End-to-end encryption under fire.

These opinions are solely mine and do not represent any affiliated organization.

In a concerning move, Europol has released a joint statement of European Police Chiefs who are advocating for governments to stop the roll-out of End-to-End Encryption (E2EE) as this will limit their ability to investigate and gather evidence of heinous crimes such as child sexual abuse, human trafficking, drug smuggling, homicides, economic crime and terrorism.

In the publication of the joint-statement, Europol Europol’s Executive Director Catherine De Bolle, stated:

Our homes are becoming more dangerous than our streets as crime is moving online. To keep our society and people safe, we need this digital environment to be secured. Tech companies have a social responsibility to develop a safer environment where law enforcement and justice can do their work. If police lose the ability to collect evidence, our society will not be able to protect people from becoming victims of crime.

There is a definite rise in digital crime against people and this needs to be stopped. I started this career as cybersecurity professional in order to help make the world a little safer and to keep malicious entities out as well as I can.

I acknowledge that with technological advances, the ability to gather evidence will change and I don't necessarily have the answer to fix this. But, I disagree with these steps against End-to-End Encryption or the inclusion of backdoors in encryption standards because they will not help us solve the underlying problem.

Instead, they will make the problem worse.

End-to-End Encryption

When we're talking about end-to-end encryption, or E2EE as I'll call it from here on out, it is referring to applications using encryption standards in such a way that only the intended recipients can read the message.

Many messaging platforms, in the past, would work in a way that would (securely) send your message to a central system, and then the other person could read it. The problem is that, while reasonably safe, this did not protect your privacy as the provider could (theoretically) read all the messages you've sent, as shown in the graph below.

So, with advances in technology, privacy laws and consumer requirements, came new security methods including "End-to-End Encryption". This method is based around the idea that only the sender and receiver should be able to decrypt the message as this will ensure that it is private.

Many historical systems and tools have been used on this principle; though admittedly not in the level of complexity we see today. If the encryption standard is secure and implemented correctly, you can ensure that data integrity and confidentiality is maintained throughout the process even if you send the encrypted file to another person.

While the complexity of these type of solutions transcend this article, it is important to realize that your privacy online, especially on applications like WhatsApp, Telegram, Signal and others, is stronger if we remove the middleman from the interaction and instead embrace E2EE.

Is this news a one-time thing or not?

Unfortunately not. In the early 1990s the NSA severely restricted encryption standards for a while by considering strong encryption standards to be akin to digital ammunition that must be controlled. (https://archive.epic.org/crypto/ban/).

In the following years, we have seen a global rise in political figures trying to advocate changes in encryption standards and technologies to allow law enforcement to have access via a backdoor, in order to do their job at protecting people. And granted, with the adoption of stronger encryption standards and security measures it becomes harder for law enforcement to do their job in the traditional sense. It is therefore not strange that an organization like Europol would have an interest in changing how encryption works in the wild.

A handful of examples where this topic has come up in the world:

• In 2016, news was posted that the FBI was looking for a method to decrypt a phone owned by a mass murderer by demanding that Apple created a decryption device. ( https://www.theguardian.com/technology/2016/feb/24/the-fbi-wants-a-backdoor-only-it-can-use-but-wanting-it-doesnt-make-it-possible ).
• In 2020, the EARN IT act was proposed in the United States that would weaken the use of encryption so that law enforcement could use a warrant to gain access to devices and communication services. ( https://www.cnbc.com/2020/06/24/gop-senators-introduce-bill-that-would-create-a-backdoor-for-encryption.html )
• In 2021, the Internet Society did a review of the UK Online Safety Bill. This bill actively discourages end-to-end encryption and puts increasingly high pressure on providers to build in decryption methods. The review's conclusions are firmly against changes to encryption standards. ( https://www.internetsociety.org/resources/doc/2022/iib-encryption-uk-online-safety-bill/ )
• In 2021, the Australian Criminal Intelligence Commission (ACIC) stated that law-abiding citizens have no need for encryption; as the platforms are mainly used by "serious and organised crime groups", displaying a gross misunderstanding of the technology. (https://www.zdnet.com/article/acic-believes-theres-no-legitimate-reason-to-use-an-encrypted-communication-platform/)
• On 19 October 2023, French Interior Minister Gerald Darmanin brought up the topic again, trying to argue that backdoors were needed. (https://www.lemonde.fr/en/pixels/article/2023/10/26/encryption-backdoors-an-unenforceable-yet-recurring-political-objective_6203950_13.html)

