What sauce will encrypted messaging services like WhatsApp, Telegram, Signal, and Olvid be eaten with? The answer should be available in the coming weeks, as starting this Monday, March 17, the National Assembly will begin examining the bill "aimed at freeing France from the trap of drug trafficking." One of its articles (8 ter), deleted in committee after much controversy, could be reintroduced into the text.
This provision aimed to force encrypted messaging services to share messages exchanged on these platforms with law enforcement, for the purpose of combating serious crime—messages to which neither the platform itself nor the investigative services have access, due to encryption. On this type of messaging, only the sender and the recipient have a key that allows the exchanged messages to be decrypted.
As we explained in this article, the measure was highly contested due to its liberticidal nature, whether by messaging services, digital companies, but also by the authorities in charge of defending our personal data and privacy protection associations.
In an op-ed in Monde of Wednesday, March 5, signed by a collective of digital specialists including Guillaume Poupard, cybersecurity expert and former head of Anssi, Gilles Babinet, co-president of the National Digital Council, Sébastien Soriano, former president of Arcep, mathematician Cédric Villani, and French MPs Anne Le Hénanff (Horizons), Eric Bothorel (EPR) and Philippe Latombe (Les Démocrates), the bill was described as "giving the State considerable powers to digitally spy on the French and undermine the secrecy of correspondence." The collective specifically asked parliamentarians to "correct this hasty, ineffective and catastrophic proposal for our digital security by withdrawing Article 8 ter."
The message seemed to have been heard, since the text was finally deleted by the National Assembly's Law Committee. However, the battle is far from over.
Because since then, three amendments have been tabled by MPs Mathieu Lefèvre, Paul Midy (EPR) and Olivier Marleix (DR). They aim to reinstate the measure requiring messaging services to capture messages, at the request of the authorities, with supporting safeguards, such as the absence of alteration of encryption, respect for the secrecy of correspondence and the protection of personal data.
Platforms that "never collaborate on access to content"
Bruno Retailleau, Minister of the Interior and supporter of the measure, repeated last weekend, in the pages of Parisien, that he wanted "this article to be reintroduced." According to the politician, "it is not a question of implementing widespread surveillance but of defining with all operators the means that will allow the intelligence services to prevent score-settling, human trafficking and attacks. Like all intelligence techniques, these methods will be under the control of the Prime Minister and an independent commission."
The director of the DGSI, Céline Berthon, has also taken a stand, this time in the columns of the Journal du Dimanche. The woman at the head of Internal Security believes that such access is today "essential to our work." "This measure can only be applied to specifically designated individuals, by decision of the Prime Minister, after consulting the National Commission for the Control of Intelligence Techniques (CNCTR)." She deplores that "in matters of intelligence, applications like Signal, WhatsApp or Telegram, to name but a few, never cooperate on access to content. It is for this reason that the establishment of a binding legal framework is a source of hope."
However, due to encryption technology, messaging services do not have access to the content of messages exchanged by their users on their platforms: it is therefore difficult to respond positively to a request from the authorities if they are not able to access the conversations exchanged themselves.
In recent years, many cybersecurity experts have explained that it is not possible to make encrypted messages accessible to law enforcement without also making them accessible to hackers and hostile governments – whether through a "backdoor" or other methods. Hearing before the Law Commission on March 4, Bruno Retailleau, the Minister of the Interior, had notably mentioned not "a backdoor solution, that is to say where we create a flaw, where at any time, someone, an intelligence service can infiltrate" but another technique, that of the "ghost user".
"In short, you have a platform that is capable of encrypting a communication from individual A to individual B. We encrypt from end to end. Here, we are not going to introduce ourselves into the middle, if I dare say, of this communication. We will ask the platform to also do, while it uses this flow from A to B, to do from A to C. So there is no flaw, there is no flaw," he repeated.
The ghost technique is "a back door"
A point that Guillaume Poupard returned to this Monday, March 17. The former director of the French cybersecurity watchdog, the National Agency for Information Systems Security (ANSSI), commented at length on Monday, March 17, on the proposed “ghost technique” – a method “whose dangers and inefficiencies (have) (…) been widely demonstrated,” he wrote in a post LinkedIn. "The idea is to introduce a ghost participant into conversations upon request, invisible but the recipient of the exchanges. It's attractive, but unfortunately it doesn't stand up to analysis. The question of whether or not these are backdoors is sterile. Modifying security functions in a covert manner in order to contravene their purpose is introducing a backdoor. Period.", he writes.
For the latter, "modifying security mechanisms, protocols and their implementation, especially in a covert manner, is a guarantee of multiplying involuntary errors and vulnerabilities that can then be exploited by cybercriminals." According to the former head of Anssi, "the introduction of backdoors, however sophisticated they may be, is at the same time unrealistic, dangerous and ineffective."
A few hours before the start of the examination of the text scheduled for this afternoon, the government received this morning at Matignon the representatives of encrypted messaging services, before deciding on its position, we learn Politico, this Monday, March 17. The executive can still submit an amendment to reinstate the measure – until the text is examined, Contexte reminds us today. The debates, which are likely to be heated, will last until March 25.
0 Comments