committing page revision 3

author: 46halbe <46halbe@berlin.ccc.de> 2019-06-14 16:47:27 +0000
committer: 46halbe <46halbe@berlin.ccc.de> 2020-05-23 13:40:21 +0000
commit: 301f60024f704dba01ecaba7bd5cf92e567f2269 (patch)
tree: 11cedcd5b29f18fab0b1982d8f9e3d89bde941f3 /updates/2019
parent: bdd69b4b68f985cb9b6282cef3b570f7b62fb535 (diff)
1 files changed, 298 insertions, 0 deletions
diff --git a/updates/2019/encrypted-messengers.en.md b/updates/2019/encrypted-messengers.en.md
new file mode 100644
index 00000000..075bd335
--- /dev/null
+++ b/updates/2019/encrypted-messengers.en.md
@@ -0,0 +1,298 @@
+title: IT security: CCC against weakening of encryption by law
+date: 2019-06-11 20:42:46 
+updated: 2019-06-14 16:47:27 
+author: linus
+tags: update, pressemitteilung, verschlüsselung, bmi
+Chaos Computer Club (CCC) signed the open letter against backdoors.
+<!-- TEASER_END -->
+TO: German Federal Ministry of the Interior, Building and Community
+IN COPY: German Federal Foreign Office, German Federal Ministry of
+Justice and Consumer Protection, German Federal Ministry of Economic
+Affairs and Energy, German Federal Office for Information Security
+**Subject: Planned encroachment on encryption of messenger services
+would have fatal consequences**
+Ladies and Gentlemen,
+the Federal Ministry of the Interior, Building and Community (BMI) plans
+a change in the law to make it easier for German police and security
+authorities to gain access to the digital communication of suspects in
+the future, according to media reports. To this end, providers of
+messenger services such as Whatsapp, Threema, and iMessage are to be
+required by law to modify their encryption technology in such a way that
+authorities can record the entire communication of users in cases which
+have generated suspicion. ([reported in
+Gerrman](https://www.spiegel.de/plus/horst-seehofer-greift-whatsapp-an-a-00000000-0002-0001-0000-000164076162))
+We expressly warn against such a step and demand an immediate
+renunciation of this or similar political intentions at German and
+European level. The proposed reform would precipitously reduce the
+security level of millions of German Internet users, create new gateways
+for foreign intelligence services and Internet criminals, and massively
+damage Germany's international reputation as a leading location for a
+secure and data protection-oriented digital economy. Instead of
+implementing reform ideas that are years out of date, the German Federal
+Ministry of the Interior, Building and Community should, in our view,
+take a new security policy path and develop proposals that improve the
+work of police and security authorities without downgrading the security
+of IT systems and private communications in Germany as a whole.
+Our criticism in detail:
+## The German Crypto Policy
+At the end of May, it became known that the Federal Ministry of the
+Interior, Building and Community is planning to extend the existing
+Telecommunications Act to encrypted messengers such as WhatsApp, Signal,
+Threema, Wire, and Telegram. This means in concrete terms: The operators
+of these services must redesign their software in such a way that the
+content of messages can be passed on in unencrypted form to security
+authorities. Should the operators refuse to do so, their services would
+be blocked in Germany. Representatives of the British GCHQ describe in
+their “Ghost Proposal”^[\[1\]](#ftnt1){#ftnt_ref1}^ what a technical
+implementation of the backdoors in the messenger apps could look like.
+This proposal has recently been strongly criticized in an open letter by
+an international alliance of industry, academia, and civil
+society.^[\[2\]](#ftnt2){#ftnt_ref2}^
+The BMI proposal undermines twenty years of successful crypto policy in
+Germany.^[\[3\]](#ftnt3){#ftnt_ref3}^ In the cornerstones of the German
+Crypto Policy of 1999,^[\[4\]](#ftnt4){#ftnt_ref4}^ the then federal
+government agreed on a principle that became known under the maxim
+“security through encryption and security despite encryption”. This
+principle has since been confirmed several times by the subsequent
+federal governments. In 2014, Germany even expressed the ambition to
+become the “No. 1 encryption location”^[\[5\]](#ftnt5){#ftnt_ref5}^ in
+the world. A break with these commitments would cause lasting damage to
+Germany's IT security in administration, industry, and society.
+## Impact on IT security
+The planned obligation on messenger operators would result in operators
+being required to incorporate a vulnerability in their software. This
+demands a profound encroachment on the existing complex software systems
+of the operators. This vulnerability could be exploited by intelligence
+services and criminals to gain access to sensitive information from
+individuals, government authorities, and companies. Current
+examples^[\[6\]](#ftnt6){#ftnt_ref6}^ show that securing a messenger is
+already complex enough, without incorporating additional vulnerabilities
+and thus further jeopardizing IT security.
