Grapperhaus thinks installing a backdoor does not weaken encryption
The cabinet is still working behind the scenes on a law that mandates the ability to break encryption, even though a majority of the House is against it. The NOS revealed this last week. The news has already caused much commotion, and a large number of organisations and individuals have spoken out in favour of the development, availability and application of encryption on www.stimuleer-encryption.nl. This proposition is apparently very widely supported, which is striking.
The plan is not new. It was already looked into after the attacks in Paris in November 2015. This makes sense, because when something like this happens, investigation and intelligence services cry out for more powers. That was about something that happened in France, but we have also seen it in the Netherlands. Of course, it's much easier to say you didn't have enough powers than to admit that something slipped through the cracks. You also kill two birds with one stone: you get more powers, which is nice, and you don't get the blame. This trick has been used several times in the past. Consider the data retention obligation (now made largely inoperative by the courts) after the attacks in Madrid and the murder of Theo van Gogh, and the Intelligence and Security Services Act (Wiv), after the attack on Charlie Hebdo. Trouw wrote in 2015: "Remarkably often in an attack, there is a link with the Netherlands." (The article is only readable by subscribers, so I can't link to it.) In short: the AIVD is embarrassed on the international stage.
Grapperhaus seems unfamiliar with end-to-end encryption
But let's get back to the topic. In January 2016, the then acting Minister of Justice wrote a letter to the House of Representatives with the government's position on encryption. The conclusion: it is 'undesirable' to 'take restrictive legal measures with regard to the development, availability and use of encryption'. Grapperhaus, however, wants to build in a 'back door' and his answers to parliamentary questions show that he thinks he can do this within the framework of the above-mentioned government position. Apparently, he doesn't see the inclusion of a backdoor as limiting or weakening encryption.
He made even more remarkable statements. For example, he was asked whether making WhatsApp and Telegram messages accessible to the government would lead to people setting up services themselves and making use of them. He does not see this as a problem, because "messages have already been seized from companies and the Public Prosecution Service has been able to view messages in unencrypted form". He seems completely unfamiliar with the principle of end-to-end encryption. And besides: if those services that people set up themselves are not a problem, why are existing services a problem?
Would he like to regulate it through a ban on end-to-end encryption? A total ban on end-to-end encryption is impossible. Banks, payment providers, the tax authorities and the like would then no longer be able to make use of it, which in fact amounts to slamming the brakes on the digital economy. If such a ban were to apply only to chat services, it would not help very much. People who need it can and will set up and use facilities themselves, or use other existing facilities for mutual communication. Consider, for example, storing messages in the 'drafts' folder of an e-mail service in order to communicate without actually sending the e-mail. That may seem far-fetched, but it is a trick that has been used in practice for years.
- A backdoor will always be broken open by third parties, certainly if it is generally known that the backdoor exists. China, Russia and even allies have already shown that they are very interested in what is happening in the Netherlands on a digital level. Universities, the European Medicines Agency (EMA), the JIT, chip-making equipment manufacturer ASML: there is plenty in the Netherlands that foreign countries are interested in. That backdoor is thus easily broken open, with all the consequences that entails. Or the key is stolen, because the Dutch government does not have an impressive reputation when it comes to IT and IT security.
- Who will supervise the lawful use of this backdoor? Neither the report on (the application of) the Intelligence and Security Services Act nor the report on the child allowance affair inspires confidence in the degree to which ministers have control over their ministries. So we only have to wait until it is abused.
- What's stopping someone from using encryption without the mandatory backdoor? Will the government supervise this? That would mean that the government should occasionally try to 'open the backdoor'. But opening that backdoor is only allowed under strict conditions. So how would that be enforced?
- Will there be permits (as in China) for the use of backdoor encryption for companies (think of VPN connections for home workers), payment providers, banks, the government itself, etc.?
- The chat services that are currently popular in the Netherlands are all foreign apps. How does Grapperhaus think it can impose obligations on those companies?
These are just a few objections and impossibilities that come to mind. The whole idea is so unfortunate that I don't even know where to start.
"We live in a digibetocracy."
If you ask me, the real danger to Dutch society is not the use of encryption. The real danger is that our country is run by digital illiterates. To quote Arjen Lubach: "We live in a digibetocracy." Society is digitizing at a rapid pace. Digital products and services are already an enormous part of our lives and of the economy. In the meantime, there is practically no one in The Hague who understands this. The few who do understand will soon be leaving. So we are actually in a situation where both the government and the House of Representatives have no idea what is happening in a large and important part of the country that they have to govern.
By: Alex Bik