EU Council resolution draft: security despite encryption?
Good morning nexiane, sorry, I am more long-winded than usual in this message, but I would like to be exhaustive.

In short, what does the European Council intend (and the Commission? and the Parliament?) with regard to E2E encryption?!? Is it someone's paranoia, or are they preparing to dismantle the E2E encryption of the "platforms"? ... and of software in general? Will they make decentralised communication software with E2E encryption such as Jami https://jami.net/ Delta.Chat https://delta.chat/it/ and the like illegal?

Because I have read everything and I have followed this matter "forever"... and I don't understand; rather, from what I do understand, I worry. They want to prevent E2E encryption from being used by criminals without a competent authority being able to intercept the content: so what would the "balance" between the right to confidentiality and the fight against crime be? Reading the Council draft, the "balance" would essentially be to harmonise the EU "legal framework" in order to allow the competent authorities to carry out their operational tasks (interception) effectively, OBVIOUSLY all in a lawful manner, ça va sans dire!

So?!? Will the competent authorities have access to the cleartext information because there is a backdoor in the software (and what about free software?!?) or a "master key" able to decrypt everything? It seems that the official sources swear they are not even remotely thinking of a ban on E2EE, nor of a "backdoor-style" compromise... but then what? A "master key" injected everywhere?

A modest suggestion: how about stopping being obsessed with E2E encryption and getting organised to *infiltrate* criminal organisations using their own digital means, while comfortably seated at the desks of the competent authorities' operations centres?

Here is what I am referring to: in this article of 9 November last, https://stemcelllove.com/2020/11/eu-resolution-draft-seeks-to-bypass-encrypt...
«EU Resolution Draft Seeks to Bypass Encryption» refers to an article https://fm4.orf.at/stories/3008930/ (in German) by the Austrian radio station radioFM24, part of ORF (the Austrian national broadcaster); here is an extract of the gist of the argument the ORF article *would* make:

--8<---------------cut here---------------start------------->8---
An Austrian news outlet reported that the Council of the European Union has nearly completed a resolution, "made ready within five days," that would require applications such as WhatsApp and Signal to have a "master key" for monitoring end-to-end (E2E)-encrypted chats and messages. ORF.at claims to have received an internal document dated November, addressed from the German Presidency to the delegations of the member states in the Council.

The alleged revised version of the Draft Council Resolution on Encryption argues that, while encryption is "a necessary means of protecting fundamental rights and the digital security of governments, industry and society," which should be "promoted and developed," the European Union also must "ensure the ability of competent authorities in the area of security and criminal justice [...] to exercise their lawful powers, both online and offline."

That said, an increasing number of communication channels, instant messaging apps, and other online platforms implementing E2E encryption has brought "great opportunities" and "considerable challenges" – namely "the potential for exploitation for criminal purposes," stands in the draft. Therefore, law enforcement has to increasingly depend on access to individual electronic devices during their investigations of terrorism, organized crime, child sexual abuse, etc. However, sometimes doing this is "extremely challenging or practically impossible despite the fact that the access to such data would be lawful," argues the draft.
“Technical solutions for gaining access to encrypted data must comply with the principles of legality, transparency, necessity and proportionality,” it adds, inviting governments, industry, research and academia to work together on creating a balance. “There is a clear need to review the effects arising from different regulatory frameworks in order to develop further a consistent regulatory framework across the EU that would allow competent authorities to carry out their operational tasks effectively.” The document makes no mention of either a master key or a ban. ORF.at stated that the topic will be discussed between the French President Emmanuel Macron and the Austrian Chancellor Sebastian Kurz in a video conference at the beginning of the week, claiming that the resolution “has already been voted on in the Council,” and “has already been agreed to such an extent that it can be passed in the video conference of the interior and justice ministers at the beginning of December without further discussion.” What we know from the document is that, if there are no further objections or comments, this resolution will be adopted in the Standing Committee on Operational Cooperation on Internal Security (COSI) on November 19, and submitted to the Committee of the Permanent Representatives of the Governments of the Member States to the European Union (COREPER) six days later, “followed by adoption by the Council via written procedure.” ORF.at, however, argued that the decision will be made in a virtual meeting at the beginning of December, after which the Council will draw up a draft regulation and put it through the usual procedure by the European Parliament, though it might be possible “to implement the planned regulation in its core even without the involvement of the Parliament,” as has already happened in connection with surveillance, claimed the article. 
--8<---------------cut here---------------end--------------->8---

The leaked document was published here: https://files.orf.at/vietnam2/files/fm4/202045/783284_fh_st12143-re01en20_78... (vietnam2?!?!? interesting subfolder :-O )

Here is the text, transcribed from the PDF:

--8<---------------cut here---------------start------------->8---
Brussels, 6 November 2020 (OR. en)
12143/1/20 REV 1
NOTE
From: Presidency
To: Delegations
Subject: Draft Council Resolution on Encryption - Security through encryption and security despite encryption

Delegations will find in attachment the revised version [1] of the Draft Council Resolution on Encryption. It reflects the comments received from the Member States before and during the informal VTC meeting of JHA Counsellors (Encryption) on 3 November 2020. Unless delegations send in further substantive comments, accompanied by concrete wording suggestions, by 12 November 2020 noon, to [OMITTED, ed.], the Presidency intends to present this revised text for endorsement to COSI (VTC) on 19 November 2020, in view of further submission to COREPER (I-item) on 25 November 2020, followed by adoption by the Council via written procedure. Please be advised that the form of the document has been adjusted to a "Council resolution", so that the text could be processed for adoption via a written procedure by the Council in case it takes place in a VTC format.

