x86_harmful.html
Intel's processor's ME does not have a backdoor and the chance there is a remotely exploitable vulnerability is minimal.
Hardly anyone cares because it is mostly schizo people who fall for these conspiracy theories.
Hardly anyone cares because it is mostly schizo people who fall for these conspiracy theories.
"Intel's processor's ME does not have a backdoor"
Can you prove it? It would at least raise confidence if
* It was open source.
* It could be disabled.
* NSA hadn't requested from intel for their own undocumented way to disable ME.
"the chance there is a remotely exploitable vulnerability is minimal"
https://www.intel.com/content/www/us/en/support/articles/000...
"Hardly anyone cares because it is mostly schizo people who fall for these conspiracy theories."*
I can't appreciate the slur against people with schizophrenia. In addition to that, it feels like you would say the same about NSA spying before the Snowden revelations.
Although I do wonder, if there was a backdoor in intel processors for the law enforcement to access, would you support it?
Can you prove it? It would at least raise confidence if
* It was open source.
* It could be disabled.
* NSA hadn't requested from intel for their own undocumented way to disable ME.
"the chance there is a remotely exploitable vulnerability is minimal"
https://www.intel.com/content/www/us/en/support/articles/000...
"Hardly anyone cares because it is mostly schizo people who fall for these conspiracy theories."*
I can't appreciate the slur against people with schizophrenia. In addition to that, it feels like you would say the same about NSA spying before the Snowden revelations.
Although I do wonder, if there was a backdoor in intel processors for the law enforcement to access, would you support it?
>Can you prove it?
I can't prove it. But Intel has gone on record stating there is no backdoor. People who have reverse engineered it have not stated there is a backdoor.
>* It was open source.
You could say the name thing about Windows. People and business have reasons why they want to restrict access to the source come.
>* It could be disabled.
The ME is required for your computer to properly boot. If it was disabled, then your computer wouldn't work.
>* NSA hadn't requested from intel for their own undocumented way to disable ME.
The government can be overly paranoid. Just look at the procedures they have had for disposing harddrives when simply zeroing the drive was enough.
>linked vulnerability
That vulnerability required someone to have physical access to your machine no they could attach a flasher to it. Once an attacker has physical access to your machine most people would consider this game over. That vulnerability was not remotely executable.
>In addition to that, it feels like you would say the same about NSA spying before the Snowden revelations.
I don't know enough about the Snowden revelations to answer this.
>if there was a backdoor in intel processors for the law enforcement to access, would you support it?
If access could be implemented in a secure way and it required a warrant then yes I would support it. It would be a better alternative than someone breaking down your door to physically take your computer leaving you without one for months or never being able to retrieve it.
I can't prove it. But Intel has gone on record stating there is no backdoor. People who have reverse engineered it have not stated there is a backdoor.
>* It was open source.
You could say the name thing about Windows. People and business have reasons why they want to restrict access to the source come.
>* It could be disabled.
The ME is required for your computer to properly boot. If it was disabled, then your computer wouldn't work.
>* NSA hadn't requested from intel for their own undocumented way to disable ME.
The government can be overly paranoid. Just look at the procedures they have had for disposing harddrives when simply zeroing the drive was enough.
>linked vulnerability
That vulnerability required someone to have physical access to your machine no they could attach a flasher to it. Once an attacker has physical access to your machine most people would consider this game over. That vulnerability was not remotely executable.
>In addition to that, it feels like you would say the same about NSA spying before the Snowden revelations.
I don't know enough about the Snowden revelations to answer this.
>if there was a backdoor in intel processors for the law enforcement to access, would you support it?
If access could be implemented in a secure way and it required a warrant then yes I would support it. It would be a better alternative than someone breaking down your door to physically take your computer leaving you without one for months or never being able to retrieve it.
"I can't prove it."
I would suggest not using slurs and claim that people who think otherwise are schizophrenic then.
"But Intel has gone on record stating there is no backdoor"
It would not be much of a backdoor if they said otherwise.
"People who have reverse engineered it have not stated there is a backdoor."
I am curious about that. Got a link?
"The government can be overly paranoid."
No reason for civilians not to be as paranoid.
"People and business have reasons why they want to restrict access to the source come."
Obviously, one of them is hiding backdoors. Not saying that closed source software has to be backdoored, it just does not raise confidence.
"It would be a better alternative than someone breaking down your door"
Why not let the government have a master-key of every door then? Sounds like a solution in similar spirit.
"If access could be implemented in a secure way and it required a warrant"
Got any technical suggestion regarding its implementation? How would you make sure that a warrant would be required and that the private key would not leak?
I would suggest not using slurs and claim that people who think otherwise are schizophrenic then.
