
European Union dedicated questionnaire on the Encryption of Data - type0
https://blog.lukaszolejnik.com/european-union-wants-to-regulate-cryptography/
======
pbininda
I find the German answers [1] surprisingly reasonable.

High Five for the final answer:

> 11\. Are there other issues that you would like to raise in relation to
> encryption and the possible approach to these issues? Please share any
> relevant national experience or considerations arising from your practice
> that need to be taken into account.

> Yes. A regulation to prohibit or to weaken encryption for telecommunication
> and digital services has to be ruled out, in order to protect privacy and
> business secrets.

Go Germany!

[1]
[https://www.asktheeu.org/en/request/3347/response/11727/atta...](https://www.asktheeu.org/en/request/3347/response/11727/attach/html/6/Encryption%20questionnaire%20DE.pdf.html)

~~~
hannob
I come from Germany. The situation is complicated. The responsible politicians
tend to make statements that are contradicting or don't make any sense. There
have been multiple statements that at least could be interpreted as supportive
of encryption regulation. On one occasion there was a joint statement by the
French and German ministers of interior - with the slight problem that the
French and German versions of the statement were different.

Recently they created a new institution supposed to help decrypting messages.
They never explained what that actually means. (I mean you simply _can't_
decrypt properly designed crypto systems.)

Germany isn't the privacy paradise that some people in the international
debates sometimes like to see in it.

~~~
grey-area
On the other hand, it has a larger constituency in government who oppose
undermining encryption than most other western nations and a good negative
example in the recent past (the Stasi). Just look at the recent legislation
passed in the UK, and the statements of Theresa May on encryption or the
recent lawsuits by the FBI against Apple. It may be our best hope in stopping
legislation mandating backdoors to encryption, which would damage everyone.

~~~
Barrin92
The most important difference is the parliamentary sovereignty of the UK. The
biggest protector of privacy here in Germany is the constitution, and the
Constitutional court rules fairly assertively on issues of privacy and civil
rights, so what PMs do or don't do is not that important.

The UK has no such safeguard due to governmental structure.

------
detaro
Surprisingly interesting content for the clickbaity headline: Some excerpts
from a questionnaire about how law enforcement deals with encryption answered
by various EU governments, with esp. Poland calling for backdoors or weakened
encryption.

The full answers are here:
[https://www.asktheeu.org/en/request/input_provided_by_ms_on_...](https://www.asktheeu.org/en/request/input_provided_by_ms_on_question)

~~~
pducks32
Poland...calling for weakened encryption and backdoors. Students are going to
be so confused when they see that 4 chapters after WWII in their history
books.

~~~
idlewords
Poland broke codes during WWII, wants to break codes now. No changes here!

------
pmontra
Smart criminals will use strong encryption anyway and won't give the passwords
to law enforcement both for data at rest and sent over the Internet.

I'm encrypting my disk now, but I'll give the password to police if they have
a search warrant. I'm encrypting so if somebody steals my computer they won't
read my data. I think that almost everybody is like me.

Weakening that encryption doesn't help me and doesn't help investigators.
Sure, seeing strong encryption over the wire will ring alarms and identify
sender and recipient. That works if they actually decrypt all the data sent
over the Internet. The workaround for the tenacious criminals will be
steganography. Narrower band but good enough in most cases. All that effort
and damage to honest citizens for nothing.

~~~
fuzzy2
> but I'll give the password to police if they have a search warrant.

That’s not right. In most countries, you don’t need to incriminate yourself.
Before making wrongheaded decisions, contact a lawyer.

~~~
loup-vaillant
On the other hand, not giving your password right away may be interpreted as
an indication that you have something to hide (which you inevitably do), and
they may tag you for even further scrutiny.

Also, UK: don't give your password, go to prison. Indefinitely.

