We are excited to share that we are set to begin a new chapter with Dropbox, Inc. Dropbox is acquiring our IP technology to embed natively into the Dropbox product, bringing end-to-end, zero-knowledge encryption to millions of business customers around the world. Check out our blog to find out more!

End-to-End Encryption With Backdoor – These Are The EU's Plans

End-to-End Encryption With Backdoor – These Are The EU's Plans

Team of authors: Lisa Figas and Christian Olbrich

The EU Commission, the Council of the European Union, and also the spy alliance Five Eyes write that they are seeking an active discussion with the technology industry to jointly figure out how to technically realize “security through end-to-end encryption and security despite end-to-end encryption.”

For this reason, we took a look at the state of the discussion and evaluate the current proposals for mitigating end-to-end encryption.

What Is Crypto Wars?

The discussion about backdoors for end-to-end encryption has flared up with renewed force. The reason is the EU Commission's efforts to grant law enforcement agencies access to encrypted chat messages (and other number-independent services). This is justified with the fight against terrorism and the protection of children.
The keyword Crypto Wars summarizes a few political efforts that have existed for many years at the national and international level. What they all have in common is that separate access points are to be set up for law enforcement agencies to enable the investigation of encrypted messages.

Good to know: A good summary of the Crypto Wars is provided by Eric Geller: A complete guide to the new ‘Crypto Wars’. It's also worth checking out the hashtag #CryptoWars on Twitter if you want to stay up to date with the latest developments.

Is the European Union Planning To Abolish End-to-End Encryption?

The discussion about undermining end-to-end encryption gained new momentum after the terrorist attack in Vienna in November 2020. Although it was already clear shortly after the murders that authority failures had a significant impact on the perpetrator's ability to obtain a weapon, Austrian Chancellor Kurz and French President Macron agreed to push the issue of chat searches back up the European Union agenda. And successfully: already on November 24 — 22 days after the attack in Vienna — the Council of the European Union published a resolution entitled “Security through encryption and security despite encryption”.

For the EU Commission, the Commissioner for Home Affairs, Ilva Johansson, in particular, is pushing the issue of online searches. She is focusing on the protection of children and wants the major network operators, such as Facebook, Microsoft, and Google, to screen messages sent searching for abuse. To that end, end-to-end encrypted messages will be opened using a master key and the information contained will be checked against a database. This practice already existed until December 2020, when an amendment to the ePrivacy Regulation came into force that prohibits such matching. Johansson is now fighting to soften data protection again to make the search legally and technically possible. Privacy groups criticize this plan.

What Technical Solutions Are Currently Being Discussed?

In December 2020, an EU paper titled “Technical solutions to detect child sexual abuse in end-to-end encrypted communications” came to light. This paper discusses 10 different methods to enable monitoring of encrypted communications by law enforcement agencies.

The goal is to examine the messages sent to determine if illegal material is being sent. A database containing the hash values of known material displaying child abuse is used to match the information. The material in the database comes from previous proceedings and investigations against pedophiles.

End-to-End Encryption, Hashes, and Security

The EU paper often talks about end-to-end encryption. However, we would like to question this. The authors seem to take the view that it is automatically end-to-end encryption as soon as a true E2EE protocol is part of the overall protocol. We take a different view in the case of the described methods since in addition to the end-to-end encrypted files, the meta-data of the respective file is also transmitted (described as hashes in the paper). However, the variant of verification by artificial intelligence is excluded from this. But more on this later.

“True” End-to-End Encryption

The requirements for end-to-end encryption are formally met using a corresponding protocol. However, this is not sufficient in practice.
The definition of cryptographic hashes states that the hash algorithm is considered broken and worthless should two different files with the same hash value be found. For practical application, this means that it is hard to find a second record with the same fingerprint. If the system finds a hash value that is already known, it is practically certain that it is the same source file.

Scenario: Let’s imagine a protocol where the end-to-end encrypted message is transmitted together with the plaintext. So, the encryption itself still meets the end-to-end standard. The protocol, with the plaintext attached, is the problem. Would you seriously still call such a system end-to-end encryption? No, of course not. It follows that: The meta-data must not undermine the security of an E2EE system.

4 Approaches to Screening End-to-End Encrypted Messages

The EU paper “Technical solutions to detect child sexual abuse in end-to-end encrypted communications” lists 4 approaches that deserve a closer look. We will not consider the obvious solutions such as (a) not using encryption at all or (b) using encryption only in transit.

Technical solutions to detect child sexual abuse in end-to-end encrypted communications

Hashes the Data on the Client (1a)

__ This is how it works __: In the all detection done on-device variant, hashes of the data are created on the user's device and checked there against the hashes of known illegal files from the database. This is possible because the database contains a greatly reduced amount of data, since only fingerprints of data are stored here – not the data itself.

Our evaluation: The approach is the safest for users. The reason is that when legal files are sent, no data (or hashes of data) are sent to third parties. The moment illegal content is detected, the data is transmitted as evidence in plain text. False positive messages can be excluded, as explained above.

The only protocol-specific weakness is the list management of prohibited content. On this point, users would have to trust the provider of the network and the operators of the database to the effect that only illegal content is searched for. Technically, such a protocol would lay the foundation for searching for all possible content.

