Thursday 12 March 2015

De-Mail Encryption: 1990s Technology Meets 2015 Reality


Thomas de Maiziere

SumRando applauds the German government’s decision to make its state-supported email service, De-Mail, capable of end-to-end encryption by April 2015. The Bundestag’s approach to the change acknowledges a desire to meet industry standards of security without inconveniencing individuals: De-Mail clients need only download a plug-in to access Pretty Good Privacy (PGP)-level encryption.
  
Although this is clearly a step in the right direction, there are elements of De-Mail’s encryption that even David Cameron would support. According to The Associated Press, the Interior Ministry has already announced that, “When necessary to fight crime, German security services would aim to intercept messages before they are encrypted or after they have been decrypted.” Even if a message’s content remains hidden, there is no guarantee that the identity of its sender or receiver would, given that De-Mail accounts require a verified ID at setup.

Despite these threats to privacy and anonymity, Thomas de Maiziere, Germany’s Interior Minister, appears to believe that De-Mail’s encryption will move Germany to the forefront of the digital world: “Germany wants to take a leading role in the use of digital services. Encryption is an important precondition for this.” De Maiziere’s statement proves that he is yet another politician who simply doesn’t understand that privacy most of the time is as good as no privacy at all—and, therefore, will not enable a country to build the consumer trust necessary to provide reliable digital services.  

Just days before Germany’s announcement, the BBC interviewed the man behind PGP, Phil Zimmermann, at the 2015 Mobile World Congress. As if in direct warning to de Maiziere, David Grossman’s interview contrasted Zimmermann of the 1990s, a man who believed encryption equaled security, with Zimmermann today, a man cognizant of the workarounds government has found to encryption: “The NSA shifted their emphasis to being able to take over your computer. They can inject malware into your computer. And, if they can do that, it doesn’t matter how good the crypto is. They can exfiltrate the cryptographic keys…They can do all kinds of things if they can take over your computer and that’s where the intel companies are putting their energy now.”

The German government maintains that De-Mail’s end-to-end encryption will make the nation a global leader in digital services. In the 1990s, it might have. Today, however, Germany’s simultaneous promise to use malware—the very malware that Zimmermann warns renders encryption useless—to fight unspecified crime reduces Monday’s news to yet another shiny but insubstantial announcement.