~~~
stale2002
What about plausible deniability keys? 1 password hides the real stuff, and
the second one that you give to the police just gives them access to your porn
collection (which someone very well might want to hide!).

~~~
semi-extrinsic
Well, they don't matter wrt. the law. Either the prosecution is convinced you
gave up all the keys (you win), or they believe you gave them a key that was
just a distraction and they throw you in jail unless you give them the other
key (you lose).

~~~
stale2002
How do you prove yourself innocent then? You did give them the keys.

The point is that you look exactly the same as an innocent person.

You are taking the only possible pathway to being proved innocent.

It'd be like if I were to say "It doesn't matter what you do. The police are
corrupt anyway, and will take you out back and shoot you no matter what.
Guilty or innocent, if you get accused of a crime, you are dead."

And if they are going to lock you up no matter what, then you may as well use
multiple plausible deniability keys. As you said, it doesn't matter what you
do, the outcome stays the same.

~~~
semi-extrinsic
> How do you prove yourself innocent then? You did give them the keys.

Well, prosecution needs to have a legally convincing argument that indicates
it is likely you have another encrypted partition you're not giving up keys
to.

In fact, the situation is no different from this: say you're a murder suspect
and a neighbour saw you carrying several large heavy sacks into your car and
you drove away. Say what really happened is that you went and buried some bags
of toxic waste in some location, and then went and buried a dead body in
another location. When asked by prosecution, you confess to burying toxic
waste and tell them where. The rest of the outcome of the trial depends
entirely on whether you've successfully convinced them that you just buried
the toxic waste.

~~~
stale2002
That's fine, but your argument is effectively that you are screwed no matter
what.

If you are truly innocent, the prosecution might claim "oh they have extra
keys that they haven't given up", and there is nothing you can do to prove
them wrong.

~~~
semi-extrinsic
Like jbg said in another comment here, the legal system doesn't work that way,
where the prosecution can claim you did stuff and you have to disprove the
claim. The burden of proof is on the prosecution.

~~~
stale2002
So you are agreeing with me that this tactic of plausible deniability with
multiple encryption keys works then?

Which is it? Does encryption allow you to hide from the law, or can innocent
people just be proclaimed that they are hiding something and that they have to
give up keys that don't exist?

It is one or the other, because encryption plus multiple keys makes you
'indistinguishable' from an innocent person who truly cannot give you a key
that doesn't exist.

~~~
caf
You're proposing a false dichotomy.

The tactic might work, but how well it would work would depend on what other
evidence was presented that you _do_ have another encrypted area. For example,
if they analyse the partition you gave them the key to and show that it hasn't
been booted in 18 months; they cross-reference the cached DHCP leases with the
times you were known to have been online using that machine and find
discrepancies; they might even have secretly imaged your disk a month earlier
and show that a large amount of supposedly free space has changed content in
the meantime.

(Maybe they even have you recorded telling someone that you have a second
encrypted area on the machine.)

If there's _no_ such evidence, then it ought to be pretty hard to convict you.

------
kenoph
Killer use of Caps Lock and broken English. Proud of my country. On a serious
note, I really do hope that we won't follow USA steps this time. But I'm
afraid that the average person doesn't really care for or understand
cryptography. Maybe a dickpic approach à la John Oliver could be useful as a
way to raise awareness on the matter.

~~~
ferongr
We don't need inflammatory personas like John Oliver in Europe.

~~~
musha68k
What can a "hacker" possibly have against John Oliver? He and his team were
the most effective drivers for stronger Net Neutrality policies in the US.

The man is a living legend.

Edit: 12 million views on the abstract topic of Net Neutrality.

That's what I would call a feat indeed:

[https://youtu.be/fpbOEoRrHyU](https://youtu.be/fpbOEoRrHyU)

~~~
kenoph
Well I'm sure some people lost the respect for the guy after he jumped on the
"vote for Hillary" bandwagon. But yeah, things like the Snowden interview, Net
Neutrality and some other episodes are simply brilliant.

~~~
spdy
And he was right there is no 3rd option in the US election system.

