
      Backdoors that let cops decrypt messages violate human rights, EU court says

      news.movim.eu / ArsTechnica · Wednesday, 14 February - 19:49

    Building of the European Court of Human Rights in Strasbourg (France). (credit: SilvanBachmann | iStock / Getty Images Plus)

    The European Court of Human Rights (ECHR) has ruled that weakening end-to-end encryption disproportionately risks undermining human rights. The international court's decision could potentially disrupt the European Commission's proposed plans to require email and messaging service providers to create backdoors that would allow law enforcement to easily decrypt users' messages.

    This ruling came after Russia's intelligence agency, the Federal Security Service (FSS), began requiring Telegram to share users' encrypted messages to deter "terrorism-related activities" in 2017, ECHR's ruling said. A Russian Telegram user alleged that FSS's requirement violated his rights to a private life and private communications, as well as all Telegram users' rights.

    The Telegram user was apparently disturbed, moving to block required disclosures after Telegram refused to comply with an FSS order to decrypt messages on six users suspected of terrorism. According to Telegram, "it was technically impossible to provide the authorities with encryption keys associated with specific users," and therefore, "any disclosure of encryption keys" would affect the "privacy of the correspondence of all Telegram users," the ECHR's ruling said.


      Apple warns proposed UK law will affect software updates around the world

      news.movim.eu / ArsTechnica · Monday, 29 January - 21:08


    Apple is "deeply concerned" that proposed changes to a United Kingdom law could give the UK government unprecedented power to "secretly veto" privacy and security updates to its products and services, the tech giant said in a statement provided to Ars.

    If passed, potentially this spring, the amendments to the UK's Investigatory Powers Act (IPA) could deprive not just UK users, but all users globally of important new privacy and security features, Apple warned.

    "Protecting our users’ privacy and the security of their data is at the very heart of everything we do at Apple," Apple said. "We’re deeply concerned the proposed amendments" to the IPA "now before Parliament place users' privacy and security at risk."


      Meta defies FBI opposition to encryption, brings E2EE to Facebook, Messenger

      news.movim.eu / ArsTechnica · Thursday, 7 December - 17:06

    An iPhone screen displays the app icons for WhatsApp, Messenger, Instagram, and Facebook in a folder titled

    (credit: Getty Images | Chesnot)

    Meta has started enabling end-to-end encryption (E2EE) by default for chats and calls on Messenger and Facebook despite protests from the FBI and other law enforcement agencies that oppose the widespread use of encryption technology. "Today I'm delighted to announce that we are rolling out default end-to-end encryption for personal messages and calls on Messenger and Facebook," Meta VP of Messenger Loredana Crisan wrote yesterday.

    In April, a consortium of 15 law enforcement agencies from around the world, including the FBI and ICE Homeland Security Investigations, urged Meta to cancel its plan to expand the use of end-to-end encryption. The consortium complained that terrorists, sex traffickers, child abusers, and other criminals will use encrypted messages to evade law enforcement.

    Meta held firm, telling Ars in April that "we don't think people want us reading their private messages" and that the plan to make end-to-end encryption the default in Facebook Messenger would be completed before the end of 2023. Meta also plans default end-to-end encryption for Instagram messages but has previously said that may not happen this year.


      Meta plan to make Facebook messages more secure faces law enforcement backlash

      news.movim.eu / ArsTechnica · Wednesday, 19 April, 2023 - 19:12

    Digital illustration showing a padlock on top of computer circuit boards.

    (credit: Getty Images | Olemedia)

    The long-running battle over encryption between tech companies and law enforcement continues, with law enforcement agencies around the world calling on Meta to cancel plans for end-to-end encryption of Facebook and Instagram messages.

    End-to-end encryption (often called "E2EE") boosts security and privacy for all users, whether law-abiding or not. But government officials have long opposed plans to make the technology more widely available, citing the risk that terrorists, sex traffickers, child abusers, and other criminals will use encrypted messages to evade law enforcement.

    The latest call to abandon encryption plans was made today by the Virtual Global Taskforce, a consortium of 15 law enforcement agencies including two from the US: the FBI and ICE Homeland Security Investigations. The task force focuses specifically on child sexual abuse; other members include Europol and agencies from the UK, Canada, Colombia, Australia, New Zealand, Kenya, the Philippines, the United Arab Emirates, the Netherlands, and South Korea.


