And now the talk, five FBI Europe. These organizations have been trying to abolish end-to-end encryption, and this talk from Erich Moechel will give us an insight into this world, describing what has been happening in the last five years, and he will also explain what will happen in the next couple of days; especially the last two months have been very intense.

I greet all of you, all of the ladies and gentlemen, so let's go right into the middle of it. You probably have noticed those pushes by the parliament to get rid of end-to-end encryption from the net again. And I have packaged this talk into several articles that I wrote, but they're over time. So let's start with something very current. There was a resolution that was not apparently non-binding or at least that's what they claimed. And it has already spawned off a new implementation law like an ordinance. So a non-binding resolution by the Commission was already put into an ordinance. So it's about a super secure encryption standard that they have turned. And it's the same all the time for the EU. There's a non-binding resolution. And there's another decision by the Council. And this is the normal process. We're at this stage in the process where already this is being tied into other legislation that is happening right now. And this is concerning the high security encryption standards and monitoring that is important for us. It is basically a reenactment of all well again.

And I want to show you today that this basically didn't come out of thin air. It was already started in 2014. And I want to refer to basically the history of it that was laid down by netzpolitik. He, Matthias Monroy, basically laid down a similar timeline with a very granular, finely detailed history of the whole affair. Whereas I want to do a high level bird's eye view over the whole process. And beginning 2014, everybody's running around like chickens. This diagram shows the network traffic. 2015. And you can see it wasn't even a third.
And before that, it was even less. So it was the leaks by Snowden, that the golden age of monitoring in the internet stopped. And the global siphoning off of data in the internet had to end. And they immediately went at it. And the encryption increased massively. And then police had a major issue because they used to take a lot of data from the telephone networks, metadata, content. They had, yeah, they basically got a decree by a lawyer by a judge and they were allowed to take anything out that they could find.

And now we're going where it started. It wasn't in Europe. It wasn't the USA. For example, the W3C, the hardening of the internet, TLS at the IETF, they've been pushing encryption back then. And in the time after Snowden, there was a bit of a break where legislation about surveillance wasn't very popular. And they basically all went at it at the same time, Europol, GCHQ, FBI directors in the USA. And another one, I'm going to talk about later. They all said we need access to encrypted communication, even including mobile phones, because we cannot do our work without it. And then there was the crypto plugin for the W3C browser was already ready. It was the foundation for the encryption on the web magnet. And 2015, there was a few EU council commissions that said we need secure encryption, which basically went the opposite direction of what the others were saying. And the EU council dealt with it in the year 2015. And they wanted to weaken encryption. And in these two years, there was this guy, and a director, Rogers, came out from the dark. And he said that there was these assassins that could not be caught because they couldn't hack the phone. And that was when the first technical problems occurred. And then it was discovered that there was this security vulnerability called FREAK that was used by the NSA. And that was used to and the detection was really embarrassing because the NSA was asking for this, which this happened.
And those of you who were part of the first crypto wars know that this was an issue back then. And if you look at these ratings, you see that this browser has supporting these technologies. And there was this old RC4 key, which was really obsolete, totally outdated, but it was still supported. And that was a really embarrassing moment for the NSA.

October 2015. Let's Encrypt was, yeah, the Let's Encrypt certificates were recognized by all major browsers. That was an enormous push against the NSA. And directly after the revelations by Snowden, Let's Encrypt has been founded. The FBI campaign that said, oh, we can't get access to the iPhone of the assassin. And they complained. Yeah, but here we are. There was the next demand to get some backdoors. And they wanted backdoor keys for all iPhones. Otherwise, it couldn't do investigations. And there was a huge vulnerability in the firewall of a device that is currently unclear. Let's Encrypt started at the end of December yesterday. So it started and here we see after a short while, with regard to encryption, 50% of Internet traffic is encrypted. With some imagination, you can imagine that those people who work at the switches who were doing the surveillance, they were really unhappy about this. There was only encrypted traffic. So they couldn't just steal the data.

2016, not that much happened, except that there was another embarrassing thing about the FBI because they locked themselves out of the iPhone that they were investigating. And so they couldn't access the data. And the first campaign that they tried was really ridiculous. But that didn't stop them. Did not stop them from continuing their demands. And now we are at the end of the first part. At the end of 2016, they tried to attack encryption or Europe. It was a concentrated campaign from the beginning and the only objective of that campaign was to push out end-to-end encryption from the Internet.
It was not possible for the Secret Services to just say we forbid end-to-end encryption. And obviously that's not possible because even they knew that they couldn't just ask for end-to-end encryption to be removed. Maybe in the 90s, but it's too late for that now. Yeah, so the investigators were rather unhappy that they couldn't access the data and netzpolitik.org reported that for the first time that remarked from the translation I did not. Yeah, okay, so they had less telephone surveillance at this point because it was not possible to obtain the data. Because now all the traffic, even in the phone lines, is encrypted or basically the phones are not used. But of course you could still get the mobile location data you could still obtain. But it wasn't like before. For that reason, the powers that typically don't like to work with each other have joined forces and published.

