One thing I, personally, find very interesting is that a lot of wording from the coalition contract on this and related matters is apparently taken from or at least based on [0] a document [1] released by the CCC for that very purpose. I haven't personally carefully verified this to be true, but I have no reason to distrust the linked report.

[0] https://blog.fefe.de/?ts=9f60b12e

[1] https://www.ccc.de/de/updates/2021/ccc-formulierungshilfe-regierungsprogramm

(both in German)
> There is [...] a prohibition of state authorities to keep vulnerabilities a secret.

This is another great thing. It is simply unethical to hoard vulnerabilities, as this will eventually backfire [0].

> On top of that, all future security legislation will be subject to an evaluation by a panel of independent experts who have to look into issues with any potential restrictions on freedom.

I really hope this will be people from the CCC.

[0]: https://www.theregister.com/2020/10/28/nsa_backdoor_wyden/
I think this is all fine and dandy until the new Innenminister starts his or her work early next year.

They will project the concerns of the civil service and somehow carve out enough special regulations that will all but hollow out any such rights.

I really want to believe that the majority of the coalition parties believe what they are saying, but that's not how politics are made or put into practice.

E.g., after Zimmermann, there was great hope that Germany would be a lot less conservative in its interior policy, but the following interior ministries have not really become much less conservative.

Here's to hope, though - Cheers.
It's neat how many genuinely good points regarding information security and privacy made it into the coalition agreement, but everyone knows that just because it says in the paper that a new gov't wants to do something does not mean they do it.
What does 'right to encryption' actually mean in this new plan? Can anyone explain in English?

For example, Google Translate (always dubious) gives the following*: "The state must also offer the possibility of real encrypted communication". Which may mean either 'e2e communication' or 'e2e communication except government' or even merely 'the state must create an encrypted messaging solution and allow everyone to use it, but nothing else will change' (and no one will actually use it due to the scale effects WhatsApp etc. have).

* From Cu3PO42's excellent comment: https://news.ycombinator.com/item?id=29434183
What about the EU working on mandating a backdoor though? EU law supersedes local law.

I remember another German email provider raising this last week: https://mailbox.org/en/post/chat-control-the-latest-eu-plans-to-outlaw-encryption-and-introduce-telecommunications-surveillance?nl

And https://www.patrick-breyer.de/en/posts/messaging-and-chat-control/

Other posts here mentioned it as exaggerated, but it sounds pretty detailed there. It worries me a bit because it would instantly move the EU from one of the best on privacy protections to one of the worst in the western world.
"We require all government agencies to report security vulnerabilities they are aware of to the Federal Office for Information Security (BSI) and to undergo regular external audits of their IT systems."

If some well-known agencies had done this, the loss of billions of dollars could have been avoided.

"In the future, development contracts will be regularly commissioned as open source, and the software will be made public as a matter of principle. There will be a right to encryption, and the state must also offer the option of genuine encrypted communication."

Personally I have a hard time trusting anything after Heartbleed. A very basic attack that caused havoc. It proved that the quality of open source is nowhere close to the promises of OSS. It also tells that the automatic tests are too simple, if there are any. Fact is that a student in any class about the network stack has probably already been targeted with far more complex attacks than Heartbleed.

Encryption is mandatory for most things in the EU. But the quality is difficult to evaluate.
This is great, of course, but ~50 years of hesitant, schizophrenic legislation regarding digital security leaves me hesitant that Germany will actually be a forerunner on this one.
Then they are setting up a constitutional challenge with the ECJ, just like Poland. They were on the brink of it recently, when it got hushed up 'because Poland was doing it', but this kind of thing will highlight the fact that Germany doesn't accept ECJ supremacy either. Interestingly enough, they may back off just enough so that the Germany-ECJ '40 year dispute' doesn't get inflamed, hoping that maybe after a few more decades it will just 'go away' with a German judiciary, parliament and population that just accept ECJ supremacy, even though it doesn't actually say that in any treaty.
Could someone help me understand the following sentence from the article?