+At the same time, this incorporation of vulnerabilities would enable
+employees of the operators to view communication content, something
+which is currently not possible. This not only increases the potential
+for abuse – a central storage of the required cryptographic
+keys^[\[7\]](#ftnt7){#ftnt_ref7}^ would also represent a primary target
+for attackers, which in the case of a successful attack could lead to
+the disclosure of the communication of all (!) users
+(Single-Point-of-Failure).
+In addition, the new version of the respective messenger app with a
+backdoor would have to be installed as a software update. Either all
+German users or selected German users would receive this backdoor as an
+update. This process would shake consumer confidence in security updates
+to the core, and would thus have a lasting negative impact on IT
+security in Germany.
+Should the messenger operators fail to implement the planned measure,
+the Ministry of the Interior plans to block their services in Germany.
+This would also be the only way for the authorities to deal with
+messengers whose encryption does not require a central operator and in
+which no backdoors could be implemented by regulation (e.g. Pretty Good
+Privacy, Off-The-Record). This would inevitably mean that there would no
+longer be any secure messenger communication within Germany. However, a
+technical implementation would be virtually impossible, especially for
+open source messenger apps such as Signal. It would require a dedicated
+IT infrastructure which deeply encroaches on civil liberties, in order
+to rule out the bypassing of these blocks (including blocking Virtual
+Private Networks \[VPNs\] and The Onion Router \[TOR\]), as criminals
+would be the first to attempt this.^[\[8\]](#ftnt8){#ftnt_ref8}^
+However, this would not “only” affect German authorities (e.g. police,
+fire brigade, technical relief), companies and citizens in general, but
+also people subject to professional confidentiality (e.g. lawyers,
+clergymen, physicians, journalists, and parliamentarians) and other
+groups of persons who are in particular need of protection.
+Meanwhile, former intelligence chiefs are increasingly arguing that in
+the age of cyber crime, data leaks, and espionage, the benefits of
+comprehensive encryption (without backdoors) more than outweigh the loss
+of surveillance capability. Strategic interests such as the stability of
+the IT sector and the IT ecosystem outweigh the tactical interests of
+prosecutors, such as former NSA chief Michael Hayden and former head of
+the British domestic intelligence service
+MI5.^[\[9\]](#ftnt9){#ftnt_ref9}^
+## Empirical state of knowledge and alternatives
+In keeping with the cornerstones of the German Crypto Policy, the German
+federal government decided in 1999 not to weaken encryption (including
+the installation of backdoors) but to use malware (“State Trojan”) to
+obtain data before/after encryption. For understandable reasons, the
+German Federal Constitutional Court set high barriers for this measure.
+Instead of carrying out an urgently needed needs analysis on the basis
+of the existing surveillance measures and the
+overall^[\[10\]](#ftnt10){#ftnt_ref10}^ surveillance account demanded
+many years ago by the Federal Constitutional Court, a regulation is now
+to be implemented that ignores^[\[11\]](#ftnt11){#ftnt_ref11}^ more than
+twenty years of scientific findings in IT security research.
+The often cited hypothesis that secret services and law enforcement
+authorities no longer have access to relevant data due to encryption
+(going dark) has not been empirically proven to
+date.^[\[12\]](#ftnt12){#ftnt_ref12}^ On the contrary, technological
+developments in recent decades have resulted in more data being
+available to prosecutors than ever
+before.^[\[13\]](#ftnt13){#ftnt_ref13}^ The law enforcement authorities
+have so far documented very little regarding the number of cases where
+encrypted communication has actually brought investigations to a halt.
+Nor is there a complete overview of which alternative possibilities for
+collecting the necessary data are already legal in Germany and where
+there are still gaps.^[\[14\]](#ftnt14){#ftnt_ref14}^
+## International spillover effects
+If this proposal were to be implemented, it would also have a negative
+impact far beyond Germany's borders. Authoritarian states would refer to
+this regulation and request corresponding content data from the
+messenger operators with reference to the fact that this is technically
+possible, given that it is already being done in Germany. This would
+massively affect the communication of human rights activists,
+journalists, and other pursued groups ofpeople – groups of people that
+German foreign and development aid policy has tried to protect up to now
+and supports to the tune of billions of Euros annually. Germany must
+also be aware of its responsibility in the world in this area. By
+deliberately weakening secure messenger apps, Germany would jeopardize
+its credibility in foreign policy as an advocate of a free and open
+Internet.^[\[15\]](#ftnt15){#ftnt_ref15}^ The Network Enforcement Act
+serves here as a warning of the impact German legislation can have on
+the world.^[\[16\]](#ftnt16){#ftnt_ref16}^
+## Germany as a business location
+Administration, businesses, and consumers must be able to rely on the
+fact that the use of digital products and services meets the
+requirements for the protection of their data and the integrity of their
+systems. For companies in particular, this plays a major role in the
+choice of their production location. They establish their headquarters
+in those places where they know their trade secrets and customer data
+are protected.
