Why Encryption Matters And How To Protect It Right Now
This is a post that outlines why I think encryption in important, why it's under threat in Europe and what you can do about it.
For a few weeks now I've wanted to write a blog post that lays out most of the important developments in the fight to protect strong encryption (end-to-end encryption, or E2EE) in Europe. I wanted this post to have links to news stories that have deeply troubled me when it comes to online privacy, to outline what the current threats to encryption and secure communication are in Europe and to give people concerned by this topic practical advice as to what they can do.
This post is in three parts as follows:
- Why Secure Communication Is Important
- Why Is Secure Communication Under Threat In The European Union?
- What You Can Do
You can skip to whatever part interests you most as this post is quite long. I mostly wrote this all to get it out of my mind and to have a post I can easily reference news stories if I ever need to share them when I inevitably end up talking to someone about this in public. I hope you learn something from this rambling post. There is very little to no mainstream media coverage on this topic. Despite this, I want anyone reading this to feel like there is still hope; that after reading this anyone can influence this unfolding story and help keep secure communication safe in Europe and elsewhere.
Why secure communication is important
For decades, our individual rights in Europe have been held for granted. We mostly live in open, free societies and rarely need to worry about any government agency coming down on us for any reason. This has lead many people, myself included, to become complacent in guarding our basic civil rights to privacy.
Discussions and blog posts about the end of secure encrypted messaging might also seem wander to exaggerated hypothetical scenarios and hyperbole. For this reason, I want to share some news stories that report actual events within Western countries to show what is at stake. This is not an issue that relies only on some principled stance or somewhat vague notions of not wanting to feel watched. If we see the end of the mass adoption of strong encryption, it will impact the lives of innocent individuals. People will be affected in ways that some of these news stories can give us glimpses of, yet the greatest danger lies in what we can only guess at. What kinds of false positives, unintended consequences and data breaches are in store for us if we don't act now?
It is good to keep in mind that these are only reports of known instances where privacy violations have had life-altering effects on people. I offer these stories as examples of why it is important that individuals have easy access to secure communications. The reason I am so adamant in my stance that we need to protect secure communication and strong encryption is that I do not want to see these kinds of headlines becoming the new normal.
Laws are not always just and you might need to break them
This article talks about a Nebraska teenager named Celeste who had an illegal abortion after the US Supreme Court overturned national abortion laws and abortion was outlawed in her state. The state police were able to subpoena Facebook to give them the messages she sent to her mom Jessica where they planned it out.
"While Celeste told police that she had suffered a miscarriage, they continued to investigate, serving Facebook with a search warrant to access Celeste and Jessica’s Facebook accounts. They subsequently found messages between the mother and daughter allegedly detailing how Celeste had undergone a self-managed abortion with Jessica’s help."
As evidenced by this event, laws change and one day you may see yourself in a situation where you need to break the law. Without secure communication between individuals, the State can freely look for and prosecute people as they incriminate themselves while using messaging apps.
It is unlikely you will ever end up in a situation where you need to break the law in the best interest of yourself or your family. However, if that dark day were to ever come, wouldn't you want to be able to communicate with your loved ones without having to fear that the State is reading along?
Emily Baker-White
You may be flagged as a criminal by AI
When given the ability to scan all data between users, there need to be automated ways to detect what is being shared as there can never be enough people to manually review so much material. AI tools have been the go-to means to look for harmful user content and flag abusive social media accounts.
The following articles details the plight of a father that took a picture of his son to send to his doctor with his Android phone. The picture was flagged as child sexual abuse material and his Google account was permanently frozen, meaning that this father lost years of pictures and documents. He has little recourse and his appeals to Google were ignored.
"Two days after taking the photos of his son, Mark’s phone made a blooping notification noise: His account had been disabled because of “harmful content” that was “a severe violation of Google’s policies and might be illegal.” A “learn more” link led to a list of possible reasons, including “child sexual abuse & exploitation.”"
Even though this article deals with a corporation's use of AI scanning, similar tools would are created by countries that surveil private messages. If we are to allow every one of our pictures and private messages to be subjected to indiscriminate scanning by AI algorithms, we can only guess at what kinds of false positives people will be subjected to. A family picture of a summer picnic might flag you as a sexual predator that needs to be investigated.
You may be flagged as a threat by just knowing the wrong person
The best book I ever read about the Snowden revelations was Dark Mirror: Edward Snowden and the American Surveillance State by the journalist Barton Gellman. Gellman is an articulate and intelligent writer who was one of the first people Snowden approached with this trove of leaked documents.