So this is really new, half an hour ago. So about the current plans in the council. So there has to be some possibility to get at the contents of the end-to-end encryption so that there is like a secondary key that decrypts the data. Something that is also not uncommon that it's common that happens in some companies where there is a secondary encryption key or decryption key. Because it shouldn't be that for companies that only the employee can decrypt. And that's what they demand now. And now the stream. And this is the new guideline. So they want to have a successor for the network so that the duty to report information. And the council said we're going to do a resolution. So the EU commission basically said they understood and we're going to do it. So they started and started some random measures even before the resolution was signed. And in this resolution about high-class security encryption and it seems like this was a, yeah, it wasn't a fair dealing. So with the resolution that they were proposing they're waiting for the bill.
They're not going to publish it now because it was always propelled forward by a terror act. And you can see the growth in WhatsApp over the time frame that this talk covers, from August 14 to in the 19, and more and more traffic emerged that none of them could access. And all of these surveillance measures always cover, the basic legislation about surveillance always cover telephone networks, and it didn't cover all of these over the on top services that we now use, how they, over the top, that's what they call them. Basically anything that is TCP/IP is already over the top for a telephone network.

So now we're in 2017, and this is where the direction emerges, where the council only passed the resolution now but they've been preparing it back then already. And you can see it here already: in January there is a new ETSI standard for surveillance of social networks. And ETSI, they prepared the interface for getting the data out of the social networks. They need a certain format for the surveillance, you know, to be able to process the data, so this is what standardizes it. And they've already prepared everything for transporting the data that they need for the surveillance. But it's nothing new really, this is the way it always works for surveillance in the EU frame. Basically there's always a whole host of small measures that work together to have more tools for surveillance. Basically they always use the same cover up reasoning, like terrorism or breaking down of society, in order to justify this. And this is already in the council, so it's all happened at the same time, a lot of these measures.

And at the end of 2017 they reached a state, it was the presidency of Austria at that time. The only thing I can say is that basically Austria was competing for the worst or last place with Germany. They basically only passed surveillance legislation. It was the complete agenda of the Austrians was geared toward passing more
surveillance laws. So don't feel too bad about your German politicians, ours are even worse probably. So the biggest priority was surveillance regarding Facebook. Our minister published the information, and yeah, obviously that when the news got out it was all over the media. They basically already created the interfaces, the technical interfaces, which had one small problem, basically the main one being that none of these internet companies that we're interested in never really sit in our countries. So when you want information from them, basically they have to ask the law enforcement in Ireland to pass it on to them and to coerce them to comply. So over the years this became more and more complex, and all of these surveillance standards, they became less and less usable and they became more and more complex and there were more and more requirements for that.

But in 2018 what started in 2017 finally came to pass on all layers of the EU. It started at the same time. The Austria said that it's a valent that Facebook needs to have priority over everything else. It was an e-government ordinance. And the EU was really insistent on having an agreement with the US regarding the cloud surveillance: in essence, you can have surveillance on my cloud services if you grant me surveillance on your end. More or less all of the cloud services, all US companies. So the US basically passed on the agreement and said we're just going to have our own legislation. Since all of the internet provided, so the service providers are all our companies, we can just unilaterally get that it, and they have passed a law that allows them to get data off of Facebook. It was basically out of the question that it would pass in 2018, it didn't have the time to prepare it. And now they have surveillance that transcends borders in a bill. Basically if you get an order to do it then you have six hours to comply with that. So if the Austrian government says look, we need the data, and talks to you as the
German government, then you have to comply and pass it on within a few hours. So any major law that you break should be enough. Pollution has never passed until now, so law enforcement across borders hasn't passed yet, so the Austrian children communication is still secure to agree. And then there was a lawsuit regarding, um, access to encrypting messengers with regards to Facebook, and it was about the implementation of the st e5 protocol. They look at the encryption negotiation that happens in the beginning, where you try to settle on a protocol. They send it across the Facebook server, and that's an invitation to just catch the key when it passes there.

Okay, so what does this have to do with encryption? A lot, actually. So in 2015 there was a ghc 2, um, if they could have a third key for the providers, so that if they could do the decryption for the secret services. And on the same day, and when that was revealed, there was the demand that we need this because otherwise the system will collapse, and the police said the same thing. So all of the law enforcement basically said that, and the ec said that they could of suggest a new security standard for encryption. It is a TLS 1.2 successor that can be, so, so they suggested a successor that is broken basically. But and then there was this protest because it was not a secure transfer layer, so the name was misleading of the successor. And the United States wanted to have a date exchange with itself. And then of course the terror debate came back; that were the attacks in Christchurch, New Zealand, that triggered these calls for breaking encryption. And of course the government trojans are getting more expensive.