+Sabotage and industrial espionage caused 43 billion Euro damage to the
+industrial sector alone in 2016/2017.^[\[17\]](#ftnt17){#ftnt_ref17}^ It
+can be assumed that a weakening of encryption will further increase
+these figures, as built-in backdoors can also be abused by foreign
+intelligence services and criminals. If Germany wants to be an
+innovation-friendly and competitive business location, technical
+backdoors that allow access for third parties must continue to be
+excluded.
+In addition, Germany is also a location for IT security companies with,
+among other things, a focus on encryption technologies. The
+trustworthiness of these companies in particular would be massively
+jeopardized by the planned intentions. This would weaken Germany as a
+location for the IT security industry as a whole, which directly
+contradicts the industrial policy goals of Germany and Europe.
+We expressly warn against the planned intentions of the German Federal
+Ministry of the Interior, Building and Community to regulate messenger
+services and demand an immediate abandonment of this and similar
+political intentions at German and European level. In addition, an
+official assessment from the following bodies would be required: :
+-   The Federal Ministry for Economic Affairs and Energy (BMWi) (focus:
+    possible damage to German industry and the digital economy),
+-   of the German Federal Foreign Office (focus: Spillover effects,
+    especially in authoritarian states, loss of Germany’s reputation as
+    an established constitutional state),
+-   German Federal Ministry of Justice and Consumer Protection (focus:
+    loss of consumer confidence),
+-   Federal Office for Information Security (focus: jeopardizing IT
+    Security in Germany for the state, industry, and society).
+Yours sincerely
+[**German version**](/de/updates/2019/encrypted-messengers)
+------------------------------------------------------------------------
+## Links:
+-   [\[1\]](#ftnt_ref1){#ftnt1} [Ian Levy, Crispin Robinson: Principles
+    for a More Informed Exceptional Access
+    Debate](https://www.lawfareblog.com/principles-more-informed-exceptional-access-debate)
+-   [\[2\]](#ftnt_ref2){#ftnt2} [Coalition Letter: Open Letter to
+    GCHQ](https://newamericadotorg.s3.amazonaws.com/documents/Coalition_Letter_to_GCHQ_on_Ghost_Proposal_-_May_22_2019.pdf)
+-   [\[3\]](#ftnt_ref3){#ftnt3} [Sven Herpig, Stefan Heumann: Encryption
+    Debate in
+    Germany](https://carnegieendowment.org/2019/05/30/encryption-debate-in-germany-pub-79215)
+-   [\[4\]](#ftnt_ref4){#ftnt4} [Die Raven-Homepage: Eckpunkte der
+    deutschen
+    Kryptopolitik](https://hp.kairaven.de/law/eckwertkrypto.html) (The
+    Cornerstones of German Crypto Policy)
+-   [\[5\]](#ftnt_ref5){#ftnt5} [Die Bundesregierung: Digitale Agenda
+    2014 -
+    2017](https://www.bmwi.de/Redaktion/DE/Publikationen/Digitale-Welt/digitale-agenda.pdf?__blob%253DpublicationFile%2526v%253D3)
+-   [\[6\]](#ftnt_ref6){#ftnt6} [Jürgen Schmidt: Kritische
+    Sicherheitslücke gefährdet Milliarden
+    WhatsApp-Nutzer](https://www.heise.de/security/meldung/Kritische-Sicherheitsluecke-gefaehrdet-Milliarden-WhatsApp-Nutzer-4186365.html)
+    (Critical vulnerability threatens billions of WhatsApp users) und
+    [Marius Mestermann: Ernster iPhone-Bug: Apple schaltet
+    FaceTime-Gruppenanrufe
+    ab](https://www.spiegel.de/politik/deutschland/nachrichten-am-morgen-die-news-in-echtzeit-a-1249669.html)
+    (Apple turns off FaceTime group calls)
+-   [\[7\]](#ftnt_ref7){#ftnt7} This is one possible implementation of
+    these backdoors. There are also other implementation possibilities,
+    but these are technically no less problematic.
