Germany drafts law that will make E2EE mandatory for messengers and cloud

75 points by fariszr 1 year ago | 18 comments
  • vik0 1 year ago
    Sounds good, but it's not like it has been passed. It's just a bill

    >While the bill is still a draft and has not yet passed the German Parliament, there is reason to celebrate: For once politicians want to strengthen encryption, not undermine it.

    Again, it's just a bill. Is there even any realistic support from German MPs for this bill to get passed? Isn't the German parliament composed of two chambers? Can it pass in both chambers?

    Also, even if it does get passed, is there some catch? I looked at the bill[1], but I don't understand German, hoping that someone who does can answer that

    [1]https://cdn.netzpolitik.org/wp-upload/2024/02/2024-02-07_BMD...

    • jonp888 1 year ago
      A parliamentary system as used in Germany works rather differently than the three-way bun fight in the US.

      The government wrote the law, not individual parliamentarians (for that reason we don't call them "lawmakers"). The first lines at the top of the PDF say "Reference Draft of the Ministry of Digitalisation and Transport".

      The government is made up like it is, because it has majority control of the parliament. The members of the parties usually do what they are told, partly because they won't get a job in the government if they rebel against party policy.

      If the government couldn't get its own laws through the parliament, this would be extremely embarrassing for them and the government would probably collapse and be replaced by a new government, so they will not introduce any bill unless they have resolved conflicts which would prevent it from passing.

      There is a second house. Similar to the US, it has a handful of representatives from each federal state. However, these representatives are appointed by the state governments and are required to vote according to instructions received from the state governments. Also, they only have to be consulted about certain types of laws. It is extremely rare that they veto anything passed by the main parliament.

      So there will be some debate and probably some amendments, but the chances that the government tries to do something and completely fails are low. Conflicts are solved through negotiation and it's in no one's interest to grandstand. Bear in mind that almost all governments in Germany are multi-party coalitions, so the best way to ensure you never have any power is to refuse to compromise.

      • matchamatcha 1 year ago
        If I understood correctly, businesses are merely obligated to offer E2EE, where technically possible, and certain user data can still be given to law enforcement (while encrypted?).
        • Ylpertnodi 1 year ago
          >Sounds good, but it's not like it has been passed. It's just a bill.

          As was their decriminalisation of cannabis a bill. ...roll on April 1.

        • fariszr 1 year ago
          > The new law sets a new standard: People should be able to use end-to-end encryption "wherever it is technically possible". In the text it is explained why this clear requirement to cloud providers is necessary: "Although end-to-end encryption is now the industry standard, individual messenger services do not use end-to-end encryption or only use it for certain functions, without this being justified by technical restrictions."

          It's only mandatory where it's technically possible, Gmail, Instagram, Telegram and others are the ones likely to be affected.

          • lxgr 1 year ago
            I agree on Instagram and Telegram, but how on earth would you introduce E2EE to Gmail?

            Encrypt emails on ingress into Google? That would still not be end-to-end, though.

            • sigmoid10 1 year ago
              Gmail already offers E2EE for organisations since 2022. You can have your own keys and everything is locally encrypted/decrypted in the client. Google servers only see the header.
              • braiamp 1 year ago
                Yeah, mail not controlled by the user will still be not E2EE, since Gmail needs to store it. What this could do is force mailing providers to use encryption (I do not know of a major one that doesn't).
                • bennyhill 1 year ago
                  It is technically possible to add all the support necessary to work with PGP or S/MIME encrypted emails directly in the client. I.e. ProtonMail implemented this.
                  • bawolff 1 year ago
                    I mean, PGP and S/MIME are the two standards in this space. Both have significant deployment challenges and don't really match user needs.
                  • karmakaze 1 year ago
                    Technically it may all be possible using homomorphic encryption--it's not however practical.
                  • cj 1 year ago
                    What is the definition of end to end encryption?

                    Is my HTTPS connection end to end encrypted if there’s a CDN terminating and re-establishing TLS at the edge?

                    What if I terminate TLS at the load balancer and clear text to servers in a private subnet?

                    The above wouldn’t be end to end IMO.

                    True end to end IMO means the communication provider is unable to see the contents of the message. Basically public/private key encryption with no middleman.

                    This obviously breaks email spam filtering systems (unless it’s all moved client side, or unless you give Google your key, in which case Google can decrypt your emails, so what’s the point?). Unless we water down the definition of “end to end” to mean between companies rather than user to user.

                    True E2E encryption is difficult when you want to do any processing in the cloud (e.g. Google photos making images searchable - I suppose this is why the Photos app on Mac drives CPU to 100% for a couple days when syncing photos to a new computer, seems like Apple is doing a lot of on-device processing which seems like the opposite direction many other companies are going)

                    • braiamp 1 year ago
                      > What is the definition of end to end encryption?

                      That the encryption is kept from the emitter to the receptor in a way that no intermediary should be able to read the plain text. In other words, that once it's encrypted by one end, it is only decrypted on the other end.

                      Also, mail providers wouldn't be required, because they are the end of the communication, not the user.

                    • spiffytech 1 year ago
                      I've had Google Translate translate the draft bill PDF into English:

                      https://f001.backblazeb2.com/file/spiffytech-public/german_e...

                      • gndk 1 year ago
                        Germany's solution for everything is more regulation. It works wonderfully so far, so this will definitely contribute to further economic growth. Wir schaffen das!

                        Has the term "privacy washing" been coined already?

                        • V__ 1 year ago
                          Isn't it already mandatory as part of GDPR?

                          > the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

                          (a) the pseudonymisation and encryption of personal data;

                          [1] https://gdprhub.eu/Article_32_GDPR

                          • bawolff 1 year ago
                            There is a difference between e2ee and just encryption. Article 32 seems to only be requiring encryption at rest (and maybe transit) but not e2ee.
                            • cccbbbaaa 1 year ago
                              The important points here are “Taking into account the state of the art” and “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. For example, this case is cited in the page linked above:

                              https://gdprhub.eu/index.php?title=IMY_(Sweden)_-_DI-2021-43...

                              > Sending an e-mail containing sensitive data with enforced TLS-encryption instead of end-to-end encryption was deemed insufficient secured under Article 32(1) GDPR.
