The Endless Encryption Battle
European police chiefs published a joint declaration this week highlighting their "deep concern" about tech companies’ increasing use of end-to-end encryption (E2EE). They say the technology is being used in ways that "undermine their ability to investigate crime and keep the public safe".
In one particularly sensationalist quip, Europol’s Executive Director went so far as to say that "our homes are becoming more dangerous than our streets".
If this all sounds pretty familiar, that’s because it is. For the past few years, politicians and police forces around the world have criticized E2EE while offering very little in terms of viable solutions that balance privacy with security.
So let’s take a look at some of the main criticisms facing E2EE and explore what’s next for this vital technology.
Before going any further, it’s worth stressing that the crimes the police highlight are concerning and deserve attention. However, E2EE is not the root cause of these problems. In some cases, the technology may enable them, but abolishing E2EE would not magically prevent crime.
In the joint declaration, the police chiefs warn that the expanding use of E2EE means "companies will not be able to respond effectively to a lawful authority. Nor will they be able to identify or report illegal activity on their platforms. As a result, we will simply not be able to keep the public safe".
This hardline stance fails to acknowledge the legitimate reasons why E2EE exists and the vital role it plays in securing digital communications and protecting us all, not to mention the other ways platforms are working to maintain their users’ safety.
While law enforcement’s concerns may appear valid, portraying E2EE as uniquely responsible for enabling crime is misguided. Instead, we should strive to balance the need for public safety with the rights to privacy and secure communications that E2EE provides.
The police say they’re aware of this, writing:
We are committed to supporting the development of critical innovations, such as encryption, as a means of strengthening the cyber security and privacy of citizens. However, we do not accept that there need be a binary choice between cyber security or privacy on the one hand and public safety on the other. Absolutism on either side is not helpful. Our view is that technical solutions do exist; they simply require flexibility from industry as well as from governments.
That sounds great! But the devil is in the detail and the question must be asked: what exactly are these technical solutions?
It’s now broadly accepted that any attempt to weaken E2EE in almost any way would create vulnerabilities that malicious actors could exploit. And client-side scanning — which involves scanning encrypted communications on the user's device — has numerous drawbacks.
In an open letter, a group of security and privacy researchers said the mechanism would amount to “placing a mandatory, always-on automatic wiretap in every device to scan for prohibited content”. That’s not to mention questions surrounding the technology’s accuracy and the potential to redefine the type of content being searched for.
Until such a solution exists and is made widely available for scrutiny, police officials may benefit from remembering that only last month the European Court of Human Rights ruled that the weakening of encryption violates the human right to privacy.
More on This Story
Reclaim the Net: Privacy Under Siege: Europol and the UK Crime Agency Target Encryption, Call For Backdoors
Privacy International: Securing Privacy: PI on End-to-End Encryption
TechCrunch: European police chiefs target E2EE in latest demand for ‘lawful access’
New from Top10VPN
What Does a VPN Actually Hide: Expert Advice (Plus What ISN'T Hidden)
In our latest YouTube video, site editor Callum Tennent runs through all the ways VPNs help protect your anonymity online, while noting their limitations in certain settings.
What Is Internet Privacy, and Why Is It Important?
I'm pleased to finally be able to share something that I worked on for what felt like a lifetime: a deep dive into the "why" of internet privacy. I grappled with why online privacy is so important and debunked some common misconceptions about the topic. It's a long read but hopefully worth it!
What We’ve Been Reading
Citizen Lab: The not-so-silent type: Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers
A study by the Citizen Lab has revealed significant vulnerabilities in cloud-based pinyin keyboard apps from major vendors, allowing network eavesdroppers to potentially access users' keystrokes in transit. Despite some vendors addressing these issues, the scale of affected users, estimated at up to one billion, highlights substantial privacy risks, prompting recommendations for users to update their software and consider non-cloud-based keyboard apps.
TechCrunch: Security bugs in popular phone-tracking app iSharing exposed users’ precise locations
Popular phone-tracking app iSharing exposed users' precise locations and other personal information to anyone using the app. A security researcher was able to easily obtain the location of a TechCrunch reporter down to a few feet by exploiting the bugs, which iSharing has since fixed after being notified.