+-   [\[8\]](#ftnt_ref8){#ftnt8} [Matthias Schulze: Überwachung von
+    WhatsApp und Co. Going dark? (Monitoring of WhatsApp and
+    Co.)](http://percepticon.de/2019/06/04-going-dark/)
+-   [\[9\]](#ftnt_ref9){#ftnt9} [Michael Hayden: The Pros and Cons of
+    Encryption](https://www.youtube.com/watch?v%253D6HNnVcp6NYA) and
+    [The Guardian: Ex-MI5 Chef warns against crackdown on encrypted
+    messaging
+    apps](https://www.theguardian.com/technology/2017/aug/11/ex-mi5-chief-warns-against-crackdown-encrypted-messaging-apps)
+-   [\[10\]](#ftnt_ref10){#ftnt10} [Constanze Kurz:
+    Überwachungsgesamtrechnung: Vorratsdatenspeicherung ist der Tropfen,
+    der das Fass zum Überlaufen
+    bringt](https://netzpolitik.org/2015/ueberwachungsgesamtrechnung-vorratsdatenspeicherung-ist-der-tropfen-der-das-fass-zum-ueberlaufen-bringt/)
+    (Overall Surveillance Account: Blanket Data Retention is the Straw
+    that Broke the Camel’s Back)
+-   [\[11\]](#ftnt_ref11){#ftnt11} [Danielle Kehl, Andi Wilson, Kevin
+    Bankston: Doomed to repeat history? Lessons from the Crypto Wars of
+    the
+    1990s](https://static.newamerica.org/attachments/3407-doomed-to-repeat-history-lessons-from-the-crypto-wars-of-the-1990s/Crypto%252520Wars_ReDo.7cb491837ac541709797bdf868d37f52.pdf)
+-   [\[12\]](#ftnt_ref12){#ftnt12} [Matthias Schulze, Going Dark?
+    Dilemma zwischen sicherer, privater Kommunikation und den
+    Sicherheitsinteressen von
+    Staaten.](http://www.bpb.de/apuz/259141/going-dark?p%253Dall)
+    (Dilemma between secure, private communication and the security
+    interests of states.)
+-   [\[13\]](#ftnt_ref13){#ftnt13} [Peter Swire, The FBI Doesn’t Need
+    More Access: We’re Already in the Golden Age of
+    Surveillance](https://www.justsecurity.org/17496/fbi-access-golden-age-surveillance/)
+    and [Matthias Schulze: Clipper Meets Apple vs. FBI—A Comparison of
+    the Cryptography Discourses from 1993 and
+    2016](https://www.cogitatiopress.com/mediaandcommunication/article/view/805)
+-   [\[14\]](#ftnt_ref14){#ftnt14} [Sven Herpig: A Framework for
+    Government Hacking in Criminal
+    Investigations](https://www.stiftung-nv.de/sites/default/files/framework_for_government_hacking_in_criminal_investigations.pdf)
+-   [\[15\]](#ftnt_ref15){#ftnt15} [Matthias Schulze: Verschlüsselung in
+    Gefahr](https://www.swp-berlin.org/publikation/verschluesselung-in-gefahr/)
+    (Encryption in danger) and [Cathleen Berger: Is Germany
+    (involuntarily) setting a global digital
+    agenda?](https://medium.com/@_cberger_/is-germany-involuntarily-setting-a-global-digital-agenda-21c7eb735e26)
+-   [\[16\]](#ftnt_ref16){#ftnt16} [Reporter ohne Grenzen: Russland
+    kopiert Gesetz gegen
+    Hassbotschaften](https://www.reporter-ohne-grenzen.de/russland/alle-meldungen/meldung/russland-kopiert-gesetz-gegen-hassbotschaften/)
+    (Russia copied law against hate messages)
+-   [\[17\]](#ftnt_ref17){#ftnt17} [bitkom: Spionage, Sabotage und
+    Datendiebstahl – Wirtschaftsschutz in der
+    Industrie](https://www.bitkom.org/sites/default/files/file/import/181008-Bitkom-Studie-Wirtschaftsschutz-2018-NEU.pdf)
+    (Espionage, sabotage and data theft – economic protection in
+    industry)
author	46halbe <46halbe@berlin.ccc.de>	2019-06-14 16:47:27 +0000
committer	46halbe <46halbe@berlin.ccc.de>	2020-05-23 13:40:21 +0000
commit	301f60024f704dba01ecaba7bd5cf92e567f2269 (patch)
tree	11cedcd5b29f18fab0b1982d8f9e3d89bde941f3 /updates/2019
parent	bdd69b4b68f985cb9b6282cef3b570f7b62fb535 (diff)

diff --git a/updates/2019/encrypted-messengers.en.md b/updates/2019/encrypted-messengers.en.md new file mode 100644 index 00000000..075bd335 --- /dev/null +++ b/updates/2019/encrypted-messengers.en.md
