French Government May Ban Strong Encryption

Late last year, the French government was on the receiving end of a backlash when its law enforcement agencies proposed that Tor and public Wi-Fi should be banned. The government quickly retracted those proposals, saying it’s not going to do that, but now it’s coming back with a proposal that’s just as bad: banning strong encryption.

This time, the proposal is actually an amendment to the “Digital Republic” bill that was introduced in France’s lower house of Parliament by 18 politicians from the right-wing Republican party (former UMP). The whole bill will be debated this week along with over 400 amendments to it.

The amendment banning strong encryption requires “equipment manufacturers” to build in decryption capability, so when law enforcement asks the manufacturers to decrypt a device, they would be able to do so. This could be a response to recent moves by Apple and Google, who have made it so only the users can decrypt the device with their own passphrases or fingerprints.

The amendment was written with the idea that it would stop future attacks such as the recent one in Paris. However, soon after the attacks, it turned out that the Paris attackers used unencrypted SMS and phone calls, and some of them were even known to the authorities as extremists. Therefore, perhaps the reason the attacks couldn’t be stopped can be found elsewhere.

While France has been weakening civil liberties with new surveillance and censorship laws since even before the Charlie Hebdo attack, the Dutch government recently made public its support for encryption and at the same time committed half a million euros in donations to open source encryption libraries such as OpenSSL, PolarSSL and LibreSSL.

The European Commission’s Vice-President, Andrus Ansip, recently spoke against backdoors and the weakening of encryption, arguing that the EU needs strong data protection legislation and tools to protect users’ data.

A requirement to force companies to decrypt devices would mean those devices aren’t as well protected as they could be. When the data of millions of users is protected by a single entity, then that entity becomes an important target for attackers, and it makes the data more vulnerable to attacks. This is also why it’s better to have fingerprint data stored and encrypted locally on each individual device than in a centralized database, regardless of whether it’s stored by a private company or a government.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Gam3r01
    France no...
    This really does nothing more productive than make the public mad, and their information less secure. This was partly stirred by the Paris attack (later revealed to be not involved), however I doubt most extremists go through the trouble of encrypting data.
    A perfect example of punishing the majority for the acts of a few.
  • innocent bystander
    I hate to break it to the French (not really), but they just aren't a big enough market to influence global product development at the likes of Apple and Google. I can see any serious manufacturer just pulling out of that market rather than giving in and building in a backdoor.
  • clonazepam
    I would hand over source code to China or India just to have a crack at billions of consumers. Secure some footing in those potential markets, help it grow, and I could ignore the whimpers of hundreds of millions easily.

    Some folks like to say they have nothing to hide and don't understand all the fuss. Please invite a dozen random people on the street over to dinner, and allow them to browse through your filing cabinets and other financial documents. You might feel a little discomfort and an inability to control the situation. It's perfectly normal though, and you should just ignore it.
  • Onus
    Providing a backdoor to Government whiners is one of the reasons Blackberry is croaking.
    This should be a non-starter.
  • schultzter
    17308987 said:
    they just aren't a big enough market to influence global product development at the likes of Apple and Google.

    Except they aren't just talking about Google and Apple here. In fact they are probably irrelevant. But imagine if every piece of telecom equipment your message (voice, sms, data, etc) went through could be tapped and decrypted! They are targeting companies like Cisco that are building the backbone.

    Sure, Google and Apple might not care about France and just tell people to go to Denmark to buy their Nexus or iPhone. But Cisco et al. aren't going to pull out of the market, because someone else will step in and sell French telecoms the equipment they want to build their network. Companies, especially the national telecom provider, can't and won't circumvent this law.

    In fact, some enterprising handset manufacturers will step in too, with modified versions of Android that meet the French requirements just to capture the segment of the market that doesn't know and/or doesn't care but just wants a phone right now.

    But honestly, anyone who seriously wants to protect their communications isn't going to rely on someone else's encryption. They are going to use their own - either apps on the phone that encrypt messages which you can copy & paste or good ol' codes and ciphers like the old days, simply transmitted via mobile phone.
  • Hydrotricithline
    Meanwhile Newsflash: Banks and ecommerce fraud and hacking in France increases by 20,000 percent...
  • mapesdhs
    As New Scientist recently pointed out, banning encryption means the end of online commerce. Doing business online without it simply isn't safe or viable, and preventing ordinary people from using it has all sorts of knock-on consequences, e.g. anonymous whistle blowers within corrupt organisations, companies, and indeed governments, also people who wish to discuss distressful issues online without revealing their identity, such as spousal abuse forums.

