The possible end of end-to-end encryption

A new draft bill plans to limit or reduce/disallow end-to-end encryption on websites as well as apps. Background is that Facebook among other services now "mainstreaming" E2EE.

What does it mean, if the draft takes place:

• Companies could be punished if they use E2EE in their products or websites.
• CIA etc could get your data if you use services like WhatsApp, Signal, Telegram, Facebook (assuming they are secured and that they "comply" with the new "rules" - which means work directly with them together or even remove the encryption layer).
• This is not a backdoor argument (it's clickbait in the article), but it legitimizes and allows authorizes to request and get data more quickly.
• Facebook and possible partners (one example) could read all your stuff and sell or exploit it e.g. social engineering, targeting ads or to "catch you" (in case you do criminal activities).
• Other countries could imitate / adopt / follow and also disallowing/restricting E2EE.
• The bill does not mention internet protocols, I assume future TLS versions are not affected by itself. However, downgrade attacks are under specific circumstances possible (assuming the protocol is designed to have weaknesses -> controlled by Mozilla Corp, Google, Cisco, Microsoft etc.)
• I'm unsure if that also means that services like GitHub/GitLab are then forced to remove all projects related to E2EE (it's unclear). But I assume bigger projects like VeraCrypt might be a bigger target then. It's unclear if the government can then force services to use backdoors (software weaknesses) to obtain access, this is for now speculation. I moreover assume from the context that services/hoster are forced to hand over data and that they do it only (like it already is) on request only and not all the time 24/7.

My Comment:
This is horrible news but actually I'm surprised that it took so long to put an end to it.

I mean the encryption discussion started already 30 years ago but this time it's serious because there is now a bill (which might will take place or might not). The overall problem is that politicians have no clue about encryption and other countries like EU, England, Swiss, etc might see the new draft and also trying to adopt it, which would be the end of encryption. Russia, as well as other countries already banning and blocking a lot of services (a recent example is that Putin already banned ProtonMail/VPN service - because they can't look behind it and Proton do not want to hand over the data).

Background + Article:

• A new bill could punish web platforms for using end-to-end encryption
• Congress Must Stop the Graham-Blumenthal Anti-Security Bill

 

That's pretty naive point of view.

The main argument is "because of crime reasons". So let's show an example that this also affects people that are not directly involved into any crime. Let's say your friend or a friend of a friend did some crime, planned a crime or whatnot. What the police is going to do is to analyze metadata (like his contacts which might lists you or your friend) and then you're automatically a possible crime suspect. They then watch your connection, see what you write or write in the past on social media, or forums and create a profile about you, without that you ever know. They can use the data to give it away to e.g. airports and block your flight once they scanned your ID and the monitor shows a warning. This is not unrealistic, and already happened very often to people who are not even involved into crime, they could not get into the plain because of "fear" that you might involved into something, or they want you to stay in the country. This happened to a friend which was in Boston when the bomb exploded during marathon, he was not involved in any of this.

Hacking problems:
It's also naive to think that hacker will not abuse possible encryption weaknesses to obtain data, to sell use or analyze it. If your account is hacked or someone which can read what you're doing right now on the banking page (while there is no E2EE) he might even can compromise you directly with the information.

It is the right time for panic, better now than after the draft takes place, you should now vote the correct people and hope that they have a clue to prevent it. You also could support organization like EFF, who are fighting for web security and privacy since years for us.

 

This time it's serious because there was never a draft before and as said politicians absolutely have no clue about encryption or "how the internet works". They see one aspect and that is terrorism (it worked after 911 as "fear argument" pretty well to legitimate lots of bulls**t).

Encryption is needed for various range of people:
* Whistleblower
* A normal user who do not want to automatically share his entire life with the ISP or other providers (social media, Amazon etc).
* Everyone has something to hide, this is 100% true - this is nothing negative but imagine someone exposes everything you did in the past on the www, if it's good or bad, but people and their point of views/interest might have changed already.
* Prevent hackers to steal your data or to listen into your connection to obtain critical data.
* You simply have the human right for privacy.
* and many more....

I agree that "bad people" also could abuse it to hide but just because of the actions of a view, everyone shall suffer? That's not fair.

We as voters have to act now and not when the bill already passed.

 

- Edward Snowden, Permanent Record