@@ -0,0 +1,298 @@
	1	title: IT security: CCC against weakening of encryption by law
	2	date: 2019-06-11 20:42:46
	3	updated: 2019-06-14 16:47:27
	4	author: linus
	5	tags: update, pressemitteilung, verschlüsselung, bmi
	6
	7	Chaos Computer Club (CCC) signed the open letter against backdoors.
	8
	9	<!-- TEASER_END -->
	10
	11	TO: German Federal Ministry of the Interior, Building and Community
	12
	13	IN COPY: German Federal Foreign Office, German Federal Ministry of
	14	Justice and Consumer Protection, German Federal Ministry of Economic
	15	Affairs and Energy, German Federal Office for Information Security
	16
	17	**Subject: Planned encroachment on encryption of messenger services
	18	would have fatal consequences**
	19
	20	Ladies and Gentlemen,
	21
	22	the Federal Ministry of the Interior, Building and Community (BMI) plans
	23	a change in the law to make it easier for German police and security
	24	authorities to gain access to the digital communication of suspects in
	25	the future, according to media reports. To this end, providers of
	26	messenger services such as Whatsapp, Threema, and iMessage are to be
	27	required by law to modify their encryption technology in such a way that
	28	authorities can record the entire communication of users in cases which
	29	have generated suspicion. ([reported in
	30	Gerrman](https://www.spiegel.de/plus/horst-seehofer-greift-whatsapp-an-a-00000000-0002-0001-0000-000164076162))
	31
	32	We expressly warn against such a step and demand an immediate
	33	renunciation of this or similar political intentions at German and
	34	European level. The proposed reform would precipitously reduce the
	35	security level of millions of German Internet users, create new gateways
	36	for foreign intelligence services and Internet criminals, and massively
	37	damage Germany's international reputation as a leading location for a
	38	secure and data protection-oriented digital economy. Instead of
	39	implementing reform ideas that are years out of date, the German Federal
	40	Ministry of the Interior, Building and Community should, in our view,
	41	take a new security policy path and develop proposals that improve the
	42	work of police and security authorities without downgrading the security
	43	of IT systems and private communications in Germany as a whole.
	44
	45	Our criticism in detail:
	46
	47	## The German Crypto Policy
	48
	49	At the end of May, it became known that the Federal Ministry of the
	50	Interior, Building and Community is planning to extend the existing
	51	Telecommunications Act to encrypted messengers such as WhatsApp, Signal,
	52	Threema, Wire, and Telegram. This means in concrete terms: The operators
	53	of these services must redesign their software in such a way that the
	54	content of messages can be passed on in unencrypted form to security
	55	authorities. Should the operators refuse to do so, their services would
	56	be blocked in Germany. Representatives of the British GCHQ describe in
	57	their “Ghost Proposal”^[\[1\]](#ftnt1){#ftnt_ref1}^ what a technical
	58	implementation of the backdoors in the messenger apps could look like.
	59	This proposal has recently been strongly criticized in an open letter by
	60	an international alliance of industry, academia, and civil
	61	society.^[\[2\]](#ftnt2){#ftnt_ref2}^
	62
	63	The BMI proposal undermines twenty years of successful crypto policy in
	64	Germany.^[\[3\]](#ftnt3){#ftnt_ref3}^ In the cornerstones of the German
	65	Crypto Policy of 1999,^[\[4\]](#ftnt4){#ftnt_ref4}^ the then federal
	66	government agreed on a principle that became known under the maxim
	67	“security through encryption and security despite encryption”. This
	68	principle has since been confirmed several times by the subsequent
	69	federal governments. In 2014, Germany even expressed the ambition to
	70	become the “No. 1 encryption location”^[\[5\]](#ftnt5){#ftnt_ref5}^ in
	71	the world. A break with these commitments would cause lasting damage to
	72	Germany's IT security in administration, industry, and society.
	73
	74	## Impact on IT security
	75
	76	The planned obligation on messenger operators would result in operators
	77	being required to incorporate a vulnerability in their software. This
	78	demands a profound encroachment on the existing complex software systems
	79	of the operators. This vulnerability could be exploited by intelligence
	80	services and criminals to gain access to sensitive information from
	81	individuals, government authorities, and companies. Current
	82	examples^[\[6\]](#ftnt6){#ftnt_ref6}^ show that securing a messenger is
	83	already complex enough, without incorporating additional vulnerabilities
	84	and thus further jeopardizing IT security.