    Worse, such measures won't make the slightest bit of difference to catching terrorists or preventing terrorist acts, certainly not any that's Islamic related anyway. It's a stupid knee jerk reaction to a populist outcry which politicians don't have the guts to stand up against, despite the evidence already being available that it won't work. The problem we face is and has always been the nature of the religious dogma itself that supports and encourages violent thinking; meddling with how our information systems function will have no impact at all in that regard. It's sticking-plaster politics at its most ludicrous. As usual, western govts keep picking about the edges, rather than facing up to the inevitable near term confrontation which will occur if the wider Islamic community doesn't stand up and fight for a peaceful, reformed, enlightened version of what is atm an incredibly brutal belief system (they don't because they're either too afraid to speak out or they agree with the daft ideas their faith promotes); I don't know if serious reform is remotely possible, but without a doubt, our ditching basic notions of what democratic nations are built on is not going to make any difference at all.

    It's sad that a Republic such as France, given its history, would be one of the first nations to consider such silly measures.

    Also, as NS stated, one cannot undo the basic math that underpins encryption, so anyone can make use of the same methods from the ground up if need be, via 3rd party tools, or their own coding.
  • Hydrotricithline
    17309830 said:
    17308987 said:
    they just aren't a big enough market to influence global product development at the likes of Apple and Google.

    Except they aren't just talking about Google and Apple here. In fact they are probably irrelevant. But imagine if every piece of telecom equipment your message (voice, sms, data, etc) went through could be tapped and decrypted! They are targeting companies like Cisco that are building the backbone.

    Sure, Google and Apple might not care about France and just tell people to go to Denmark to buy their Nexus or iPhone. But Cisco et al. aren't going to pull out of the market, because someone else will step in and sell French telecoms the equipment they want to build their network. Companies, especially the national telecom provider, can't and won't circumvent this law.

    In fact, some enterprising handset manufacturers will step in too, with modified versions of Android that meet the French requirements just to capture the segment of the market that doesn't know and/or doesn't care but just wants a phone right now.

    But honestly, anyone who seriously wants to protect their communications isn't going to rely on someone else's encryption. They are going to use their own - either apps on the phone that encrypt messages which you can copy & paste or good ol' codes and ciphers like the old days, simply transmitted via mobile phone.

    There's also the workarounds like purchasing a phone in Germany, Switzerland, or Italy, then taking it back to France. As well, this wouldn't cover the 'cloud' encrypted data. Set up a secure connection to America for example, they use 10 billion bit encryption. The French laws couldn't apply to things overseas. It's a horrible implementation/suggestion of a fix, that wouldn't even fix the problem.
  • Hydrotricithline
    17309876 said:
    As New Scientist recently pointed out in its editorial, not allowing encryption means the end of online commerce. Doing business online without it simply isn't safe or viable, and preventing ordinary people from using it has all sorts of knock-on consequences, e.g. anonymous whistle blowers within corrupt organisations, companies, and indeed governments, also people who wish to discuss distressful issues online without revealing their identity, such as spousal abuse forums.

    Worse, such measures won't make the slightest bit of difference to catching terrorists or preventing terrorist acts, certainly not any that's Islamic related anyway. It's a stupid knee jerk reaction to a populist outcry which politicians don't have the guts to stand up against, despite the evidence already being available that it won't work. The problem we face is and has always been the nature of the religious dogma itself that supports and encourages violent thinking; meddling with how our information systems function will have no impact at all in that regard. It's sticking-plaster politics at its most ludicrous. As usual, western govts keep picking about the edges, rather than facing up to the inevitable near term confrontation which will occur if the wider Islamic community doesn't stand up and fight for a peaceful, reformed, enlightened version of what is atm an incredibly brutal belief system (they don't because they're either too afraid to speak out or they agree with the daft ideas their faith promotes); I don't know if serious reform is remotely possible, but without a doubt, our ditching basic notions of what democratic nations are built on is not going to make any difference at all.

    It's sad that a Republic such as France, given its history, would be one of the first nations to consider such silly measures.

    Exactly; and as Google and most intelligence agencies will confirm, you don't even need the content; you need the metadata, which the French should already have.

    Stewart Baker (NSA): “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” ... “We kill people based on metadata.”

    They don't need the content; they need the metadata, which they already have, unless their intentions are something else than which is stated, like illegally tapping phone lines for example, which in cases like the 'silk road' incident, obviously the proper way to deal with these is by court order with a judge. Not by allowing law enforcement unrestricted access to private domain.
  • surphninja
    This is what happens when lawmakers are tech-illiterate.