The books goes into impressive technical detail about what Snowden offered journalists and the legal ramifications that needed to be discussed in the newsrooms of publications who wanted to publish the story. This is the book to read if you want to know what it requires to investigate and write about the highest levels of state power.
Gellman writes about the terrifying surveillance systems the NSA built to monitor Americans without their consent or knowledge. He describes programs that automatically record every phone call being made that were built up in the US after 9/11 and how that data was used to map out who knows who and how well. In the article below, he describes why collecting so much data is inherently dangerous and will likely lead to unexpected and terrible outcomes:
"Even by that account, the scale of collection brought to mind an evocative phrase from legal scholar Paul Ohm. Any information in sufficient volume, he wrote, amounted to a “database of ruin.” It held personal secrets that “if revealed, would cause more than embarrassment or shame; it would lead to serious, concrete, devastating harm.” Nearly anyone in the developed world, he wrote, “can be linked to at least one fact in a computer database that an adversary could use for blackmail, discrimination, harassment, or financial or identity theft.” Revelations of “past conduct, health, or family shame,” for example, could cost a person their marriage, career, legal residence, or physical safety."
Gellman also warns us of relying that "..the rules will never change in dangerous ways".
"But history has not been kind to the belief that government conduct always follows rules or that the rules will never change in dangerous ways. Rules can be bypassed or rewritten—with or without notice, with or without malignant intent, by a few degrees at a time or more than a few."
Imagine a future where every group chat you are in can be looked into by the police. Even if you yourself remain completely quiet, do you want to have to worry if some off-color joke some other participant makes will land you on a no-fly list next time you travel? What if one of your close friends from childhood becomes politically active and you are forever connected to them when you apply for a security clearance? I think most people would not want their entire lives catalogued in this way, no matter what kind of security this kind of system could offer.
You may be monitored if you ever feel the need to protest and express yourself
I've written about this before, I think that climate activism will need secure communication in the future even more than they do today. When the planet gets warmer and the effects of climate change get more and more extreme, it will be impossible to ignore and this will lead to climate activism becoming more commonplace and more radical.
Places like the UK and Australia are cracking down on disruptive protests, showing that there is a real political desire to keep the status quo. The story below is from Australia and in it tells the story of Greg Rolles who is out on bail after being arresting at a protest arranged by a more radical climate group. A condition of his bail was that he was barred from using "encrypted messaging apps", meaning he effectively cannot communicate with anyone online.
"Since late June, Greg Rolles must produce on demand his computer and mobile phone for police inspection, and tell them his passwords.
He is not allowed to use any encrypted messaging apps, like Signal or WhatsApp. He can only have one mobile phone.
And there is a list of 38 people, many of whom are his friends, who he's not allowed to associate with in any way — even, another activist found, liking a post on social media."
You may never want to join a protest, can you say the same for everyone in your family or friend group? Would you want them subjected to this kind of state control?
technology reporter Ariel BogleYour life may be monitored in ways you never expected
Metadata, as you may or may not know, is "data about data". What this means is that this data doesn't include the contents of your private messages, but rather when you sent the message and to who and from where. Metadata is incredibly detail and in some cases is more useful in surveillance than the actual contents of messages. The former head of the NSA, Michael Hayden, famous said the US government "kill[s] people based on metadata".
Despite Europe having some of the strongest data privacy laws in the world, there are still laws that require online service providers keep user metadata to help fight terrorism and domestic threats just in case. There are legal limits to how much metadata can be retained and the mass collection of metadata has been forbidden by decisions in European courts.
One example of how metadata can be demanded by authorities and used to track users, fairly recently ProtonMail, a provider of encrypted email services, came under fire for revealing the IP addresses of climate activists when issued a warrant to do so.
To illustrate what can be teased out from simple metadata, the article below is about how metadata bought from a data broker was used to out a pastor in the USA as gay.
Sara Morrison
While European law prevents companies from using and selling data in the same way that it can be in say the USA, governments can still access metadata in the course of investigations. For this reason Signal, the encrypted messaging app that is the gold standard of secure communication apps, attempts to collect as little metadata as possible from users and has a site where they disclose whenever a government demands data from them. As Signal mentions in its most recent disclosure:
"Because everything in Signal is end-to-end encrypted by default, the broad set of personal information that is typically easy to retrieve in other apps simply doesn’t exist on Signal’s servers. This order requested a wide variety of information we don’t have, including the target’s correspondence, contacts, groups, calls, address"
This is not to protect criminals but to protect the public. In the international world, any legal recourse to extract user data from an online service can be used by any country against it's citizens. Quoting from this article about why backdoors that allow spying on user communications don't only work for the "good guys":
"To American lawmakers, it may seem logical to require that access should be provided to U.S. law enforcement in line with U.S. law, including, at a minimum, the receipt of a valid warrant. However, digital communications are international, as are the tech firms at the center of this debate. If Apple, for example, had the technical capability to circumvent encryption on their devices, and they had a policy of facilitating access for U.S. law enforcement when presented with a warrant, they would face tremendous pressure to provide equivalent services to other governments, and, in some cases, like China, even legal obligation to do so."
