Encryption & Key Management , Governance & Risk Management , Incident & Breach Response
Europe Seeks More Mass SurveillanceEU Politicians Demand More Monitoring, New Encryption Policies
In the wake of the Paris attacks, the French government will introduce new laws to strengthen the country's already extensive surveillance state. Meanwhile, British Prime Minister David Cameron has pledged that if his Conservative party wins an upcoming election, he will ban or "backdoor" all encrypted-communications products to facilitate easier monitoring by the country's security services.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
French Prime Minister Manuel Valls said in his Jan. 13 address to parliament that the government will soon propose a new surveillance law designed to give the country's intelligence services "all the legal means to accomplish their mission," The Wall Street Journal reports. The government also plans to increase funding for its intelligence services, hire more employees and track more suspected terrorists domestically.
But the country also wants to see greater policing on the part of social networks. "We have to focus on the Internet and social networks, which are more than ever used to recruit, organize and disseminate technical knowhow to commit terrorist acts," said Valls, who reportedly received multiple standing ovations during his speech.
Europol advisor Alan Woodward tells Information Security Media Group that already, "France has some of the most intrusive surveillance laws in the western world."
Some EU officials are now calling for greater monitoring of social networks, saying it will help law enforcement agencies spot and thwart such attacks before they occur. To that end, 10 European countries, together with Canada and the United States, signed a Jan. 11 joint statement calling on social networks to channel more information to law enforcement agencies by default.
Such efforts follow related meetings - and escalating rhetoric - in recent months between European officials and U.S. technology firms. A recent U.K. parliamentary report, for example, even went so far as to blame Facebook for failing to prevent the 2013 murder of British soldier Lee Rigby by two fellow citizens. The same report, which characterized the social network as being a "terrorist haven," exonerated Britain's intelligence services, despite noting that they had committed a string of related errors.
Some U.S. technology executives have reacted with anger to such criticism, noting that the EU intelligence services are already intercepting a massive amount of online communications in the name of national security - without the companies' permission - and are legally entitled to subpoena any desired information.
Britain Seeks Encryption Busting
In Britain, meanwhile, Prime Minister David Cameron's response to the Paris massacre has been a pledge to reintroduce controversial mass-surveillance legislation if the Tories win the country's general election in May. He also promises to legislate the intelligence services' right to read all forms of encrypted communications (see U.K. Debates Rebooted 'Snooper's Charter'). "In our country, do we want to allow a means of communication between people which even in extremis with a signed warrant from the Home Secretary that we cannot read?" Cameron asked in a Jan. 12 speech. "My answer to that question is, 'No, we must not.'"
The prime minister's pledge to penetrate or eliminate some types of security was delivered the same day that the EU Agency for Network and Information Security, or ENISA, issued a report urging Europe's data protection agencies to demand much more "privacy by design" in software and hardware products, especially for regulatory compliance, and saying that privacy need not come at the expense of security. ENISA also says that numerous privacy technologies - including but not limited to end-to-end encryption - should be promoted by policymakers and in legislation, and become part of many more engineers' toolbox.
Such advice comes, however, as law enforcement agencies are struggling to adapt their anti-terrorism strategies. Terrorism experts say that recent attacks in Paris, Canada and Australia have involved smaller terror cells than before, including lone-wolf gunmen that cause relatively few deaths, but cause great amounts of panic. "The threats we have dealt with recently include traditional Al Qaeda plans for large-scale attacks, with concerns about explosives hidden in tablets and computers," a former British intelligence official tells The New York Times. "But over the last two years, we have also seen an increase in the actions of individuals and small groups, and we have to worry about that, too."
Experts Deride Encryption Attacks
But Cameron's vague encryption promise is being read by some information security experts as an attempt to ban - or add backdoors - to encrypted communications tools, while others think it might represent a bid by the country's intelligence services to gain new, legal means of compelling services to open back doors into end-to-end encryption services.
Any such attempts, however, would be "crazy," independent information security expert Graham Cluley tells the Guardian. "Cameron is living in cloud cuckoo land if he thinks that this is a sensible idea, and no it wouldn't be possible to implement properly."
Numerous security experts have likewise derided the prime minister's promise, with former Microsoft chief privacy officer Caspar Bowden - now a privacy rights campaigner - tweeting that it reflects the widespread lack of technical knowledge in the upper echelons of the British government.
if there are any members of @UKParliament who could cogently explain asymmetric crypto or how a vuln is exploited, I don't know who they are” Caspar Bowden (@CasparBowden) January 14, 2015
U.K. Data Watchdog Sounds Warning
Jumping into the debate, the head of Britain's data watchdog has warned against "knee-jerk reactions," saying he wants to see a thorough accounting of the information that the security services are already accessing, before they're granted any additional surveillance powers. "I do not underestimate the real challenges posed by international terrorism - particularly after last week's shootings in Paris," U.K. Information Commissioner Christopher Graham said in a Jan. 12 speech. "But ... we need cool heads to analyze carefully what information the security services had access to and how they used it before necessarily concluding that we must give them access to more and more of our private information."
"We must avoid knee-jerk reactions," Graham said. "In particular, I am concerned about any compromising of effective encryption for consumers of online services."