European court favors strong encryption, calling it key to privacy rights(washingtonpost.com)
washingtonpost.com
European court favors strong encryption, calling it key to privacy rights
https://www.washingtonpost.com/technology/2024/03/05/encryption-eu-human-rights-privacy-ruling/
28 comments
"International law scholars consider the ECHR to be the most effective international human rights court in the world."
https://en.wikipedia.org/wiki/European_Court_of_Human_Rights...
There are 46 state members of Council of Europe: https://en.wikipedia.org/wiki/Member_states_of_the_Council_o...
In principle human rights are considered civilizational legacy, and the opinions are highly considered by other courts. However, the public policy of particular states is often at odds with these opinions.
There are 46 state members of Council of Europe: https://en.wikipedia.org/wiki/Member_states_of_the_Council_o...
In principle human rights are considered civilizational legacy, and the opinions are highly considered by other courts. However, the public policy of particular states is often at odds with these opinions.
As of a few months ago, the UK was still discussing separating from the ECHR [1], so they may yet snatch their success from the jaws of failure either way.
Reading between the lines of their Q&A [2], it seems largely de facto and functionally voluntary for the participating nations to comply, perhaps straying into strongly-worded letter of disappointment territory in the case of a failure to comply. And they can apparently just leave. How do you push around a sovereign entity with a military? Sanctions, I guess.
[1] https://www.ibanet.org/UK-ministers-continue-to-discuss-dras...
[2] https://www.echr.coe.int/documents/d/echr/50questions_eng
Reading between the lines of their Q&A [2], it seems largely de facto and functionally voluntary for the participating nations to comply, perhaps straying into strongly-worded letter of disappointment territory in the case of a failure to comply. And they can apparently just leave. How do you push around a sovereign entity with a military? Sanctions, I guess.
[1] https://www.ibanet.org/UK-ministers-continue-to-discuss-dras...
[2] https://www.echr.coe.int/documents/d/echr/50questions_eng
The level of protection you get from the ECHR is very dependent on what country you are in and how they interpret the convention.
In some countries such as Denmark the ECHR and its rulings are considered to be absolutely binding and self executing by the national courts:
> The European Convention on Human Rights is implemented in Danish law. This means that the convention is directly applicable in Denmark. Danish law must therefore be interpreted in accordance with the convention.
In other countries rulings are routinely fully or partially ignored (for example the UK entirely ignored an ECHR ruling on prisoners voting).
In some countries such as Denmark the ECHR and its rulings are considered to be absolutely binding and self executing by the national courts:
> The European Convention on Human Rights is implemented in Danish law. This means that the convention is directly applicable in Denmark. Danish law must therefore be interpreted in accordance with the convention.
In other countries rulings are routinely fully or partially ignored (for example the UK entirely ignored an ECHR ruling on prisoners voting).
This isn't a good thing. It's a step towards regulating the kinds of encryption required to market software in the EU. Once there are rules on the kinds of encryption that must be used, then a backdoored algorithm can be required by law.
We want companies to choose the cryptographic algorithms based on what is recommended by experts in the field. The experts in cryptography inform software engineers, who implement the algorithms where they work. They pass on good software recommendations to family members and friends who ask. That leads to a world where everyone is using Signal, or a competent competitor. The chain of trust is organic and legitimate all the way from the user to the person that told them to use signal, to the domain expert that said signal uses solid cryptography to the cryptographers designing the algorithms.
If you want privacy you have to create demand for it. Markets can satisfy demand, legislating supply creates excess unwanted things (like backdoored algorithms).
We want companies to choose the cryptographic algorithms based on what is recommended by experts in the field. The experts in cryptography inform software engineers, who implement the algorithms where they work. They pass on good software recommendations to family members and friends who ask. That leads to a world where everyone is using Signal, or a competent competitor. The chain of trust is organic and legitimate all the way from the user to the person that told them to use signal, to the domain expert that said signal uses solid cryptography to the cryptographers designing the algorithms.
If you want privacy you have to create demand for it. Markets can satisfy demand, legislating supply creates excess unwanted things (like backdoored algorithms).
We regret to inform you but we have run out of pure good things. (Also pure bad things too, so yeey?)
It's a step, but precedent is (was) already established (US export controls on crypto), and regulations can take two steps at once. (It's not a nice discrete process.) And yes, of course, it's a trade off. Mandating strong encryption and sane security (no preset password in IoT/other devices), and the usual nice things (security updates) for things sold in the EU definitely puts these things in the regulated sphere. (Also, a hypothetical "right of the people to keep and bear Cryptography" law is also regulation, it's just a trivial one. And then folks start talking about what is and what is not Cryptography. And we're back to square whatever.)
It's a step, but precedent is (was) already established (US export controls on crypto), and regulations can take two steps at once. (It's not a nice discrete process.) And yes, of course, it's a trade off. Mandating strong encryption and sane security (no preset password in IoT/other devices), and the usual nice things (security updates) for things sold in the EU definitely puts these things in the regulated sphere. (Also, a hypothetical "right of the people to keep and bear Cryptography" law is also regulation, it's just a trivial one. And then folks start talking about what is and what is not Cryptography. And we're back to square whatever.)
What in the article motivates you to write such comment? The only thing that this court rules does is to reaffirm the right of privacy, and that non-broken encryption is one of the guarantees that citizens have to obtain the right.
> The court praised end-to-end encryption generally, noting that it “appears to help citizens and businesses to defend themselves against abuses of information technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information.”
> The court praised end-to-end encryption generally, noting that it “appears to help citizens and businesses to defend themselves against abuses of information technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information.”
>it would have to install a back door that would work against everyone
Right, what's the point in e2ee if you can just receive a backdoor in the official client and you can't have an independent client, because hello it's a walled garden?