Why is secure communication under threat in the European Union?
As I am writing this in the summer of 2024, there is an ongoing, concerted effort to outlaw or heavy regulate secure conversations online in the European Union. The proposal to regulate secure messaging would alter the way regular people use everyday apps, like Signal and WhatsApp, and lead to a society where no European could be certain that their conversations remain completely private.
I am really not trying to exaggerate the gravity of this issue. The details of what this legislation would require may be a bit complicated and technical, but in its simplicity, the proposed law would require messaging apps to decrypt user messages if issued a warrant to do so. The legislation is being justified as a way to protect children from abuse and the proposal has the title "Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse".
Contributors to Wikimedia projects
Many experts in online security are against this legislation, which has now been dubbed "Chat Control", and are outspoken on what the outcomes of ending secure messaging in Europe would have. It would effectively create the tools for a mass surveillance system in Europe on a level that has never been seen before.
You can read the proposal here: https://www.patrick-breyer.de/wp-content/uploads/2024/06/csam_cleaned.pdf#page=4
We cannot trust all our private messages to be secure in the hands of the State
At first glance, this kind of proposal seems to solve a horrible societal problem we are facing. No reasonable person would be against protecting some of the most vulnerable people in society. Yet the framing and subsequent attempts to pass this proposal hide the reality that what this law does is allow for the scanning of every single private message in Europe. For now the scope has remained squarely on detecting child abuse but as you can read from the article below that was published in Balkan Insights, Europol has claimed they want to expand this scanning power to other crimes as well.
A reasonable argument can be made that even though every message in Europe would be scanned, it is all for the public good as Europol would only target and monitor criminal activity. Why care if you have nothing to hide?
Even if someone would be OK with being constantly monitored online without any reason or suspicion for the State to do so, a look at the amended proposal reveals that scanning and monitoring would not apply to EU officials or law enforcement. Why would they add a that applies only to themselves? If anything, this highlights how little trust the drafters of this legislation have in the scanning system they themselves are proposing as it cannot be trusted to keep official communications secure.
To give you some context as to why I find this so important, recently Europol had an embarrassing data breach themselves where, get you, sensitive physical documents in a safe were taken out and misplaced. The physical safety of singular documents should be the easiest and most fool-proof of procedures to enact yet even this was shown to fail at the highest levels of law enforcement.
Antoaneta Roussi
What will happen when the means to read any private message in Europe is developed and deployed? We can garner some insight into how this might look like from another European nation: Sweden. In 2017 the Swedish government had a disastrous data breach where the nation's most confidential information was leaked. The data that was released was some of the most sensitive the nation has, including the identities of undercover agents and the makeup of special intelligence units. This data was not exposed due to some hacker getting into their system but from recklessness on the part of officials themselves:
"Unlike other cases involving breaches of government data, the case in Sweden does not appear to involve hacking or other malice. Instead, the focus has been on an apparent absence of proper safeguards and oversight."
If data this sensitive can leak out through sheer bureaucratic fumbling, how can we have any assurance that when a system capable of reading any private message in Europe will remain secure?
Chat Control passing would mean outlawing secure communication in Europe
The EU Commissioner for Justice Věra Jourová has said outright during the EDPS 20th Anniversary Summit that laws that are aimed to protect children online would break secure communication, otherwise know as end-to-end encryption, in Europe. You can watch the video yourself here:
There is no uncertainty about this proposal anymore and no one can claim that critics are imagining worst-case scenarios or misinterpreting what the proposal would entail. If this passes, there will be no wide-spread secure communication in Europe.
What is the current status of Chat Control?
The proposal was originally proposed to the European Council by Ylva Johansson, the EU Commissioner for Home Affairs on 11 May 2022 and for the last 4 terms of the Council it has failed to secure a majority vote to pass.
Joe Mullin
The next push to pass this legislation will happen in October 2024 . Hungary will assume the presidency of the Council and has already slated the proposal to be voted on. If it were to pass, the proposal would be put into effect by the end of 2024.
