Europol Chief Warns About Computer Encryption

An anonymous reader writes The law enforcement lobbying campaign against encryption continues. Today it's Europol director Rob Wainwright, who is trying to make a case against encryption. "It's become perhaps the biggest problem for the police and the security service authorities in dealing with the threats from terrorism," he explained. "It's changed the very nature of counter-terrorist work from one that has been traditionally reliant on having good monitoring capability of communications to one that essentially doesn't provide that anymore." This is the same man who told the European Parliament that Europol is not going to investigate the alleged NSA hacking of the SWIFT (international bank transfer) system. The excuse he gave was not that Europol didn't know about it, because it did. Very much so. It was that there had been no formal complaint from any member state.

Oh For Crying Out Loud

Encryption isn't new so why are they crying about it now? It makes no sense unless they are trying to sneak another fast one by the rubes in the general public. Tell your elected officials to stop whining about encryption and embrace it. Also, tell them we're tired of all these invasions to our rights to privacy because of an existential threat.

No, encryption is NOT going away and you're not getting a back door. Eff off and get to work on something useful and stop playing games!

Re:Oh For Crying Out Loud

[Hadlock]

PGP isn't exactly known for being user friendly. Gmail does not support it out of the box. The average person just can't be expected to understand that kind of cryptography.
 
That said, if you encrypt the device, encrypt the transport method, and the receiving device, that's pretty damn secure in about 98% of situations. WhatsApp just rolled out end to end encryption for their service as well, and they only charge a dollar a year (I think). That's encryption the average person can use. When an 18 year old mother of two in Sao Paulo can review her grocery list with her mother via secure encryption and neither of them know they're even doing it, that's a whole new level of secure. Compare that to the plain text emails I get from my boss about what I might consider vastly more important things at the office.
 
The golden era of unencrypted plaintext email is just about dead, I think, is the problem for intelligence agencies. At least for those people outside of gleaming glass corporate offices.

Re:Oh For Crying Out Loud

[SuricouRaven]

Encryption isn't new, but tansparent on-by-default encryption is. Remember just how tech-dumb the average person is - you'd be lucky if you could get them to realise a web browser and the internet are not the same thing. Most governments weren't too worried (US aside) when encryption was something available only to the moderately skilled, especially in communications where the lowest standard has to rule*. After the NSA scandal though, companies are starting to design encryption into their products at a lower level, such that the user benefits without even having to know what encryption is.

*Would you like to explain to your mother how to use gnupg to encrypt emails?

Re:Oh For Crying Out Loud

[aaaaaaargh!]

They are crying now because some companies no longer want to cooperate with them by developing deliberately weak standards (e.g. cell phone encryption) and by providing illegal backdoors for wiretapping without warrant. So they want to be able to force them by law, which means that they need to convince politicians first.

In my pessimistic opinion, the most probable outcome of this debate is that companies will bow (again) to the authorities like they did before and provide the backdoors voluntarily, presumably in the form of vulnerabilities that are not published.

Re: Oh For Crying Out Loud

Here's a hint for the under-informed: If you don't know you're using encryption, someone else is managing your keys. If someone else is managing your keys, they can let cops, intelligence agencies, and other kinds of bad actors in without you knowing it.

Better than nothing? Sure. However, a little understanding of what it is and is not good for can go a long way, and that's exactly what must people don't have.

Your Fault

[Bob9113]

"It's changed the very nature of counter-terrorist work from one that has been traditionally reliant on having good monitoring capability of communications to one that essentially doesn't provide that anymore."

You backed us into a corner by monitoring non-suspects.

It's your fault.

Dickhead.

Re:Your Fault

[Bob9113]

I'm gonna pretend you're actually interested in the answer, but let's face it, we're really talking past each other, to our fellow Slashdotters. Thank you for smoking.

The reason for the mass move to encryption -- like Wikipedia and Google moving to default HTTPS, and people like me working on making encryption more approachable by the masses -- was the revelation that non-suspects were being monitored. That is why there is now a haystack within which to hide the needles, and that is why the encryption is now too strong for the intelligence agencies to break when we really want them to be able to.

Moreover, while I'm here, and since I want terrorists to get caught, let me add this: The solution is not increasing the level of distrust between citizens and government. The solution is restoring the reasonable, moderated, level of trust that we used to have in the executive branch. That starts with the ones who created the rift, and that is not the people who were sending all their traffic in the clear; it is the assholes who recorded it all and denied they were doing it.