      Messenger billed as better than Signal is riddled with vulnerabilities

      news.movim.eu / ArsTechnica · Tuesday, 10 January, 2023 - 13:43 · 1 minute


    Academic researchers have discovered serious vulnerabilities in the core of Threema, an instant messenger that its Switzerland-based developer says provides a level of security and privacy “no other chat service” can offer. Despite the unusually strong claims and two independent security audits Threema has received, the researchers said the flaws completely undermine assurances of confidentiality and authentication that are the cornerstone of any program sold as providing end-to-end encryption, typically abbreviated as E2EE.

    Threema has more than 10 million users, which include the Swiss government, the Swiss army, German Chancellor Olaf Scholz, and other politicians in that country. Threema developers advertise it as a more secure alternative to Meta’s WhatsApp messenger. It’s among the top Android apps for a fee-based category in Switzerland, Germany, Austria, Canada, and Australia. The app uses a custom-designed encryption protocol in contravention of established cryptographic norms.

    The seven deadly flaws

    Researchers from the Zurich-based ETH research university reported on Monday that they found seven vulnerabilities in Threema that seriously call into question the true level of security the app has offered over the years. Two of the vulnerabilities require no special access to a Threema server or app to cryptographically impersonate a user. Three vulnerabilities require an attacker to gain access to a Threema server. The remaining two can be exploited when an attacker gains access to an unlocked phone, such as at a border crossing.


      WhatsApp just made it harder to censor citizens with Internet shutdowns

      news.movim.eu / ArsTechnica · Thursday, 5 January, 2023 - 21:09


    To ring in the new year, WhatsApp introduced a new feature to help people circumvent government-imposed Internet shutdowns that the United Nations said last summer work to undermine human rights.

    “To help, today we’re launching proxy support for WhatsApp users all over the world,” WhatsApp’s statement said. “What this means is we’re putting the power into people’s hands to maintain access to WhatsApp if their connection is blocked or disrupted.”

    WhatsApp’s new proxy support feature enables users to “connect to WhatsApp through servers set up by volunteers and organizations around the world dedicated to helping people communicate freely.” It also allows users to set up their own proxy servers to help others connect to the app. The feature is currently available to all users running the most updated version of the app.


      “War upon end-to-end encryption”: EU wants Big Tech to scan private messages

      news.movim.eu / ArsTechnica · Wednesday, 11 May, 2022 - 18:05 · 1 minute

    Illustration of an eye on a digital background.

    (credit: Getty Images | Yuichiro Chino)

    A European Commission proposal could force tech companies to scan private messages for child sexual abuse material (CSAM) and evidence of grooming, even when those messages are supposed to be protected by end-to-end encryption.

    Online services that receive "detection orders" under the pending European Union legislation would have "obligations concerning the detection, reporting, removal and blocking of known and new child sexual abuse material, as well as solicitation of children, regardless of the technology used in the online exchanges," the proposal says. The plan calls end-to-end encryption an important security tool but essentially orders companies to break that end-to-end encryption by whatever technological means necessary:

    In order to ensure the effectiveness of those measures, allow for tailored solutions, remain technologically neutral, and avoid circumvention of the detection obligations, those measures should be taken regardless of the technologies used by the providers concerned in connection to the provision of their services. Therefore, this Regulation leaves to the provider concerned the choice of the technologies to be operated to comply effectively with detection orders and should not be understood as incentivising or disincentivising the use of any given technology, provided that the technologies and accompanying measures meet the requirements of this Regulation.

    That includes the use of end-to-end encryption technology, which is an important tool to guarantee the security and confidentiality of the communications of users, including those of children. When executing the detection order, providers should take all available safeguard measures to ensure that the technologies employed by them cannot be used by them or their employees for purposes other than compliance with this Regulation, nor by third parties, and thus to avoid undermining the security and confidentiality of the communications of users.

    A questions-and-answers document describing the plan emphasizes the importance of scanning end-to-end encrypted messages. "NCMEC [National Center for Missing and Exploited Children] estimates that more than half of its CyberTipline reports will vanish with end-to-end encryption, leaving abuse undetected, unless providers take measures to protect children and their privacy also on end-to-end encrypted services," it says.