Dark Reading: MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs
MITRE Corporation, known for their ATT&CK glossary of cyberattack techniques, suffered a breach of their unclassified network through Ivanti edge device vulnerabilities exploited by foreign nation-state hackers. This incident allowed the hackers deep access for three months, exploiting two zero-day vulnerabilities in Ivanti Connect Secure and bypassing multifactor authentication, which ultimately allowed them to access sensitive research data and intellectual property.
NOEMA: We Need to Rewild the Internet
The article introduces the concept of "rewilding the internet," drawing parallels between the destructive simplification of ecosystems through monoculture forestry and the centralization and control found in today's internet infrastructure. The authors argue that just as ecological rewilding focuses on restoring natural processes and biodiversity, the internet needs a similar transformation to regain its original diversity and openness, counteracting the monopolistic control exerted by major tech companies.
WIRED: ShotSpotter Keeps Listening for Gunfire After Contracts Expire
ShotSpotter, a gunshot detection technology, continues to operate in cities like Chicago even after contracts have expired, raising concerns about surveillance and the removal of its sensors. Despite the termination of services, internal emails suggest that ShotSpotter still provides gunshot data to police, prompting debates over privacy and the company's ongoing involvement in law enforcement activities.
The Register: FBI and friends get two more years of warrantless FISA Section 702 snooping
The U.S. Senate has reauthorized Section 702 of the Foreign Intelligence Surveillance Act (FISA) for two more years, despite opposition and failed amendments aimed at curbing its scope. This extension allows broader compulsion of service providers to assist in warrantless surveillance activities, intensifying concerns over privacy and civil liberties.
The Hacker News: U.S. Imposes Visa Restrictions on 13 Linked to Commercial Spyware Misuse
The U.S. Department of State has imposed visa restrictions on 13 individuals linked to the misuse of commercial spyware, targeting a range of individuals including journalists, human rights defenders, and U.S. government personnel. This action, part of a broader effort to counter the misuse of spyware by authoritarian regimes, follows the U.S. government's recent policy to enforce visa constraints on those threatening privacy and freedom of expression, with commercial spyware being a primary concern.
38 North: What We Learned Inside a North Korean Internet Server: How Well Do You Know Your Partners?
A misconfigured North Korean Internet cloud server inadvertently provided insights into the country's animation outsourcing, revealing how foreign companies might unknowingly employ North Korean firms for IT projects, potentially breaching sanctions. This discovery underscores the challenges foreign companies face in verifying the origins of their outsourced work, highlighting the risk of inadvertently supporting operations within Pyongyang.
Ars Technica: Hackers infect users of antivirus service that delivered updates over HTTP
Hackers exploited the eScan antivirus service, which delivered updates via the insecure HTTP protocol, to infect users with malware through a man-in-the-middle attack over a span of five years. The attackers, potentially linked to North Korea, used sophisticated techniques including DLL hijacking and IP address masking to distribute the GuptiMiner malware and evade detection.
TechCrunch: The impact of TikTok’s ban in other countries could signal what’s ahead for the U.S.
On April 24, 2024, Joe Biden signed a bill requiring TikTok's owner, ByteDance, to sell the app within nine months or face a ban, prompting TikTok to prepare for a protracted legal battle. The global precedent set by other countries that have already banned TikTok due to various concerns illustrates potential challenges and impacts on ByteDance's operations, creators, and the broader creator economy, hinting at similar consequences for the U.S. should the ban proceed.
The Guardian: Lawsuit in London to allege Grindr shared users’ HIV status with ad firms
Grindr faces legal action in London's High Court from hundreds of users claiming the app shared their sensitive personal data, including HIV status, with advertising firms in violation of UK data protection laws. The lawsuit, spearheaded by the law firm Austen Hays, alleges that the data misuse affected thousands of UK users between specific periods before April 2020, with Grindr firmly denying the claims and highlighting its updated consent mechanisms.
Bloomberg: ACLU Sues NSA, Defense Department for AI Spy Program Records
The ACLU has filed a lawsuit against the NSA and other U.S. government entities for failing to disclose records concerning the use of artificial intelligence (AI) in surveillance, which the ACLU claims is essential for public understanding of their impact. The lawsuit seeks the release of various documents, including studies and reports on the effects of AI on privacy and civil liberties, amid concerns that AI technologies could amplify biases and expand surveillance capabilities more than ever before.