Conclusion: With this variant, we can still speak of true end-to-end encryption. This is because there is only a check before the message is transmitted to determine whether the data is permissible for end-to-end encrypted transmission. However, the authors draw attention here to the problem that this solution can easily be circumvented by criminals. The security is therefore rated as low.

Hashes the Data on One or More Servers (1b, 1c, 3a)

This is how it works: In these proposed solutions, a hash comparison is also made with the database before or during the encrypted file is sent. However, this does not take place on the user's device, but on one or more external servers.
Our evaluation: Approaches 1b, 1c, and 3a all have in common that a hash value of the data is transmitted to the operator of the transmission network used (e.g. chat app). The operator then compares the data with the database of known illegal content. The problem is that the hashes can also be used to check the identity of messages that contain legal content.

Example: If I have a form with a single input field, fill it out, and calculate a hash for it, then the transmission platform operator can generate the same form with all possible input values and also calculate a fingerprint from each generated file. Now, to find out what is in my encrypted document, all that needs to be done is to check which fingerprints match.

This means that not all documents are protected efficiently, and it is no longer easy for users to find out which files have been transmitted securely and which files are completely insecure despite encryption.

Conclusion: In our opinion, one can no longer speak of end-to-end encryption with these proposals because the sending of the hashes represents an integral part of the protocol, and as already mentioned, the complete contents of the encrypted file can be partially inferred by sending the hashes.

Hashes the Data on One or More Trusted Independent Servers (2a, 2b, 2c)

This is how it works: These variants use the same system as mentioned in variant 2 (hashing the data on one or more servers). However, the matching of the hashes does not take place at the operator's site, but at another, independent site.

Our evaluation: The idea here is not to leave the verification of the hashes to the operator of the platform itself, but to assign this process to other providers. The approach of having several servers each check only a portion of the hash is also being discussed. However, the basic problem remains the same, it just shifts. In this variant, the platform operator no longer must be trusted, but other parties do. The approach of sharing the hash makes the process more secure. Nevertheless, one or more external sources must be trusted.

Conclusion: As with the previous variant, it is theoretically physically possible for third parties (besides the sender and the recipient) to draw conclusions about the content of the transmitted data. Thus, this approach also does not fulfill the security guarantees of true end-to-end encryption.

Detecting Illegal Content Using AI on the Client (1d)

This is how it works: An artificial intelligence algorithm evaluates the data before it is encrypted on the client as legal or illegal.

Our evaluation: AI is susceptible to "false positives." By this is meant that content might be recognized as illegal, although it is not. Accordingly, using such a system is like playing Russian roulette. One can never know what data will be falsely detected, and consequently transmitted in plain text to the service provider.

Conclusion: This approach does not meet the security requirements for data worth protecting.

For the “Active Debate With the Technology Industry” We Are Gladly Available

We have the crypto experts who know end-to-end encryption, and we have the trust of hundreds of thousands of users. We are happy to engage with the EU Commission to contribute with our know-how to make the European Union a cybersecurity zone. For the "active discussion with the technology industry" (as stated in the paper), we are gladly available.

What Speaks Against the Weakening of End-to-End Encryption

The "solutions" currently being discussed at the EU level represent a profound intervention in end-to-end encryption protocols. Technically, the proposals are all implementable, there is no doubt about that. But the significance of such serious changes cannot be overstated.

First the Little Finger, Then the Whole Hand

Softening end-to-end encryption for the prosecution of certain criminal acts (child abuse depictions) clears the way for an expansion of powers toward other crimes. The protection of children is being used as leverage to remove inhibitions to mass surveillance. This must be prevented at all costs.

The Toolbox for Autocrats Must Remain As Small as Possible

How quickly democracies falter has been observed recently, both worldwide and within the European Union. Even if no one is currently aiming for total surveillance of all EU citizens, looking at the contents of private messages is a powerful tool that can be used to cause great damage in the future. History teaches us that it is wiser not to create such a tool in the first place.

Criminals Are Switching to Other Networks

Those with criminal energy and who want to hide their messages from law enforcement can set up their own end-to-end encrypted communication channels with little effort. These networks would then remain just as hidden from the eyes of the authorities as the encrypted messages that are currently being sent. There is nothing to be gained here. But normal citizens who neither commit crimes nor have technical know-how are then forced to communicate via insecure networks.

Cybersecurity Must Have Top Priority

For many years now, we have been experiencing ever new cyber threats. From personal information being spied on to entire corporations being forced to shut down, there are numerous threats we face. Creating additional backdoors from the government side seems to be a risky endeavor in this situation. We demand: No playing with fire.

Partager cet article

Articles similaires


Our New Chapter with Dropbox: What Boxcryptor Users Need to Know

Last week we already announced that we sold important technology assets to Dropbox. What our customers need to know now, we explain in detail here.


A letter from our Founders: We’re joining Dropbox!

Almost 12 years ago, we set out to make complex security solutions easy to use. Now we are excited to share that we are set to begin a new chapter with Dropbox, Inc.

Dummies Book Cover and Back

CLOSED We Celebrate Our Book Release: Your Chance to Win

We have published our first book to get even more people excited about the cloud and data security. Celebrating the official launch, you can win printes copies and Boxcryptor licenses in our raffle. Read about the details in our blog post.