A challenge with these bills is that these are often put forward by people who have insufficient understanding of the technology and the implications if we were to change those encryption standards. The sponsors of these bills often refer to the most heinous of crimes, such as child pornography, to push the bill by appealing to our collective disgust for such crimes

Do I really want to trust people in power who don't understand the topic?

It is a bad idea, but why?

Lets start with the elephant in the room. Breaking encryption and building backdoors into cryptographic tools will not stop organized crime online.

Why? Because every criminal organization that is targeted by this type of move will just move towards more obscure applications or build their own without a backdoor inside of it. They don't have the same moral framework as the rest of us, resulting in a constant battle for access with more far reaching control of law enforcement. This turns this into a game of digital whack-a-mole with the privacy and security of "law-abiding citizens" as the collateral damage.

Backdoors can be exploited.

A second reason why this is a terrible idea is that every backdoor is eventually found by someone. State-sponsored actors are constantly searching for new zero-day vulnerabilities to be able to exploit them to fulfill their objectives. A backdoor into existing communication protocols would be a goldmine for them to gain access to sensitive information; including the private political conversations that these advocates of legislation may have.

Does this turn into a Surveillance State?

Thirdly, a consideration is that this easily spirals into a full-blown surveillance state in the hands of the wrong governments. History has shown that some countries would be happy to use tools like this to establish total control over their population. This rises a series of questions:

1. Who is responsible for maintaining this backdoor?
2. Is that backdoor accessible by one government only?
3. Can another government across the globe gain access to your data without legitimate reason?
4. How about journalistic freedom to report news and be independent? If communications can be read, how do we prevent a less ethical governments from destroying press freedom to establish control?
5. What happens with the data observed via this backdoor?
6. What stops a government from abusing this access by circumventing legal restrictions?

These questions are the tip of the iceberg. In the end, we see countries such as Russia, China, Iran, North Korea and others to actively implement measures to monitor their population beyond the scope of preventing crime. These same countries are increasingly active in cyber warfare to gain access to sensitive information, and often these countries don't have the same ethical and moral guidelines as we do. Do we want those type of governments to have unfettered access to communications?

As such, I think a lot of political leaders don't understand what they are asking when they raise bills that weaken E2EE or other security measures.

Personal Privacy

There are many personal situations where I wouldn't want to have someone able to look at my conversations without my approval. No one needs to know that you enjoy a spicy evening with your partner even if you're half way across the country, or that you have a fantastic new business idea but want to keep it on the down low until the name is registered.

By removing protection mechanisms as suggested by Europol, or undermining them as suggested by multiple political leaders, we effectively give up personal privacy as a society to deal with a (relatively small) number of people abusing others.

I think that is unacceptable; we can not keep trading privacy for security without there being an end to that exchange.

Conclusion

Political leadership and law enforcement would love to have more access to data sources and while I understand the desire to do this from a security perspective, it must not come at the expense of security and privacy of data.

Any measure taken that weakens the security and privacy of communications will both force organized crime to use more obscure methods to communicate, at the expense of law-abiding citizens, while simultaneously offering these same citizens up on a silver platter as the new criminal goldmine that these organizations can exploit.

I'd like to pose the following question to you, as reader:

If we sacrifice our privacy, security and constitutional right to confidential communications for the purpose of fighting crime, does that justify the goal? Or do we sacrifice more than we get in return?

I think these suggestions do not justify the goal and that such a change is too large a sacrifice. Especially if we consider that there are still nations out there that actively protect and shelter cyber criminals within their borders.