An open letter to the leaders of the world's governments SIGNED by organizations, companies, and individuals:
We encourage you to support the safety and security of users, companies, and governments by strengthening the integrity of communications and systems. In doing so, governments should reject laws, policies, or other mandates or
practices, including secret agreements with companies, that limit access to or undermine encryption and other secure communications tools and technologies.
Governments should not ban or otherwise limit user access to encryption in any form or otherwise prohibit the implementation or use of encryption by grade or type;
Governments should not mandate the design or implementation of "backdoors" or vulnerabilities into tools, technologies, or services;
Governments should not require that tools, technologies, or services are designed or developed to allow for third-party access to unencrypted data or encryption keys;
Governments should not seek to weaken or undermine encryption standards or intentionally influence the establishment of encryption standards except to promote a higher level of information security. No government should mandate
insecure encryption algorithms, standards, tools, or technologies; and
Governments should not, either by private or public agreement, compel or pressure an entity to engage in activity that is inconsistent with the above tenets.
Access Now, ACI-Participa, Advocacy for Principled Action in Government, Alternative Informatics Association, Alternatives, Alternatives Canada, Alternatives International, American Civil Liberties Union, American Library
Association, Amnesty International, ARTICLE 19, La Asociación Colombiana de Usuarios de Internet, Asociación por los Derechos Civiles, Asociatia pentru Tehnologie si Internet (ApTI), Association for Progressive Communications (APC), Association for
Proper Internet Governance, Australian Lawyers for Human Rights, Australian Privacy Foundation, Benetech, Bill of Rights Defense Committee, Bits of Freedom, Blueprint for Free Speech, Bolo Bhi, the Centre for Communication Governance at National Law
University Delhi, Center for Democracy and Technology, Center for Digital Democracy, Center for Financial Privacy and Human Rights, the Center for Internet and Society (CIS), Center for Media, Data and Society at the School of Public Policy of Central
European University, Center for Technology and Society at FGV Rio Law School, Chaos Computer Club, CivSource, Committee to Protect Journalists, Constitutional Alliance, Constitutional Communications, Consumer Action, Consumer Federation of America,
Consumer Watchdog, ContingenteMX, Courage Foundation, Críptica, Datapanik.org, Defending Dissent Foundation, Digitalcourage, Digitale Gesellschaft, Digital Empowerment Foundation, Digital Rights Foundation, DSS216, Electronic Frontier Finland, Electronic
Frontier Foundation, Electronic Frontiers Australia, Electronic Privacy Information Center, Engine, Enjambre Digital, Eticas Research and Consulting, European Digital Rights, Fight for the Future, Föreningen för digitala fri- och rättigheter (DFRI),
Foundation for Internet and Civic Culture (Thai Netizen Network), Freedom House, Freedom of the Press Foundation, Freedom to Read Foundation, Free Press, Free Press Unlimited, Free Software Foundation, Fundacion Acceso, Future of Privacy Forum, Future
Wise, Globe International Center, The Global Network Initiative (GNI), Global Voices Advox, Government Accountability Project, Hiperderecho, Hivos, Human Rights Foundation, Human Rights Watch, Institute for Technology and Society of Rio (ITS Rio),
Instituto Demos, the International Modern Media Institute (IMMI), International Press Institute (IPI), Internet Democracy Project, IPDANDETEC, IT for Change , IT-Political Association of Denmark, Jonction, Jordan Open Source Association, Just Net
Coalition (JNC), Karisma Foundation, Keyboard Frontline, Korean Progressive Network Jinbonet, Localization Lab, Media Alliance, Modern Poland Foundation, Movimento Mega, Myanmar ICT for Development Organization (MIDO), Net Users' Rights Protection
Association (NURPA), New America's Open Technology Institute, Niskanen Center, One World Platform Foundation, OpenMedia, Open Net Korea, Open Rights Group, Panoptykon Foundation, Paradigm Initiative Nigeria, Patient Privacy Rights, PEN American Center,
PEN International, Pirate Parties International, Point of View, Privacy International, Privacy Rights Clearinghouse, Privacy Times, Protection International, La Quadrature du Net, R3D (Red en Defensa de los Derechos Digitales), R Street Institute,
Reinst8, Restore the Fourth, RootsAction.org, Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC), Security First, SFLC.in, Share Foundation, Simply Secure, Social Media Exchange (SMEX), SonTusDatos (Artículo 12, A.C.),
Student Net Alliance, Sursiendo; Comunicación y Cultura Digital, Swiss Open Systems User Group /ch/open, TechFreedom, The Tor Project, Tully Center for Free Speech at Syracuse University, Usuarios Digitales, Viet Tan, Vrijschrift, WITNESS, World Privacy
Forum, X-Lab, Xnet, Zimbabwe Human Rights Forum
Messaging app WhatsApp has announced that it has added encryption for all voice calls and file transfers for all users.
It renders messages generally unreadable if they are intercepted, for example by criminals or law enforcement. No doubt if the security services throw all their computing might at a message then they may be able to decrypt it by brute force.