[1] Changes compared to the previous version are marked in *bold* and /strikethrough/

1. Preamble: Security through encryption and security despite encryption

The European Union fully supports the development, implementation and use of strong encryption. Encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry and society.
At the same time, the European Union needs to ensure the ability of *competent authorities in the area of security and criminal justice, e.g.* law enforcement and judicial authorities, to exercise their lawful powers, both online and offline. According to the European Council conclusions of 1-2 October 2020 (EUCO 13/20), the EU will leverage its tools and regulatory powers to help shape global rules and standards. It was agreed that funds under the Recovery and Resilience Facility would be used to advance objectives such as enhancing the EU's ability to protect itself against cyber threats, to provide for a secure communication environment, especially through quantum encryption, and to ensure access to data for judicial and law enforcement purposes.

2. Current use/state of encryption

In today's world, encryption technology is increasingly used in all areas of public and private life. It is a means to protect governments, *critical infrastructures*, civil society, citizens and industry by ensuring the privacy, *confidentiality* and *data integrity* of communications and personal data: it is evident that all parties benefit from high-performance encryption technology. Encryption has been identified by EU data protection authorities as an important tool contributing for instance to the protection of personal data transferred outside the EU *but subject to the requirement of an essentially equivalent level of protection*, which according to the Court of Justice is a legal requirement for data transfers [2]. Not only are electronic devices and applications increasingly programmed to encrypt stored user data by default, but more and more communication channels are also secured by end-to-end (E2E) encryption. This is positively reflected in an increasing response by the communication and application industry, where the majority of instant messaging apps and other online platforms have also implemented end-to-end encryption.

[2] Judgment of 16 July 2020 in Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems, ECLI:EU:C:2020:559.

3. Challenges for ensuring public *security*

"Digital life" and cyberspace not only present great opportunities, but also considerable challenges: the digitalisation of modern societies brings with it certain vulnerabilities and the potential for *exploitation for criminal purposes*. Thus criminals can include readily available, off-the-shelf encryption solutions designed for legitimate purposes in their modi operandi [3]. At the same time law enforcement is increasingly dependent on access to electronic evidence to effectively fight terrorism, organised crime, child sexual abuse (particularly its online aspects), as well as a variety of cyber-enabled crimes. *For competent authorities, access to electronic evidence is not only essential to conduct successful investigations and thereby* bring criminals to justice*, but also to protect victims and help ensure security*. However, there are instances where encryption renders analysis of the content of communications in the framework of access to electronic evidence extremely challenging *or practically impossible despite the fact that the access to such data would be lawful*. Independently of the technological environment of the day, it is therefore essential to preserve the powers of *competent* authorities *in the area of security and criminal justice* through lawful access to carry out their tasks, as prescribed and authorised by law. Such laws providing for the enforcement powers must always fully respect due process and other safeguards, as well as other freedoms and rights, in particular the right to respect for private life and communications and the right to the protection of personal data.

[3] iOCTA 2020, p. 25

4. Creating a *better* balance

The principle of security through encryption and security despite encryption must be upheld in its entirety. The European Union continues to support strong encryption. Encryption is an anchor of confidence in digitalisation and *in protection of fundamental rights and* should be promoted and developed. Protecting the privacy and security of communications through encryption and at the same time upholding the possibility for *competent* authorities *in the area of security and criminal justice* to lawfully access relevant data for legitimate, clearly defined purposes in fighting serious *and/or organized* crimes *and terrorism*, including in the digital world, are extremely important. Any actions taken have to balance these interests carefully.

5. Joining forces with the tech industry

Moving forward, the European Union strives to establish an active discussion with the technology industry, *while associating research and academia,* to ensure the continued implementation and use of strong encryption technology. *Competent* authorities must be able to access data in a lawful and targeted manner, in full respect of fundamental rights and the data protection regime, while upholding cybersecurity. Technical solutions for gaining access to encrypted data must comply with the principles of legality, *transparency*, necessity and proportionality. Since there is no single way of achieving the set goals, governments, industry, *research and academia* need to work together to *strategically* create this balance.

6. Legal framework

There is a *clear* need *to review the effects arising from different regulatory frameworks in order to develop further* a *consistent* regulatory framework *across the EU* that *would allow competent authorities to carry out their operational tasks effectively. Potential technical solutions will have to enable authorities to use their investigative powers which are subject to proportionality, necessity and judicial oversight under their domestic legislation, while upholding* fundamental rights and *preserving* the advantages of encryption. Possible solutions /may need the support of service providers/ should be developed in a transparent manner *in cooperation with communication service providers. Such technical solutions could also require* improving the technical and *operational* skills and *expertise of competent* authorities to *effectively address* the challenges of digitalisation in their work on a global scale. /In line with the principle of proportionality, such measures should be prioritised./ /Developing technical tools aimed at supporting criminal proceedings, could also be considered. Such technical tools should be subject to the principles outlined in this declaration./

7. Innovative investigative capabilities

Finally, it is of paramount importance to /improve the coordination/ at EU level /aimed at/: 1) combining the efforts of all Member States and EU institutions and bodies; 2) defining and establishing innovative approaches /in view of new technologies/; 3) /analysing appropriate technical/ and /operational solutions; and/ 4) /providing tailored high quality training/. Technical /and operational/ solutions anchored /in a legal framework built/ on the principles of /legality/, necessity and proportionality should be developed in close consultation with service providers and the relevant authorities, although there should be no single prescribed technical solution to provide access to encrypted data.
--8<---------------cut here---------------end--------------->8---

-- 
Giovanni Biscuolo