	85
	86	At the same time, this incorporation of vulnerabilities would enable
	87	employees of the operators to view communication content, something
	88	which is currently not possible. This not only increases the potential
	89	for abuse – a central storage of the required cryptographic
	90	keys^[\[7\]](#ftnt7){#ftnt_ref7}^ would also represent a primary target
	91	for attackers, which in the case of a successful attack could lead to
	92	the disclosure of the communication of all (!) users
	93	(Single-Point-of-Failure).
	94
	95	In addition, the new version of the respective messenger app with a
	96	backdoor would have to be installed as a software update. Either all
	97	German users or selected German users would receive this backdoor as an
	98	update. This process would shake consumer confidence in security updates
	99	to the core, and would thus have a lasting negative impact on IT
	100	security in Germany.
	101
	102	Should the messenger operators fail to implement the planned measure,
	103	the Ministry of the Interior plans to block their services in Germany.
	104	This would also be the only way for the authorities to deal with
	105	messengers whose encryption does not require a central operator and in
	106	which no backdoors could be implemented by regulation (e.g. Pretty Good
	107	Privacy, Off-The-Record). This would inevitably mean that there would no
	108	longer be any secure messenger communication within Germany. However, a
	109	technical implementation would be virtually impossible, especially for
	110	open source messenger apps such as Signal. It would require a dedicated
	111	IT infrastructure which deeply encroaches on civil liberties, in order
	112	to rule out the bypassing of these blocks (including blocking Virtual
	113	Private Networks \[VPNs\] and The Onion Router \[TOR\]), as criminals
	114	would be the first to attempt this.^[\[8\]](#ftnt8){#ftnt_ref8}^
	115
	116	However, this would not “only” affect German authorities (e.g. police,
	117	fire brigade, technical relief), companies and citizens in general, but
	118	also people subject to professional confidentiality (e.g. lawyers,
	119	clergymen, physicians, journalists, and parliamentarians) and other
	120	groups of persons who are in particular need of protection.
	121
	122	Meanwhile, former intelligence chiefs are increasingly arguing that in
	123	the age of cyber crime, data leaks, and espionage, the benefits of
	124	comprehensive encryption (without backdoors) more than outweigh the loss
	125	of surveillance capability. Strategic interests such as the stability of
	126	the IT sector and the IT ecosystem outweigh the tactical interests of
	127	prosecutors, such as former NSA chief Michael Hayden and former head of
	128	the British domestic intelligence service
	129	MI5.^[\[9\]](#ftnt9){#ftnt_ref9}^
	130
	131	## Empirical state of knowledge and alternatives
	132
	133	In keeping with the cornerstones of the German Crypto Policy, the German
	134	federal government decided in 1999 not to weaken encryption (including
	135	the installation of backdoors) but to use malware (“State Trojan”) to
	136	obtain data before/after encryption. For understandable reasons, the
	137	German Federal Constitutional Court set high barriers for this measure.
	138	Instead of carrying out an urgently needed needs analysis on the basis
	139	of the existing surveillance measures and the
	140	overall^[\[10\]](#ftnt10){#ftnt_ref10}^ surveillance account demanded
	141	many years ago by the Federal Constitutional Court, a regulation is now
	142	to be implemented that ignores^[\[11\]](#ftnt11){#ftnt_ref11}^ more than
	143	twenty years of scientific findings in IT security research.
	144
	145	The often cited hypothesis that secret services and law enforcement
	146	authorities no longer have access to relevant data due to encryption
	147	(going dark) has not been empirically proven to
	148	date.^[\[12\]](#ftnt12){#ftnt_ref12}^ On the contrary, technological
	149	developments in recent decades have resulted in more data being
	150	available to prosecutors than ever
	151	before.^[\[13\]](#ftnt13){#ftnt_ref13}^ The law enforcement authorities
	152	have so far documented very little regarding the number of cases where
	153	encrypted communication has actually brought investigations to a halt.
	154	Nor is there a complete overview of which alternative possibilities for
	155	collecting the necessary data are already legal in Germany and where
	156	there are still gaps.^[\[14\]](#ftnt14){#ftnt_ref14}^
	157
	158	## International spillover effects
	159
	160	If this proposal were to be implemented, it would also have a negative
	161	impact far beyond Germany's borders. Authoritarian states would refer to
	162	this regulation and request corresponding content data from the
	163	messenger operators with reference to the fact that this is technically
	164	possible, given that it is already being done in Germany. This would
	165	massively affect the communication of human rights activists,
	166	journalists, and other pursued groups ofpeople – groups of people that
	167	German foreign and development aid policy has tried to protect up to now
	168	and supports to the tune of billions of Euros annually. Germany must
	169	also be aware of its responsibility in the world in this area. By
	170	deliberately weakening secure messenger apps, Germany would jeopardize
	171	its credibility in foreign policy as an advocate of a free and open
	172	Internet.^[\[15\]](#ftnt15){#ftnt_ref15}^ The Network Enforcement Act
	173	serves here as a warning of the impact German legislation can have on
	174	the world.^[\[16\]](#ftnt16){#ftnt_ref16}^
	175
	176	## Germany as a business location
	177
	178	Administration, businesses, and consumers must be able to rely on the
	179	fact that the use of digital products and services meets the
	180	requirements for the protection of their data and the integrity of their
	181	systems. For companies in particular, this plays a major role in the
	182	choice of their production location. They establish their headquarters
	183	in those places where they know their trade secrets and customer data
	184	are protected.