And on the first of December 2019, the Club of Berne, no, one moment, it's the epic briefing of the ministers. And so they argued that they really need this, and they were referring to an agreement made in 2016 that they made across different institutions. And on this day there was a briefing of the Club of Berne for the
ministers, and that is the club of 26 or 27 countries with their secret services who were discussing important matters on an informal basis. Yeah, but what did they discuss or what did they say to each other?

But in February of this year there was the plague. There was a new law in the US Senate, the EARN IT Act, and that contained: if platforms are not able to identify all of the content they are hosting, then they lose the right to just say they are innocent or not involved. And that's why it was argued that end-to-end encryption should not be supported. And then there was also someone from the EU that said we need to do something against the EU, and we don't want back doors, we want front doors. That was something that was already demanded in 2015, golden keys, but it's just like new language. It's nonsense, just because there are no doors in technologies.

And the EU guys said in the council, in air quotes, um, so this is what the law says, that we need to investigate if child pornography can be identified in the data stream. And then they did a study about this and it wasn't really clear what, so you should be able to identify them according to the hashtag used in the encryption. And then the German council presidency had the idea where they, there are seven methods that they put down in a document, where they wanted to have seven properties or seven methods where you can identify encrypted traffic, but it turns out that none of them actually worked. What they did was they took the method by the GCHQ and used it completely differently, and basically a second key using it during the encryption process. And they added a lot of nonsense about child pornography and how to identify it, and it was highly misleading, and they wanted to prove that this was the only way to do it. So, so in the USA
they passed a law about accessing encrypted data for Signal and WhatsApp, and that's the same that k-hope is trying to do in Europe. It's basically, there was a choreography just like in belay. In July there was a new regulation against secure encryption, but nothing concrete has been announced yet. Basically there's a lot of pedophogging the issue, saying that the problems will increase so much that we're not going to be able to handle it. And in the USA they so much that fighting end-to-end encryption is not the name I would use anymore. It's just two weeks for that now. Maybe I missed one thing here, I don't know. It's not that it's missing. Oh, maybe I need to add one more step to this. This is where it is.

So this is a clear case of misinformation by an EU commission member. So I have a little bit of time left, let me explain this. In July she announced that several platforms need to be searched for internet for child pornography on a regular basis, including encrypted communication, because the availability and the transmission of this kind of video has exploded over the recent time. And this is the result. Yet there has been an increase, but it's not an explosion in the traffic, but rather Microsoft rolled out a software called PhotoDNA already in 2009, and it's basically a photo db with all sorts of videos lagging. Basically they marked every video and photo that they could find and gave it a hash, and they basically based their filters on that, and the filters are already running. But it only started marking up videos in 2016 because that's when they gained the capability. And that means the explosion of the pedocriminal content is more or less can be traced back to a software update. It was just not possible to find them before they were able to mark the videos. And since more and more platforms are integrating the toolbar Microsoft and check every upload against that database, yeah, so they all integrated it and more and more videos were being highlighted
as containing problematic content. That doesn't mean that the amount of video content increased, it's just that we can find more now. So yeah, I'm just clicked, sorry. Yeah, I'm back. Yeah, I have an overview over this where you can, so this was all wrong, it was all misinformation.

And then we get to the upload filters, and the ministerial council was demanding, they demanded upload filter even though they only solve a minuscule part of the issue. So they're claiming that if we can filter against terrorists on your platform then you're not being allowed to provide that service anymore. So none of this had anything to do with, if you look at the latest terror attack, basically the guy had no contact to any inciting sources on the internet, nothing on the phone, completely clean. But it was enough, so there was another bill. Within five days they got it through the council because they basically said now and never, we have to do it now. So this is basically always the same process since 2014: yeah, whenever there's a terror attack, push another piece of legislation.

So beginning of November, in that bill they reference the international statement that was published earlier. So the international statement is nothing but a declaration by the Five Eyes ministers to have a very close contact and have a continuous dialogue with them, especially with the UK regarding this matter, because the third key scheme originated within the GCHQ and was published in 2017 for the first time. And that's when I met the guy in the University of Cambridge during a talk where he was already trying to publish this and where he was saying that the law enforcement branch needs extra keys for their work. And this is what it's all about: propaganda, lies, more lies, behind the scenes agreement and a lot of theater where they brought it all together. This is more or less all I wanted to say about this in breakneck pace, but you can read it all if you go to my website. Have a look at it, 400 000 keys of
text, and there's a lot of images on it. And this is where I'm going to end my talk, and I'm really curious if there's any questions about this. If people are interested we can have a long Q and A in a different room if you want. And thank you, ladies and gentlemen, thank you for your attention.