The most current schedule for voting on this proposal as of July 2024 can be read here:
https://data.consilium.europa.eu/doc/document/ST-11222-2024-INIT/en/pdf#page=30
It's clear now that this has become a battle of attrition. Despite the proposal failing to secure enough votes to pass for the last two years, it has been tactically removed and the vote pushed forward into the future in hopes that public interest will wain. In my own country of Finland, mainstream news sources are barely covering this issue at all and the only recent article about it that I found was written after the fact when the proposal had already been voted on.
Henrik Kärkkäinen
What You Can Do
If you have made it this far into this blog post, it's safe to say that you are beginning to feel concern regarding the future of secure communication in Europe. When I first began to research this subject, I felt overwhelm and a bit lost. It seemed at first that after the Snowden revelations in 2013, Western society collectively began to value online privacy and I felt that even 10 years on this dedication to privacy was still quite strong. I felt that all I needed to is to keep an eye on the news and privacy would protect itself.
It's clear now that encryption and secure communication is under sustained attack and there is a serious political project ongoing as we speak to weaken or undermine it.
I always try to keep in mind that if a news story truly upsets me, I most act upon it. Like many people, I personally sink into a state of doomscrolling when reading the news and allow it to weaken me and rob me of my agency. For this reason, I want to end this post with a few things you can do right now to fight for our right to secure communication.
Spread the word
"Spreading the word" gets mentioned a lot whenever you read about advancing political causes but it really is the most important thing you can do. As I mentioned in this post, "Chat Control" and upload moderation is a story that is not getting reported on in the mainstream media so this responsibility lies squarely on us who acknowledge this threat and want to do something about it.
My experience is that it is easy to get labelled a privacy extremist or be seen as "getting lost in a rabbit hole" when you bring this topic up. It's precisely for this reason I wanted to link as many news articles as I could in this post so you can show people who have questions about the importance of this topic that this isn't some paranoid delusion or a weird political stance. If we let this issue slip by and lose the ability to communicate securely, a new kind of society will take shape that will be more rigid and far more controlled.
Follow Privacy Advocates on Social Media
Pretty much everything I know regarding Chat Control and privacy legislation comes from Mastodon, a social media platform that I use after Twitter became the place it is today. If you want to follow privacy news, you ought to have both a Mastodon and a Twitter account, as Twitter still has many politicians and lobbyists that actively use it. I personally share my opinions on Mastodon but will use Twitter to read about privacy news and to retweet things I feel are important. Also the same person might share different things on different accounts so I've found it useful to follow both their Mastodon and Twitter account.
By following these accounts you'll hear about coming legislative pushes and direct action campaigns you can join. It really is the only sure way to know what's going on in the world of privacy.
These lists are in no way exhaustive and I will hopefully be adding to them. My hope here is to simply give you a starting point from where you can begin to curate your own list of voices on privacy issues:
Mastodon
Patrick Beyer - https://digitalcourage.social/@echo_pbreyer
Matthew Green - https://ioc.exchange/@matthew_d_green
Meredith Whittaker - https://mastodon.world/@Mer__edith
Signal - https://mastodon.world/@signalapp
Proton - https://mastodon.social/@protonprivacy
EDRi - https://eupolicy.social/@edri
EFF - https://mastodon.social/@eff
Andre Meister - https://chaos.social/@andre_meister
Twitter
Patrick Beyer - https://twitter.com/echo_pbreyer
Matthew Green - https://twitter.com/matthew_d_green
Meredith Whittaker - https://twitter.com/mer__edith
Signal - https://twitter.com/signalapp
Proton - https://twitter.com/ProtonPrivacy
EDRi - https://twitter.com/edri
EFF - https://twitter.com/EFF
Ella Jakubowska - https://twitter.com/ellajakubowska1
Write to Journalists and Politicians
When the most recent push for Chat Control came around and was going to be put to a vote 19. - 20.6.2024, I began to feel a deep sense of helplessness. I had shared news about Chat Control online and offline for years yet it seemed like it was all for not. As I waited in dread for the vote to come up, I began writing to journalists and politicians to at least give myself the feeling that I could do something, anything, to fight this legislation.
It really is like screaming into the Void as I didn't really get any replies. However, one journalist did get back to me and mentioned they had not heard of this legislation themselves and would begin looking into it. Fortunately the vote was not held and know one more journalist might be following this story.
And who knows, maybe some MEPs saw some of the headlines of my email and might have had a meager effect. In any case, I greatly enjoyed using my right to free speech. Until now to me "free speech" felt more like a catchy jingle people use to explain why modern society is so great. It took this mini-crisis for me to actually find my voice and use it.
Join or Donate To A Digital Rights Organization
Although writing individual emails to journalists and politicians is important, giving your support to digital rights organizations is one of the best ways to affect political change. Larger organizations have a kind of legitimacy and power that make them very influential and will have the ears of politicians and bureaucrats that make important decisions regarding privacy.