~~~
musha68k
_Exactly_, time to move on now that fake choice #2 _won_ the election.

Almost comical how easily and predictably we stay on track in terms of bread
and circuses politics/media - _almost_ comical - if it weren't all real and
there wouldn't be far reaching and dire consequences.

Let's not get played but stick together FFS.

------
catexception
Regulation of cryptography can help investigations but regulation is still a
bad idea. A good explanation is something that my ethics professor said. It
was something along the lines of "If a pen was used to write orders for the
army to start WW2, should pens be banned?". The war would probably have happened
anyway even if pens were banned/regulated and it is certainly not the cause of
the war. Cryptography is very similar: even if it would have been regulated,
criminality will not just vanish.

------
guard-of-terra
You don't need to take on cryptography to fight cybercrime. Cybercrime usually
leaves huge trail of evidence. Usually in form of lost money (transactions)
and bricked devices.

Fighting cybercrime has different obstacles: it's usually cross-border, and
its victims are usually common people. Nobody cares terribly much when a
commoner loses $100. Even when there's a thousand of them.

What you need to take on cryptography, is "to snoop". Why would you need that,
huh?

~~~
Zigurd
> _Usually in form of lost money (transactions) and bricked devices._

This is precisely why law enforcement doesn't need to weaken encryption nor
weaken the rights of suspects and defendants. If there is a material crime,
that crime has left a trail of evidence in the real world, especially a money
trail.

And if you think Leviathan needs unbounded powers or you'll be left as a tasty
morsel in the state of nature, physics has always bounded state power, and
injustices happen when state power is pushed beyond natural bounds.

------
wiz21c
Can anybody point to organized lobbying efforts we can support to maintain all
of this as far away as possible from Europe? My country has refused to give
the answers citing security reasons (according to the article).

~~~
lucb1e
In the Netherlands we have Bits of Freedom, they are mentioned in the article:

> Thanks to Bits of Freedom, those answers are now public. That's called
> transparency.

Another Dutch one I know is Privacy First. When elections come up we always
have a vote advice website which is quite popular. You enter your opinion on
some current topics (old example: joint strike fighter funding: continue or
not?) and it computes which party's goals align the most. Privacy First had an
interesting take on this: they looked at what parties pushed for _in the past_
and matched that with what you would have wanted (focusing on privacy-related
topics of course). Not looking at promises but at track record. Privacy First
probably does other stuff as well, just like BoF, but I don't keep up.

I don't know about other countries unfortunately.

------
pstch
What is freedom of information if countries can decide on their own whether
they will release their answers or not? It is disappointing that rebuttals to
information requests do not have to go through any judicial system.

------
matthewaveryusa
I think this shows the state of our intel community. They've been focused on
wide-net operations. If a target is high enough of an asset, why not go the
easiest route of installing booby-trapped login screens, hardware keyloggers
and what not? It's the easiest and most effective way to spy on someone (I'm
sure they already do this.) This is all a ploy to spy on citizens. Period.

~~~
caf
You can probably read into this that their political masters are asking
questions like _"why can't you tell us who these 'lone-wolves' are before
they attack?"_.

~~~
matthewaveryusa
That's a good point, but I don't think the tools used to aggregate and analyze
all this data are sharp enough to find the needle of a lone wolf in such a
large haystack that's the internet. The signal-to-noise on the internet is
ridiculously low. Then again, I may be wrong.

------
devoply
Strong crypto is the only crypto. Everything else is an imposter.

------
alkonaut
If maths is outlawed only outlaws will have maths!

------
lgeek
I've collated the answers to some of the questions:

* How often do you encounter encryption? The most common answer is 'often'. Germany does not collect this statistic. Czech Republic and Hungary: 'rarely', Latvia has both 'often' and 'almost always' in bold, UK 'almost always'.

* Online encryption: most common one is e-comms (everywhere but Italy), followed by TOR (everywhere but Hungary and Poland). Denmark, Finland, Germany and the UK reported encountering all types of encryption on the form.