The Facebook-owned company said protecting private communication of its one billion users worldwide was one of its core beliefs . Whatsapp said:
The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us.
Users with the latest version of the app were notified about the change when sending messages on Tuesday. The setting is enabled by default.
Users should be aware that snoopers can still see a whole host of non-content data about the communication, such as who was using the app, who was being called, and for how long.
Amnesty International called the move a huge victory for free speech:
Whatsapp's roll out of the Signal Protocol, providing end to end encryption for its one billion users worldwide, is a major boost for people's ability to express themselves and communicate without fear.
This is a huge victory for privacy and free speech, especially for activists and journalists who depend on strong and trustworthy communications to carry out their work without putting their lives at greater risk.
The Hungarian ruling party wants to ban all working crypto. The parliamentary vice-president from Fidesz has asked parliament to:
Ban communication devices that [law enforcement agencies] are not able to surveil despite having the legal authority to do so.
Since any working cryptographic system is one that has no known vulnerabilities, whose key length is sufficient to make brute force guessing impractical within the lifespan of the universe, this amounts to a ban on all file-level encryption and
end-to-end communications encryption, as well as most kinds of transport encryption (for example, if your browser makes a SSL connection to a server that the Hungarian government can't subpoena, it would have no means of surveiling your communication).
A draft copy of a US law to criminalize strong encryption has been leaked online. And the internet is losing its shit.
The proposed legislation hasn't been formally published yet: the document is still being hammered out by the Senate intelligence select committee. The proposal reads:
The underlying goal is simple, when there's a court order to render technical assistance to law enforcement or provide decrypted information, that court order is carried out. No individual or company is above the law. We're still in the process of
soliciting input from stakeholders and hope to have final language ready soon.
The draft legislation, first leaked to Washington DC insider blog The Hill, is named the Compliance with Court Orders Act of 2016 , and would require anyone who makes or programs a communications product in the US to provide law enforcement with
any data they request in an intelligible format, when presented with a court order.
The bill stems from Apple's refusal to help the FBI break into the San Bernardino shooter's iPhone, but goes well beyond that case. The bill would require companies to either build a backdoor into their encryption systems or use an encryption method that
can be broken by a third party.
On example of the tech community response was from computer forensics expert Jonathan Dziarski who said:
The absurdity of this bill is beyond words. Due to the technical ineptitude of its authors, combined with a hunger for unconstitutional governmental powers, the end result is a very dangerous document that will weaken the security of America's technology
At least two other countries--Pakistan and Turkey--already have versions of such laws on the books. The Pakistan Telecommunications Authority has previously instructed the country's internet service providers to ban encrypted communication, though it's
largely VPN use, which can be used to circumvent location-based internet censorship, that has been actively restricted there, and WhatsApp is still popular. Turkey takes the anti-encryption law on its books more seriously, and used it to initially charge
Vice journalists arrested in southeastern Turkey in September 2015.
Meanwhile, France's National Assembly passed a bill in May to update its Penal Code to fine companies that don't find a way to undo their own encryption when served with a warrant in a terrorism investigation. The french? Senate version of this bill
excludes this provision, and seven members from each house will now begin a compromise.
Thanks to the attention brought to the importance of encryption via Apple vs FBI from Fight for the Future and other strong voices, Compliance with Court Orders Act of 2016 - one of the worst national security bills ever drafted - is stalled.
Signal, an encrypted messaging apt for mobile devices had its service blocked in Egypt and UAE.
Now Signal have responded by making a new release available to those territories that should make the censors thinks twice before reaching for the block option.
The new Signal release uses a technique known as domain fronting. Many popular services and CDNs, such as Google, Amazon Cloudfront, Amazon S3, Azure, CloudFlare, Fastly, and Akamai can be used to access Signal in ways that look indistinguishable from
other uncensored traffic. The idea is that to block the target traffic, the censor would also have to block those entire services. With enough large scale services acting as domain fronts, disabling Signal starts to look like disabling the internet. When
users in the two countries send a Signal message, it will look like a normal HTTPS request to www.google.com. To block Signal messages, these countries would also have to block all of google.com.
Signal , the messaging app that prides itself on circumventing government censorship, has a few new places where its flagship feature works. Last week it was Egypt, and now users in Cuba and Oman can send messages without fear of them being intercepted
and altered by lawmakers.
Two new encryption algorithms developed by the US NSA have been
rejected by an international standards body amid accusations of threatening behavior.
The Simon and Speck cryptographic tools were designed for encryption of the Internet of Things and were intended to become a global standard.
But the pair of techniques were formally rejected earlier this week by the International Organization of Standards (ISO) amid concerns that they contained a backdoor that would allow US spies to break the encryption. The process was also marred
by complaints from encryption experts of threatening behavior from American snoops.
When some of the design choices made by the NSA were questioned by experts, the US response was to personally attack the questioners. While no one has directly accused the NSA of inserting backdoors into the new standards, that was the clear
suspicion, particularly when it refused to give what experts say was a normal level of technical detail. It took 3 years for the ISO to extract technical details about the encryption. But by then the trust had been undermined and the vote went
against the standards at a meeting in the US late last year.