Late last year, the French government was on the receiving end of a backlash when its law enforcement agencies proposed that Tor and public Wi-Fi should be banned. The government quickly retracted those proposals, saying it’s not going to do that, but now it’s coming back with a proposal that’s just as bad: banning strong encryption.
This time, the proposal is actually an amendment to the “Digital Republic” bill that was introduced in France’s lower house of Parliament by 18 politicians from the right-wing Republican party (former UMP). The whole bill will be debated this week along with over 400 amendments to it.
The amendment banning strong encryption requires “equipment manufacturers” to build in decryption capability, so when law enforcement asks the manufacturers to decrypt a device, they would be able to do so. This could be a response to recent moves by Apple and Google, who have made it so only the users can decrypt the device with their own passphrases or fingerprints.
The amendment was written with the idea that it would stop future attacks such as the recent one in Paris. However, soon after the attacks, it turned out that the Paris attackers used unencrypted SMS and phone calls, and some of them were even known to the authorities as extremists. Therefore, perhaps the reason why the attacks couldn’t be stopped can be found elsewhere.
While France has been weakening civil liberties with new surveillance and censorship laws since even before the Charlie Hebdo attack, the Dutch government recently made public its support for encryption and at the same time committed half a million euros in donations to open source encryption libraries such as OpenSSL, PolarSSL and LibreSSL.
The European Commission’s Vice-President, Andrus Ansip, recently spoke against backdoors and the weakening of encryption, arguing that the EU needs strong data protection legislation and tools to protect users’ data.
A requirement to force companies to decrypt devices would mean those devices aren’t as well protected as they could be. When the data of millions of users is protected by a single entity, then that entity becomes an important target for attackers, and it makes the data more vulnerable to attacks. This is also why it’s better to have fingerprint data stored and encrypted locally on each individual device than in a centralized database, regardless of whether it’s stored by a private company or a government.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.
This really does nothing productive other than make the public mad and their information less secure. This was partly stirred by the Paris attack (later revealed to be not involved); however, I doubt most extremists go through the trouble of encrypting data.
A perfect example of punishing the majority for the acts of a few.
Some folks like to say they have nothing to hide and don't understand all the fuss. Please invite a dozen random people on the street over to dinner, and allow them to browse through your filing cabinets and other financial documents. You might feel a little discomfort and an inability to control the situation. It's perfectly normal though, and you should just ignore it.
This should be a non-starter.
Except they aren't just talking about Google and Apple here. In fact they are probably irrelevant. But imagine if every piece of telecom equipment your message (voice, SMS, data, etc.) went through could be tapped and decrypted! They are targeting companies like Cisco that are building the backbone.
Sure, Google and Apple might not care about France and just tell people to go to Denmark to buy their Nexus or iPhone. But Cisco et al. aren't going to pull out of the market, because someone else will step in and sell French telecoms the equipment they want to build their network. Companies, especially the national telecom provider, can't and won't circumvent this law.
In fact, some enterprising handset manufacturers will step in too, with modified versions of Android that meet the French requirements just to capture the segment of the market that doesn't know and/or doesn't care but just wants a phone right now.
But honestly, anyone who seriously wants to protect their communications isn't going to rely on someone else's encryption. They are going to use their own - either apps on the phone that encrypt messages which you can copy & paste or good ol' codes and ciphers like the old days, simply transmitted via mobile phone.
Worse, such measures won't make the slightest bit of difference to catching terrorists or preventing terrorist acts, certainly not any that's Islamic related anyway. It's a stupid knee jerk reaction to a populist outcry which politicians don't have the guts to stand up against, despite the evidence already being available that it won't work. The problem we face is and has always been the nature of the religious dogma itself that supports and encourages violent thinking; meddling with how our information systems function will have no impact at all in that regard. It's sticking-plaster politics at its most ludicrous. As usual, western govts keep picking about the edges, rather than facing up to the inevitable near term confrontation which will occur if the wider Islamic community doesn't stand up and fight for a peaceful, reformed, enlightened version of what is atm an incredibly brutal belief system (they don't because they're either too afraid to speak out or they agree with the daft ideas their faith promotes); I don't know if serious reform is remotely possible, but without a doubt, our ditching basic notions of what democratic nations are built on is not going to make any difference at all.
It's sad that a Republic such as France, given its history, would be one of the first nations to consider such silly measures.
Also, as NS stated, one cannot undo the basic math that underpins encryption, so anyone can make use of the same methods from the ground up if need be, via 3rd party tools, or their own coding.
There are also the workarounds like purchasing a phone in Germany, Switzerland, or Italy, then taking it back to France. As well, this wouldn't cover the 'cloud' encrypted data. Set up a secure connection to America for example, they use 10 billion bit encryption. The French laws couldn't apply to things overseas. It's a horrible implementation/suggestion of a fix, that wouldn't even fix the problem.
Exactly; and as Google and most intelligence agencies will confirm, you don't even need the content; you need the metadata... which the French should already have,
Stewart Baker (NSA) “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” ... “We kill people based on metadata.”
They don't need the content; they need the metadata, which they already have, unless their intentions are something other than what is stated, like illegally tapping phone lines for example, which in cases like the 'silk road' incident, obviously the proper way to deal with these is by court order with a judge. Not by allowing law enforcement unrestricted access to private domain.