* Offline encryption: it's not very clear what is an encrypted device (it includes computers) and what is an encrypting application (they give disk encryption tools as examples), but all countries except Poland selected devices and all countries except Italy selected applications

* It sounds like the accused can only be compelled to disclose passwords or keys in the UK, but Italian LE would also like that very much, despite having reported that 'the current national law allows sufficiently effective securing of e-evidence when encrypted'.

* In Croatia, Latvia and Poland they consider that the current national laws don't allow effective securing of encrypted evidence. The answer to this question is not available for Czech Republic and the UK.

A few other interesting things I've noticed:

Croatia: 'There is no practical experience' regarding 'intercepting/monitoring
encrypted data flow'; 'Tools for decryption are used in less complex case
[...]. Foreign companies’ services were not used so far.'

Czech Republic: 'Additional intentional encryption is quite rare in most cases
although encrypted mobile phones are more and more popular among members of
certain organized crime groups.'

Denmark: 'The main issue with trying to decrypt encrypted data is of a
technical nature. Furthermore the equipment needed to break encryption is
costly and the process itself takes a lot of time.'; 'In general terms, we can
inform you that commercial software is among the tools used to decrypt data';
'Decryption typically requires large hardware resources (processing power) as
the encryption offered by service providers is very strong.'

Estonia: 'The main problem is that communication or data are encrypted and if
key is not available, it is not possible to decrypt them.'

Finland: 'In case of full-disk encryption, which is rare, we have to either
use brute force attacks, or try to obtain the credentials some other way'; 'We
do not usually use private sector companies for decryption purposes, but of
course a large part of the software/hardware used are commercial products';
'Wireless criminal intelligence gathering can be challenging, because the LE
sector has limited legal rights to gather for example WIFI data'; 'Sometimes
insufficient computational capacity of our password-breaking platforms make
the decrypting process too lengthy'; In general they talk about C&C servers
for botnets quite a lot.

Germany: Regarding intercepted encrypted comms: 'In many cases, analysis of
actual communication content is not feasible.', 'A regulation to prohibit or
to weaken encryption for telecommunication and digital services has to be
ruled out, in order to protect privacy and business secrets.'

Hungary: it sounds like they gave the form to the wrong dept? 'Our unit is not
dealing with decryption, therefore we do not have any practical experience in
this field.', 'Our unit is not dealing with such techniques.'

Italy: covered in the OP

Latvia: 'LV sees as clear added value of EC3’s encryption/decryption platform;
LV also highly values the availability of the Europol Platform for Experts.';

Poland: mostly covered in the OP, I'll add 'The specialised computers (GPU
clasters[sic]) which can decrypt encrypted e-evidences are very expensive.'

UK: It reads like a polished PR piece, at least relative to the others.
Provides non-answers. It's probably worth taking a closer look. For example to
'Under your national law, is it possible to intercept/monitor encrypted data
flow to obtain decrypted data for the purposes of criminal proceeding?' they
responded with 'Section 17 of the Regulation of Investigatory Powers Act 2000
prevents intercepted material from being used as evidence in legal
proceedings.', which doesn't actually answer the question.

------
jb613
"wants to regulate cryptography"??? - I suggest it's already in place. For
example, if you wish to create crypto software or hardware (or in some cases
even simply importing a crypto library) - for 2 sides to communicate requires
sharing either the source, software binaries, or hardware itself - and if 1 of
those is outside of the country then obviously export and/or import of the
source/sw/hw occurs and therefore crypto controls come into effect.

------
Mesfehr
Still, the ALL CAPS LOCK answer by Italy rocks.

~~~
andybak
It's a worrying testament to technical literacy of whoever compiled the
answers.

------
Qlarto
lol
[https://twitter.com/lukOlejnik/status/801498851957993474](https://twitter.com/lukOlejnik/status/801498851957993474)