And now let's open for questions. Yeah, Erich, thank you very much for this comprehensive explanation, and there's so much information and that's some really heavy stuff. We have some questions, and if you want to ask questions you can send them on IRC or with Twitter, rc three and then one o and e rc three one as the hashtag to ask questions.

From IRC the question: what about changing of governments? As a German I don't know changes of government.

Yeah, so this actually changed, yes. So the parties just do what they want, and so this time I have to say that they have a different approach. It wasn't like the big outcry that we need to do more, um, surveillance, no, because the thing is that they had the terrorists on the radar, they were surveilling them but they did not capture them, and that was basically the reason why it had these headlines that they just could not decrypt the information, but they were aware of the people. And they, so with that regard this was like a positive development.

So the next question from the IRC: where do you see the surveillance, or what's the surveillance going to be like within the next five years?

Okay, well, that's hard to say. I can't honestly not answer that question. So I'm doing this for 25 years and I'm reporting on, but if you know a lot of history then you can predict or extrapolate history into the future, but not that much. So more than 10 years I don't dare to make predictions. So what will happen in the next five years on the EU level is that they will repeat the demands that they, and of course there will also the counter protest from the security researchers, and it will be a long fight because the politicians and the secret
services really, really want this, and the secret services are really desperate because in earlier years they just directly tapped on the internet lines, but it's no longer possible. And they are really nostalgic about the good old times, and that's no longer the case, and that's why they want to reestablish their powers or their capabilities. But I'm already old enough to just look at this with a bit of sports spirit, and we will basically catch them whenever they have the next demand coming up. We will have an eye on the surveillance people, and we caused a lot of bad press before the whole thing took off because we're keeping an eye on the new legislation.

So thanks a lot from the IRC community, great talk. Even I have more questions, so I'm wondering why is this, how could we make this more or less effective? So the way I see it is there is end-to-end encryption, how can you actually abolish that? Because can't you just put in an extra layer of encryption on top or below which could hardly be broken?

That is true. I actually think that they are fighting and withdrawing, but it's not like they can do whatever they want. They have additional people, institutions against them. So it's because they no longer dare as to propose something like this as a single country. They basically try to push their demands as a collection of countries. And we are ourselves in a good position because there's always some way we can protect ourselves or defend ourselves, and or if they actually try to attack Signal, we don't know if they will do this, but I believe those people that just want to communicate normally, being social or maybe just do business, so I think we're not in a bad position. And the United States is also trying to attack the big corporations, so when they're really busy then, yeah, basically new demands come up slowly.

Yeah, another question from IRC: are there specific
instructions what we can do to stop this?

Public, make it public. You need to involve the people on all levels, trade associations, they're all affected and they really don't like it. Is American services or clandestine services that are really active where they didn't know exactly. It's not just the Chinese that are grabbing for trade secret, it's only the NSA claims to be so holy as to not do that, but I believe the economy isn't trusting them at all. And those are all points that we have to do this.

One thing that I took away from the crypto wars, where Anderson was really important, so basically the crypto wars 10 from 94 to 2000 and something, when we won, we were the group that really was protesting and we had a huge silent comrade. Do you know who supports us, well, where we get our money from for the conference? Basically the banksters, the banks were supporting us. Because we were really surprised, we really couldn't believe it. They were trying to get digital banking going and what they needed was secure encryption, and that's why they said it's great that there are so many banking groups because that saves us a lot of effort and time and we don't need our own astroturfing. Do you know what that is? Basically this is like a yellow union, and we're a whole group for being on the internet is actually trying to, yeah, standing for the interests of some not so public organization that has sinister motives or at least their very own agenda. So if you by any chance, we're probably not going to be perpetual friends with Google, Apple or Facebook or whoever, but if we can work along on certain issues that's actually really helpful.

Yes, what do you think of the Googles, the Amazons, the Apples? If you believe Apple, they are reputations on the line, what do you think about them? So how can we prevent them from smuggling in backdoors into our open source software?

Yeah, I'm a linguist, not a computer scientist, and I'm not qualified to answer here, but I'm
asking you to solve that problem yourself. You're the hackers, not me. I'm just, um, yeah, an apprentice at best what's regarding the IT, but I've been educated by the community and I'm really grateful for that. But I'm really sorry, I can't answer that one. It's certainly possible, a little build or something, that they poison some software, but it's not possible to do that on a large scale or to an extent where you cover most of the software. So I'm pretty sure that members of the CCC would notice pretty quickly, and I don't think this is a very persistent threat.

All right, then I think this is the end. Again, thank you very much.