	185
	186	Sabotage and industrial espionage caused 43 billion Euro damage to the
	187	industrial sector alone in 2016/2017.^[\[17\]](#ftnt17){#ftnt_ref17}^ It
	188	can be assumed that a weakening of encryption will further increase
	189	these figures, as built-in backdoors can also be abused by foreign
	190	intelligence services and criminals. If Germany wants to be an
	191	innovation-friendly and competitive business location, technical
	192	backdoors that allow access for third parties must continue to be
	193	excluded.
	194
	195	In addition, Germany is also a location for IT security companies with,
	196	among other things, a focus on encryption technologies. The
	197	trustworthiness of these companies in particular would be massively
	198	jeopardized by the planned intentions. This would weaken Germany as a
	199	location for the IT security industry as a whole, which directly
	200	contradicts the industrial policy goals of Germany and Europe.
	201
	202	We expressly warn against the planned intentions of the German Federal
	203	Ministry of the Interior, Building and Community to regulate messenger
	204	services and demand an immediate abandonment of this and similar
	205	political intentions at German and European level. In addition, an
	206	official assessment from the following bodies would be required: :
	207
	208	- The Federal Ministry for Economic Affairs and Energy (BMWi) (focus:
	209	possible damage to German industry and the digital economy),
	210	- of the German Federal Foreign Office (focus: Spillover effects,
	211	especially in authoritarian states, loss of Germany’s reputation as
	212	an established constitutional state),
	213	- German Federal Ministry of Justice and Consumer Protection (focus:
	214	loss of consumer confidence),
	215	- Federal Office for Information Security (focus: jeopardizing IT
	216	Security in Germany for the state, industry, and society).
	217
	218	Yours sincerely
	219
	220	[German version](/de/updates/2019/encrypted-messengers)
	221
	222	------------------------------------------------------------------------
	223
	224	## Links:
	225
	226	- [\[1\]](#ftnt_ref1){#ftnt1} [Ian Levy, Crispin Robinson: Principles
	227	for a More Informed Exceptional Access
	228	Debate](https://www.lawfareblog.com/principles-more-informed-exceptional-access-debate)
	229	- [\[2\]](#ftnt_ref2){#ftnt2} [Coalition Letter: Open Letter to
	230	GCHQ](https://newamericadotorg.s3.amazonaws.com/documents/Coalition_Letter_to_GCHQ_on_Ghost_Proposal_-_May_22_2019.pdf)
	231	- [\[3\]](#ftnt_ref3){#ftnt3} [Sven Herpig, Stefan Heumann: Encryption
	232	Debate in
	233	Germany](https://carnegieendowment.org/2019/05/30/encryption-debate-in-germany-pub-79215)
	234	- [\[4\]](#ftnt_ref4){#ftnt4} [Die Raven-Homepage: Eckpunkte der
	235	deutschen
	236	Kryptopolitik](https://hp.kairaven.de/law/eckwertkrypto.html) (The
	237	Cornerstones of German Crypto Policy)
	238	- [\[5\]](#ftnt_ref5){#ftnt5} [Die Bundesregierung: Digitale Agenda
	239	2014 -
	240	2017](https://www.bmwi.de/Redaktion/DE/Publikationen/Digitale-Welt/digitale-agenda.pdf?__blob%253DpublicationFile%2526v%253D3)
	241	- [\[6\]](#ftnt_ref6){#ftnt6} [Jürgen Schmidt: Kritische
	242	Sicherheitslücke gefährdet Milliarden
	243	WhatsApp-Nutzer](https://www.heise.de/security/meldung/Kritische-Sicherheitsluecke-gefaehrdet-Milliarden-WhatsApp-Nutzer-4186365.html)
	244	(Critical vulnerability threatens billions of WhatsApp users) und
	245	[Marius Mestermann: Ernster iPhone-Bug: Apple schaltet
	246	FaceTime-Gruppenanrufe
	247	ab](https://www.spiegel.de/politik/deutschland/nachrichten-am-morgen-die-news-in-echtzeit-a-1249669.html)
	248	(Apple turns off FaceTime group calls)
	249	- [\[7\]](#ftnt_ref7){#ftnt7} This is one possible implementation of
	250	these backdoors. There are also other implementation possibilities,
	251	but these are technically no less problematic.