Usually the most direct way to support these organizations is by joining and donating money. In Europe, EDRi (European Digital Rights network) is one of the biggest. In the US and around the world, the best known digital right group is the Electronic Frontier Foundation (EFF). Although the EFF is an American organization, it does weigh in on European issues and is listened to widely all over the world.
As I live in Finland, on the local level I have joined Electronic Frontier Finland (Effi Ry). Effi had released statements against Chat Control to the Finnish body that was going to vote on the measure and so was directly in contact with the people making these decisions. Joining one or all of these organizations and following their sites for ways to directly contribute to ensuring our collective privacy rights.
Josh Richman
Donate to Signal
I've written about this before but one of the best ways to support strongly secured communication is to donate to Signal. Every platform needs to support itself in some way and as of now in 2024, the Signal Foundation is a non-profit that is aiming to run on user and organization donations.
You can donate to Signal in various ways but one of the easiest is to either donate one time or as a recurring monthly donor and get a donor badge.
It's obvious to me that the only way we can make sure we have a widely used and secure messaging platform that is immune to the temptations of surveillance capitalism is for that platform to be supported monetarily by average users. Free stuff is nice, but I think most people my age know that "free" in the way Facebook is free isn't all it seems to be.
There have been all kinds of smear campaigns against Signal and that it's run by the CIA or whatever. I have not come across any serious researcher who would claim that Signal is compromised however there have been serious cryptographers who have expressed reservations about another large encrypted messaging app, Telegram.
Learn More About Encryption
One of the reasons I got into privacy and cryptography in the first place is that I really like the technical aspects of it. I like reading about cryptography from history as well has how modern cryptography is implemented.
If in the dark dystopian future Chat Control would pass and apps that allow for strong encryption would be banned in Europe, the firs thing I would do is start using PGP (or it's open-source version GPG) to secure all my communications. PGP was developed by Phill Zimmermann in the 1991 and how it was developed and the legal fights that ensued after its release is deeply fascinating. If you want to read more about it and the history of the Cypherpunk movement, two books I recommend are This Machine Kills Secrets by Andy Greenberg and Crypto by Stephen Levy.
If you want to join the movement for radical privacy, you can create a GPG keypair for yourself. You'll find more about how to do this online but below is a simple guide you can follow. If strong encryption is ever outlawed, I'll be using GPG for everything.
Hunter Wittenborn
Hopefully these few starting points will help you get into the fight if you want to join. We have until October 2024 to organize and plan our next response to Chat Control.
Afterword
As I am writing this, I have read that the US Supreme Court has now ruled that the US president is beyond criminal liability while in office. This decision is one more disturbing news story that's following a sinister trend. Authoritarian voices are rising and factions within various governments seem to want to tighten their grip on power.
Just to be clear here, not even in my doom-and-gloom mindset do I see some sort of Orwellian surveillance state being built in the next 20 years where people are being jailed for expressing their views like what is currently happening in China.
What I do see though is the tools needed for this for this kind of society getting forged right now. I don't think we ought to rely on the good nature of elected officials to always make the right decisions or that the laws we must live under are always going to line up with what we think is right. New politicians are elected in and new laws passed, how are we to know if in 20 years an issue arises that would make people want to rise up and organize for? What if that issue is deemed a threat by the State and protests are monitored and organization efforts are surveilled?
You might trust the laws and the leaders of the current government now; can you with any certainty say that about the laws and leaders that are to come in the future? If a law that undermines encryption is passed now, that same law will be used by future governments, ones that you might be afraid of or want to fight against. We ought to have the means to talk to each other freely without fear of government surveillance or oversight. It is our ability to discuss and critique the use of power that keeps that power in check. That we have not had to use this ability all that much in the last few decades has made us forgetful its profound potential to change society.
The only way we will ever be able to resist a decent into authoritarianism is through organization and this must be done beyond the gaze of the State surveillance apparatus.
As the president of Signal, Meredith Whittaker, said in a recent interview with the Guardian:
Surveillance, she says, was a “disease” from the very beginning of the internet, and encryption is “deeply threatening to the type of power that constitutes itself via these information asymmetries”. All of which means that she doesn’t expect the fight to end any time soon. “I don’t think these arguments are in good faith. There’s a deeper tension here, because in 20 years of the development of this metastatic tech industry, we have seen every aspect of our lives become subject to mass surveillance perpetrated by a handful of companies partnering with the US government and other ‘Five Eyes’ agencies to gather more surveillance data about us than has ever been available to any entity in human history.
If you read this and want to send me a message you can find my contact info here.