Because obviously..

[Altrag]

Of course, terrorists are well known as the most law abiding citizens on the planet.

Or maybe this guy thinks the universe will just make prime numbers and whatnot stop working because he doesn't like what they can do.

Both are equally likely to produce useful counter-terrorism results.

When every citizen is a potential terrorist...

[MindPrison]

...then we have a problem with government.

Re:When every citizen is a potential terrorist...

[Zocalo]

I suspect that's actually the underlying problem for the security & intelligence services. It's not so much the fact that regular citizens are starting to use encryption that they have a problem with so much as through the use of encryption by default they're losing the ability to find the more interesting chatter by simply looking for people that are even using encryption in the first place. When your entire haystack is made out of needles, finding the few you are actually interested in becomes that many orders of magnitude harder.

Well, screw that. What they are basically saying is "make our jobs easier for us", but what they are failing to point out is that by doing so they are also leaving people exposed to everyone else that might want to eavesdrop on random communications, and in particular all those people/organizations/countries that they are meant to be securing each other against. If *you* have access to it, then so do your opponents - so the real question, and the one that really needs to be addressed, is which is the lesser of the two evils - having your nation secure from outsiders, or making the job of securing your nation against internal threats slightly easier? Given the complete failure of the security & intelligence services to demonstrate they can achieve the latter even before encryption become a big issue I'd say that's a complete no brainer.

How many people called it here?

[Thanshin]

Someone should make a query that extracts the Slashdot commentaries that have predicted this exact situation for a decade.

The prediction goes like this : "If you keep doing stupid shit like that, people will start encrypting their computers and communications to protect themselves from your unimportant shit and this will help the very few people who encrypt their computers and communications to hide serious crimes."

The more you turn everyone into a criminal, the harder it will be to find the actual criminals.

It's time to decriminalize the population, so people become once again able to distinguish between the guilty and the innocent.

Re:How many people called it here?

[Pi1grim]

But the point is not to catch real criminals, the point is to dig up dirt on anyone and everyone, so when the time is right - you could use it to your advantage.

"Don't you see it's for your own protection, and for your children, protecting all of your from pedophiles, terrorists and the scary monster in your closet. And if you don't buy this argument, then obviously you are an enemy of the state, because if you don't have anything to hide - you have nothing to fear. Oh, and don't forget - arbeit macht frei."

Snooping agencies will fight tooth and nail to keep their snooping powers because they don't give a rat's behind about the read bad muthus out there - because that's entirely different playing field, you can't go after them directly, they are well protected and shifting balance includes a lot of political play, but the smaller fishes can be caught with a wider net, and to get leverage all you need is a right to snoop on anyone at any point in time. It's too convenient to give up.

boo hoo

You are more likely to die by crossing the street, falling down the stairs, heart attack, or cancer than by terrorism.

Re:He thinks it is bad now?

[N1AK]

Rather, what actually happened is that the spy agencies watched everybody, and by and large didn't care about people who weren't throwing up red flags. If it weren't for Snowden and the Internet-fueled rage he spurred, you'd never know that you'd been investigated at all.

And if you never found the camera your neighbour installed in your bathroom you'd never know he'd been watching you and your family naked, but that probably wouldn't stop you being pretty pissed about it when you found out.

When your government begins using mass surveillance on the entire population, and does so in secret and against the protections your government tells you that you have, it should be a pretty obvious sign that you can't trust them.

There's an old saying....

[BravoZuluM]

When encryption is outlawed, only outlaws will have encryption. And the government, but then I'm being redundant.

They abused the privilege, now they pay

[msobkow]

They abused the privilege, now they pay the price. I've no sympathy for any of the intel agencies out there who've claimed they're only interested in identifying endpoints and sessions, yet now are crying about the traffic content being encrypted. Encryption simply limits CSEC, GCHQ, NSA, et. al. to the endpoint identification they said they want.

It's too late to change your mind. I use RSA2048 exchange of AES256 keys, hard coded into all my applications. If you don't have the Java export-strength encryption enabled, I don't want to bother supporting your code. You're just begging to be intercepted without export-strength encryption.

I'm tired of being snooped on. I'll take my right to privacy seriously, thanks. I don't even trust pre-generated keys for the RSA2048 server encryption -- I generate them on the fly at server startup so that even the person running the server doesn't know what the keys are.