	252	- [\[8\]](#ftnt_ref8){#ftnt8} [Matthias Schulze: Überwachung von
	253	WhatsApp und Co. Going dark? (Monitoring of WhatsApp and
	254	Co.)](http://percepticon.de/2019/06/04-going-dark/)
	255	- [\[9\]](#ftnt_ref9){#ftnt9} [Michael Hayden: The Pros and Cons of
	256	Encryption](https://www.youtube.com/watch?v%253D6HNnVcp6NYA) and
	257	[The Guardian: Ex-MI5 Chef warns against crackdown on encrypted
	258	messaging
	259	apps](https://www.theguardian.com/technology/2017/aug/11/ex-mi5-chief-warns-against-crackdown-encrypted-messaging-apps)
	260	- [\[10\]](#ftnt_ref10){#ftnt10} [Constanze Kurz:
	261	Überwachungsgesamtrechnung: Vorratsdatenspeicherung ist der Tropfen,
	262	der das Fass zum Überlaufen
	263	bringt](https://netzpolitik.org/2015/ueberwachungsgesamtrechnung-vorratsdatenspeicherung-ist-der-tropfen-der-das-fass-zum-ueberlaufen-bringt/)
	264	(Overall Surveillance Account: Blanket Data Retention is the Straw
	265	that Broke the Camel’s Back)
	266	- [\[11\]](#ftnt_ref11){#ftnt11} [Danielle Kehl, Andi Wilson, Kevin
	267	Bankston: Doomed to repeat history? Lessons from the Crypto Wars of
	268	the
	269	1990s](https://static.newamerica.org/attachments/3407-doomed-to-repeat-history-lessons-from-the-crypto-wars-of-the-1990s/Crypto%252520Wars_ReDo.7cb491837ac541709797bdf868d37f52.pdf)
	270	- [\[12\]](#ftnt_ref12){#ftnt12} [Matthias Schulze, Going Dark?
	271	Dilemma zwischen sicherer, privater Kommunikation und den
	272	Sicherheitsinteressen von
	273	Staaten.](http://www.bpb.de/apuz/259141/going-dark?p%253Dall)
	274	(Dilemma between secure, private communication and the security
	275	interests of states.)
	276	- [\[13\]](#ftnt_ref13){#ftnt13} [Peter Swire, The FBI Doesn’t Need
	277	More Access: We’re Already in the Golden Age of
	278	Surveillance](https://www.justsecurity.org/17496/fbi-access-golden-age-surveillance/)
	279	and [Matthias Schulze: Clipper Meets Apple vs. FBI—A Comparison of
	280	the Cryptography Discourses from 1993 and
	281	2016](https://www.cogitatiopress.com/mediaandcommunication/article/view/805)
	282	- [\[14\]](#ftnt_ref14){#ftnt14} [Sven Herpig: A Framework for
	283	Government Hacking in Criminal
	284	Investigations](https://www.stiftung-nv.de/sites/default/files/framework_for_government_hacking_in_criminal_investigations.pdf)
	285	- [\[15\]](#ftnt_ref15){#ftnt15} [Matthias Schulze: Verschlüsselung in
	286	Gefahr](https://www.swp-berlin.org/publikation/verschluesselung-in-gefahr/)
	287	(Encryption in danger) and [Cathleen Berger: Is Germany
	288	(involuntarily) setting a global digital
	289	agenda?](https://medium.com/@_cberger_/is-germany-involuntarily-setting-a-global-digital-agenda-21c7eb735e26)
	290	- [\[16\]](#ftnt_ref16){#ftnt16} [Reporter ohne Grenzen: Russland
	291	kopiert Gesetz gegen
	292	Hassbotschaften](https://www.reporter-ohne-grenzen.de/russland/alle-meldungen/meldung/russland-kopiert-gesetz-gegen-hassbotschaften/)
	293	(Russia copied law against hate messages)
	294	- [\[17\]](#ftnt_ref17){#ftnt17} [bitkom: Spionage, Sabotage und
	295	Datendiebstahl – Wirtschaftsschutz in der
	296	Industrie](https://www.bitkom.org/sites/default/files/file/import/181008-Bitkom-Studie-Wirtschaftsschutz-2018-NEU.pdf)
	297	(Espionage, sabotage and data theft – economic protection in
	298	industry)