Germany's proposed anti-cryptography bill: backdoors and hack-backs

This week, German authorities will introduce a law that will allow law enforcement agencies to order companies to insert back doors into their products to assist in law enforcement queries; the law is backed by Thomas de Maizière, Germany's Interior Minister.

The law will also force companies to disclose their security protocols (possibly including their signing keys) to the German government. Finally, it will permit the government to hack computers that it believes to be involved in a crime and damage them without liability.

This law is deeply troubling. Forcing manufacturers to weaken their cryptography — either for all products shipped, or by ordering them to push a poisoned update to some or all devices — also requires them to create a mechanism whereby other malicious updates can be pushed to devices, and implies that any update that appears to serve this lawful interception purpose would have to be installed without the user being able to prevent it.

Further, hacking computers that are believed to be involved in the commission of crimes creates terrible dangers. For example, in 2016 and 2017, many hospitals around the world were compromised by malware that was used to spread attacks further, to other computers. If the state can attack computers that are spreading malware, it may find itself unwittingly bricking entire hospitals.

It remains to be seen whether the law will be adopted. Germany is now in a situation reminiscent of the last years of the Obama administration, in which a far-right, authoritarian movement is growing by leaps and bounds. Any powers the current government creates for itself today may be in the hands of literal Holocaust-denying fascists before 2018 is out, depending on whether Merkel can form a government or will be forced to call another election.

The Interior Minister says that police officers are having a hard time investigating cases because smart devices warn their owners before officers can do anything about it. The Minister cites the case of smart cars that alert an owner as soon as the car is shaken, even a little bit. He says he'd like police to be able to intercept that warning and stop it when investigating a case.

De Maizière claims that companies have a "legal obligation" to introduce backdoors for the use of law enforcement agencies and he also wants to require the industry to disclose its "programming protocols" for future analysis. This latter clause could allow German officials to force companies to disclose details about their encrypted communication practices.

Germany Preparing Law for Backdoors in Any Type of Modern Device [Catalin Cimpanu/Bleeping Computer]

(via /.)