"But Intel has gone on record stating there is no backdoor"
It would not be much of a backdoor if they said otherwise.
"People who have reverse engineered it have not stated there is a backdoor."
I am curious about that. Got a link?
"The government can be overly paranoid."
No reason for civilians not to be as paranoid.
"People and business have reasons why they want to restrict access to the source come."
Obviously, one of them is hiding backdoors. Not saying that closed source software has to be backdoored, it just does not raise confidence.
"It would be a better alternative than someone breaking down your door"
Why not let the government have a master-key of every door then? Sounds like a solution in similar spirit.
"If access could be implemented in a secure way and it required a warrant"
Got any technical suggestion regarding its implementation? How would you make sure that a warrant would be required and that the private key would not leak?
>I would suggest not using slurs and claim that people who think otherwise are schizophrenic then.
I'm not sure what you expect from me. I similarly can't prove that almost every piece of hardware and software isn't backdoored, but it would be silly to think that it all is especially if you have experience designing hardware or software products.
At least the people who do talk to me about being afraid of the ME often are overly paranoid and don't have a good understanding of hardware / software. These people often think ARM's TrustZone is an equivalent to ME.
>It would not be much of a backdoor if they said otherwise.
Intel is kind of in an impossible situation then. They can't prove there is no backdoor because it wouldn't be much of a backdoor if they showed you. You have to trust Intel that they are developing a secure product. It is Intel's best interest to develop a secure product.
>I am curious about that. Got a link?
I can't link to something that doesn't exist, but there have been a few people / teams who have attempted reversing it which you can find by googling.
>No reason for civilians not to be as paranoid.
Sure people can be paranoid, but it can get in the way of them living their life.
>Why not let the government have a master-key of every door then?
This seems like a logistical nightmare, but something similar already exists for emergency purposes such as for fire fighters.
>Got any technical suggestion regarding its implementation?
People who sign warrants have a hardware device which holds their private key. If this device gets lost or stolen the key can be invalidated. The private key wouldn't leak because you can't access the key itself. The hardware device could potentially also have a rate limit like 100 machines per day to limit abuse.
I'm not sure what you expect from me. I similarly can't prove that almost every piece of hardware and software isn't backdoored, but it would be silly to think that it all is especially if you have experience designing hardware or software products.
At least the people who do talk to me about being afraid of the ME often are overly paranoid and don't have a good understanding of hardware / software. These people often think ARM's TrustZone is an equivalent to ME.
>It would not be much of a backdoor if they said otherwise.
Intel is kind of in an impossible situation then. They can't prove there is no backdoor because it wouldn't be much of a backdoor if they showed you. You have to trust Intel that they are developing a secure product. It is Intel's best interest to develop a secure product.
>I am curious about that. Got a link?
I can't link to something that doesn't exist, but there have been a few people / teams who have attempted reversing it which you can find by googling.
>No reason for civilians not to be as paranoid.
Sure people can be paranoid, but it can get in the way of them living their life.
>Why not let the government have a master-key of every door then?
This seems like a logistical nightmare, but something similar already exists for emergency purposes such as for fire fighters.
>Got any technical suggestion regarding its implementation?
People who sign warrants have a hardware device which holds their private key. If this device gets lost or stolen the key can be invalidated. The private key wouldn't leak because you can't access the key itself. The hardware device could potentially also have a rate limit like 100 machines per day to limit abuse.
This seems to be talking about bugs that could be exploited. If there was evidence for a backdoor then it would be global news.
You might believe there's a backdoor but unless you can prove it what do you want people to do?
You might believe there's a backdoor but unless you can prove it what do you want people to do?
> bugs that could be exploited
That's how you hide a backdoor in open source software.
That's how you hide a backdoor in open source software.
Those MINIX cores have been a subject of scrutiny for many years, just not by the people who you'd encounter in your day-to-day. There are definitely people who care, but they've basically started waving the white flag at this point. Pretty much every modern CPU (as well as the software running on it) has some degree of government oversight/intervention, trying to circumvent it is a hobbyist effort, and an often unsuccessful one at that.
They fought against a law and changed one article. "They fought" but there were many others in that fight. The article is very poorly worded, I guess they contributed to a change in the law but not repealed the law (like the title suggests) and they were not the major contributor. They need a better writer.
Well tutanota is a small company with around two handful employees afaik, I'd assume their budget for maintaining their blog is very limited. Obviously they use their own media channels to portrait themselves as positive as possible, nothing wrong with that in my eyes. It's not that they were spreading any lies or so
[deleted]
hmm... reading western news for a while you would think china is the only one that has back doors.
Thanks!
