
    “War upon end-to-end encryption”: EU wants Big Tech to scan private messages

    news.movim.eu / ArsTechnica · Wednesday, 11 May - 18:05 · 1 minute


A European Commission proposal could force tech companies to scan private messages for child sexual abuse material (CSAM) and evidence of grooming, even when those messages are supposed to be protected by end-to-end encryption.

Online services that receive "detection orders" under the pending European Union legislation would have "obligations concerning the detection, reporting, removal and blocking of known and new child sexual abuse material, as well as solicitation of children, regardless of the technology used in the online exchanges," the proposal says. The plan calls end-to-end encryption an important security tool but essentially orders companies to break that end-to-end encryption by whatever technological means necessary:

In order to ensure the effectiveness of those measures, allow for tailored solutions, remain technologically neutral, and avoid circumvention of the detection obligations, those measures should be taken regardless of the technologies used by the providers concerned in connection to the provision of their services. Therefore, this Regulation leaves to the provider concerned the choice of the technologies to be operated to comply effectively with detection orders and should not be understood as incentivising or disincentivising the use of any given technology, provided that the technologies and accompanying measures meet the requirements of this Regulation.

That includes the use of end-to-end encryption technology, which is an important tool to guarantee the security and confidentiality of the communications of users, including those of children. When executing the detection order, providers should take all available safeguard measures to ensure that the technologies employed by them cannot be used by them or their employees for purposes other than compliance with this Regulation, nor by third parties, and thus to avoid undermining the security and confidentiality of the communications of users.

A questions-and-answers document describing the plan emphasizes the importance of scanning end-to-end encrypted messages. "NCMEC [National Center for Missing and Exploited Children] estimates that more than half of its CyberTipline reports will vanish with end-to-end encryption, leaving abuse undetected, unless providers take measures to protect children and their privacy also on end-to-end encrypted services," it says.


    Researcher refuses Telegram’s bounty award, discloses auto-delete bug

    news.movim.eu / ArsTechnica · Monday, 4 October, 2021 - 14:12


Telegram patched another image self-destruction bug in its app earlier this year. This flaw was a different issue from the one reported in 2019. But the researcher who reported the bug isn't pleased with Telegram's months-long turnaround time—and an offered $1,159 (€1,000) bounty award in exchange for his silence.

Self-destructed images remained on the device

Like other messaging apps, Telegram allows senders to set communications to "self-destruct," such that messages and any media attachments are automatically deleted from the device after a set period of time. Such a feature offers extended privacy to both the senders and the recipients intending to communicate discreetly.

In February 2021, Telegram introduced a set of such auto-deletion features in its 2.6 release:


    WhatsApp “end-to-end encrypted” messages aren’t that private after all

    news.movim.eu / ArsTechnica · Wednesday, 8 September, 2021 - 21:33

The security of Facebook's popular messaging app leaves several rather important devils in its details. (credit: WhatsApp)

Yesterday, independent newsroom ProPublica published a detailed piece examining the popular WhatsApp messaging platform's privacy claims. The service famously offers "end-to-end encryption," which most users interpret as meaning that Facebook, WhatsApp's owner since 2014, can neither read messages itself nor forward them to law enforcement.

This claim is contradicted by the simple fact that Facebook employs about 1,000 WhatsApp moderators whose entire job is—you guessed it—reviewing WhatsApp messages that have been flagged as "improper."

End-to-end encryption—but what’s an “end”?

This snippet from WhatsApp's security and privacy page seems easy to misinterpret. (credit: Jim Salter)

The loophole in WhatsApp's end-to-end encryption is simple: the recipient of any WhatsApp message can flag it. Once flagged, the message is copied on the recipient's device and sent as a separate message to Facebook for review.


    Zoom to pay $85M for lying about encryption and sending data to Facebook and Google

    news.movim.eu / ArsTechnica · Monday, 2 August, 2021 - 19:51 · 1 minute

Technical preview of Zoom's end-to-end encryption, made available months after Zoom was caught lying to users about how it encrypts video calls. (credit: Zoom)

Zoom has agreed to pay $85 million to settle claims that it lied about offering end-to-end encryption and gave user data to Facebook and Google without the consent of users. The settlement between Zoom and the filers of a class-action lawsuit also covers security problems that led to rampant "Zoombombings."

The proposed settlement would generally give Zoom users $15 or $25 each and was filed Saturday at US District Court for the Northern District of California. It came nine months after Zoom agreed to security improvements and a "prohibition on privacy and security misrepresentations" in a settlement with the Federal Trade Commission, but the FTC settlement didn't include compensation for users.

As we wrote in November, the FTC said that Zoom claimed it offers end-to-end encryption in its June 2016 and July 2017 HIPAA compliance guides, in a January 2019 white paper, in an April 2017 blog post, and in direct responses to inquiries from customers and potential customers. In reality, "Zoom did not provide end-to-end encryption for any Zoom Meeting that was conducted outside of Zoom's 'Connecter' product (which are hosted on a customer's own servers), because Zoom's servers—including some located in China—maintain the cryptographic keys that would allow Zoom to access the content of its customers' Zoom Meetings," the FTC said. In real end-to-end encryption, only the users themselves have access to the keys needed to decrypt content.


    Hong Kong downloads of Signal surge as residents fear crackdown

    news.movim.eu / ArsTechnica · Wednesday, 8 July, 2020 - 16:20 · 1 minute


The secure chat app Signal has become the most downloaded app in Hong Kong on both Apple's and Google's app stores, Bloomberg reports, citing data from App Annie. The surging interest in encrypted messaging comes days after the Chinese government in Beijing passed a new national security law that reduced Hong Kong's autonomy and could undermine its traditionally strong protections for civil liberties.

The 1997 handover of Hong Kong from the United Kingdom to China came with a promise that China would respect Hong Kong's autonomy for 50 years following the handover. Under the terms of that deal, Hong Kong residents should have continued to enjoy greater freedom than people on the mainland until 2047. But recently, the mainland government has appeared to renege on that deal.

Civil liberties advocates see the national security law approved last week as a major blow to freedom in Hong Kong. The New York Times reports that "the four major offenses in the law—separatism, subversion, terrorism and collusion with foreign countries—are ambiguously worded and give the authorities extensive power to target activists who criticize the party, activists say." Until now, Hong Kongers faced trial in the city's separate, independent judiciary. The new law opens the door for dissidents to be tried in mainland courts with less respect for civil liberties or due process.