Right, what's the point in e2ee if you can just receive a backdoor in the official client and you can't have an independent client, because hello it's a walled garden?
meanwhile most European countries are surveilling their own people.
EFF press announcement https://news.ycombinator.com/item?id=39609256
[dupe]
More over here on EFF post:
European Court Confirms: Weakening Encryption Violates Fundamental Rights
https://news.ycombinator.com/item?id=39609256
More over here on EFF post:
European Court Confirms: Weakening Encryption Violates Fundamental Rights
https://news.ycombinator.com/item?id=39609256
[deleted]
[deleted]
[deleted](1)
About f time. Europe was leaning heavily into the we need watch everything to keep you safe there for a bit
This won't stop them and the respite from "ChatControl" is only temporary. This isn't over, they will try again and again. It'll come back under a different name, just like Google keeps coming up with tracking initiatives when they're shut down. They just perk it up, add some 'privacy safeguards' and a cool new branding, perhaps find some way to tie it in to the latest scandal in the news, and try again and hope the next one sticks.
It's not even a conspiracy, there's just a huge lobby profiting from this and they will keep pushing. It's business.
And this was far from a decisive victory. It came very close to being implemented, unlike previous attempts. This was already attempt 2 and that's in this particular push only https://european-pirateparty.eu/chatcontrol-the-sequel-nobod...
We have to stay vigilant. Don't forget this is the organisation that tried to push software patents through during a meeting of farming ministers.
The European court is on our side here but the commission is not.
Ps I don't really understand the downvotes. I don't think I'm saying anything untoward. And in EU privacy circles (which I follow strongly) the feeling is very much "we won this battle but not the war". I'm not complaining, just wondering.
Don't forget here in Europe freedom isn't as huge a selling point as it is in the US. And even that has made several attempts over the years including the infamous clipper chip.
It's not even a conspiracy, there's just a huge lobby profiting from this and they will keep pushing. It's business.
And this was far from a decisive victory. It came very close to being implemented, unlike previous attempts. This was already attempt 2 and that's in this particular push only https://european-pirateparty.eu/chatcontrol-the-sequel-nobod...
We have to stay vigilant. Don't forget this is the organisation that tried to push software patents through during a meeting of farming ministers.
The European court is on our side here but the commission is not.
Ps I don't really understand the downvotes. I don't think I'm saying anything untoward. And in EU privacy circles (which I follow strongly) the feeling is very much "we won this battle but not the war". I'm not complaining, just wondering.
Don't forget here in Europe freedom isn't as huge a selling point as it is in the US. And even that has made several attempts over the years including the infamous clipper chip.
> This was already attempt 2
Agree with almost everything else, but if you're counting attempt number one as the one a couple years ago allowing services to do the scanning if they wanted it's a bit disingenuous to put it in the same category as mandating that they do
Agree with almost everything else, but if you're counting attempt number one as the one a couple years ago allowing services to do the scanning if they wanted it's a bit disingenuous to put it in the same category as mandating that they do
The fundamental problem is that the EU's regulatory bodies do not understand technology. Regulation in the EU has turned into a bona-fide industry, and it's a massive train of the blind leading the blind.
Whether it's with Article 45 trying to break PKI [1], or with the AI Act trying to regulate the transformer model itself [2], or with ChatControl trying to surveil everyone, EU regulation is clearly a clownshow at this point where you get cheered on as long as you propose some regulation, any regulation!
[1]:https://www.eff.org/deeplinks/2023/11/article-45-will-roll-b...
[2]: https://twitter.com/arthurmensch/status/1725076260827566562?...
Whether it's with Article 45 trying to break PKI [1], or with the AI Act trying to regulate the transformer model itself [2], or with ChatControl trying to surveil everyone, EU regulation is clearly a clownshow at this point where you get cheered on as long as you propose some regulation, any regulation!
[1]:https://www.eff.org/deeplinks/2023/11/article-45-will-roll-b...
[2]: https://twitter.com/arthurmensch/status/1725076260827566562?...
There have been positive changes at EU commission lately regarding this Article 45 thing:
https://securityriskahead.eu/wp-content/uploads/2024/02/Mozi...
https://securityriskahead.eu/wp-content/uploads/2024/02/Mozi...
eIDAS is also a bad thing for privacy in my opinion because it's going to make it much easier for websites you request identification online. I believe identification should remain a barrier, the same way you don't ID yourself at every physical store you enter. eIDAS doesn't mandate this but it does prepare the technological foundations to do that online.
And it doesn't have much to do with PKI breaking, though it's nice that tangential link was removed, it's indeed good that that attempt was called out.
Removing the most objectionable content doesn't make it a good thing though.
And again this is a big business lobby championed by Thierry Breton. This is not something the voters asked for, it's something the industry wants.
And it doesn't have much to do with PKI breaking, though it's nice that tangential link was removed, it's indeed good that that attempt was called out.
Removing the most objectionable content doesn't make it a good thing though.
And again this is a big business lobby championed by Thierry Breton. This is not something the voters asked for, it's something the industry wants.
[deleted]
osigurdson(1)
Although digital rights advocates said they don’t expect Russia, one of the signatories to the human rights convention, to change its laws, they said the United Kingdom, also a signatory, is likely to modify pending legislation that had sought to bring similar pressure on companies there.
“This will have to be taken into account,” said Ioannis Kouvakas, an assistant general counsel at the U.K.-based rights group Privacy International, which intervened in the Telegram case. “It would be the U.K. setting itself up for failure if they think this doesn’t apply.”
That's a 'likely' followed by a quote by an advocate who also sounds a bit circumspect - not, say, 'this would be a violation of UK's obligations and subject to legal challenge' but just 'setting itself up for failure', whatever that means.