Not to downplay this result, after all this was achieved in Belgium, home of Brussels & EU institutions, which probably have great influence over local politics. However it's still sad that we have to celebrate such small victories and we're not fighting towards establishing law that promote positive rights towards protecting privacy both against private and public entities.
We're on the back foot here, and the general public is not even aware of this.I used to think this was about technological literacy but i don't think that's the case: most people don't know what's going on, they don't necessarily care how it happens, they just need to know the end "result", which they don't.Another issue is "law language" being hard to swallow, and politicians can always wrap this language as a candy and pretend it's to : protect the children, against terrorism, or some other minuscule reason that won't justify the abuse and also logistically can't be enforced in an online medium.
We're on the back foot here, and the general public is not even aware of this.I used to think this was about technological literacy but i don't think that's the case: most people don't know what's going on, they don't necessarily care how it happens, they just need to know the end "result", which they don't.Another issue is "law language" being hard to swallow, and politicians can always wrap this language as a candy and pretend it's to : protect the children, against terrorism, or some other minuscule reason that won't justify the abuse and also logistically can't be enforced in an online medium.
1337shadow(5)
1337shadow(6)
I wish we would just come up with a strong, transparant legal decryption framework already.
We moved our lives completely digital before e2e encryption came around, claiming that we cannot go without e2ee is false.
The "new law" is actually an update of an existing law and it would've forced "apps" (e.g. WhatsApp) to provide the same kind of text logs on request like the telcos have been doing for call log/SMS/location.
The "new law" is actually an update of an existing law and it would've forced "apps" (e.g. WhatsApp) to provide the same kind of text logs on request like the telcos have been doing for call log/SMS/location.
It took governments a while to catch up, and now they have. In the arms race between privacy and surveillance, E2E is the next shield against the weapon of mass surveillance.
Governments have always had warrant requirements, until they decided they didn't need them. If you want my data, get a warrant.
The US had it's own top secret database breached.. because they used a discount contractor. I choose to keep my data in higher regard.
Bulk SMS/location is also a horrible failure of justice and it harms innocent people so that a few criminals may be caught. This is backwards.
It is better that a criminal go unpunished than for a single innocent person to be harmed wrongfully by the government.
Governments have always had warrant requirements, until they decided they didn't need them. If you want my data, get a warrant.
The US had it's own top secret database breached.. because they used a discount contractor. I choose to keep my data in higher regard.
Bulk SMS/location is also a horrible failure of justice and it harms innocent people so that a few criminals may be caught. This is backwards.
It is better that a criminal go unpunished than for a single innocent person to be harmed wrongfully by the government.
> It is better that a criminal go unpunished than for a single innocent person to be harmed wrongfully by the government.
That really depends on the number of criminals and the total harm they cause to our society versus the harm caused by the government.We've been having "liberty versus security" debates for centuries and the balance is always changing.
Tomorrow, we decide to re-instate the death penalty for people who commit murder.
Our very well trained seers (who are always right) tell us that this will reduce murder by 90%.. but 1/20 people we execute will be innocent of the crime.
Do we take the bargain?
Our very well trained seers (who are always right) tell us that this will reduce murder by 90%.. but 1/20 people we execute will be innocent of the crime.
Do we take the bargain?
That's a really interesting ethical question. It's what the right wight asks: most immigrants are fine, but 1/20 will be radicalized, even commit terrorism acts such as mass murder, do we take the bargain? French president Francois Hollande testified in court that he knew and took the bargain, then, we had Bataclan, Samuel Paty, and so on (please don't make me do the exhaustive list).
Now the question is, what would make one decide to apply whatever answer they give here, but not there? Definitely food for thought!
Now the question is, what would make one decide to apply whatever answer they give here, but not there? Definitely food for thought!
Yes, I would take that bargain.
Reducing 193 murder victims (Belgium 2017) to 19.3 victims. Assuming there's a 1:1 victim/killer ratio, that would mean ~20 executed killers of which 1 is innocent.
So, "accidentally" killing 1 person to save 173 lives.
Reducing 193 murder victims (Belgium 2017) to 19.3 victims. Assuming there's a 1:1 victim/killer ratio, that would mean ~20 executed killers of which 1 is innocent.
So, "accidentally" killing 1 person to save 173 lives.
Are you ok with being the sacrificial lamb?
The USA has secret courts that are happy to issue secret warrants to spy on every single customer of a major telco.
Your "legal decryption framework" will be abused precisely the same way - it would be laughably naive to expect anything else.
Your "legal decryption framework" will be abused precisely the same way - it would be laughably naive to expect anything else.
I am very pleased to see that the _current_ administration came to their senses and listened to reason. However, this is a fight i am afraid we will always have to fight over and over again unless right to encryption is codified in EU constitution or a similar document.