> Controversial hackbacks, i.e., the hacking back of attacks, are rejected as a "means of cyber defense in principle."

Does this mean "hackbacks" are seen as cyber defense and therefore rejected, or that they are refused the name of cyber defense? Or something else? Does this mean there's intention to forbid cyber defense, esp. by govt/army?!? I'm confused by what's attempted to be communicated here. (Also, who's the presumed actor of those "hackbacks" here, govt? private entities? anyone?)
> In the future, development contracts will be regularly commissioned as open source, and the software will be made public as a matter of principle. There will be a right to encryption, and the state must also offer the option of genuine encrypted communication

Would be neat if they also mandated that all such software must be in a memory-safe language unless there's no available alternative, or there's a compelling performance reason, or the software is well-established/reviewed by experts in the field and no reasonable alternative exists.
huh, it wasn't that long ago that they outlawed the kind of "hacking tools" that would be used to verify the integrity of cipher systems... is that still on the books? My German is rustier than my Fourth, so I'm drawing a blank on a position reversal...
I approve of constitutionally guaranteeing that people can keep their communications secure, but as an American, I think the rhetorical framework surrounding the movement could be improved. We need negative rights, not positive ones.

People don't have a right *to* encryption, or a right *to* a specific computing environment, or really, a right *to* anything at all. What people do have is a right to be free of government limitations on the freedom of individuals to run whatever software they want on devices they own.

When you make something a positive right, that means it's something the government has to give you, and a government that can give you rights can take them away.

The American perspective is that people have rights just by virtue of existing, and the state can only illegally and immorally interfere with rights that you always possess, unconditionally, no matter what.

IMHO, the right framing isn't that people have a right to encryption, but that the state has no business interfering with the math people do on their own computers.
Excellent. I hope they fix the deliberate botch they made of the use of ID cards as key carriers. As far as I know the hardware is fine but the Bundestag fucked up the infrastructure.

Germany should look to Estonia who, IMHO, gets it right.
Good! German opposition and political activists desperately need good encryption to organize! Large opposition party was placed under surveillance before election, its leaders wiretapped. Today activists are monitored on Internet by secret services.
Wonderful how many good changes are happening so quickly with the new government. Merkel held power uninterrupted for over 18 years straight. The new leadership is basically Trump's campaign promise, for Germany (anti-globalist elite), but without all the backlash and manufactured outrage.

I guess these anti-globalist ideas have had enough time to percolate that even HN is supporting their fruits now.
The history of encryption it includes doesn't dwell on West Germany.

The West German government had a reputation for supporting strong crypto (unlike the East Germans and Nazis).

They were aware that many of their day-to-day communications were being intercepted by the East Germans (much as they intercepted East German communications).

Many West Germans had loved ones in East Germany who could at least in theory face negative consequences for the actions of West Germans.

West Germany simply couldn't be free without strong crypto.
In all honesty, I don't/can't value government-provided rights. The reason is governments have no basis to grant anything more than an individual.

If you think about it, if I grant you a right to privacy - what can that possibly mean to you? If not just I, but I and 10 others (or 100, or 10000) agree to grant you a right, still - what does that mean? Do you now have that right?

In fact, the position is nonsense.

The question then, is at what point do a bunch of people become a government? What is the magic number? And on what basis does a government have greater rights than the individuals it purports to represent?

The answer in reverse, is that government does not have greater rights than individuals. It does not determine morality. A majority of people might decide to rule over others - and they may be successful via their greater or co-ordinated force - but at no point does that use of force become a right. Put simply, if someone or a group or a government initiates force, that is a wrong. Re rights, you can do whatever as long as you are not harming another.

Governments are not greater than individuals. While we might go along with government diktats or government 'granting of rights', there is no moral basis for it. It is just labouring under an illusion. The government illusion is powerful, for sure, and there is malign threat therein, but at no point can government create a right that is not already existent for the individual. If some people believe it can, they are mistaken. If those people undertake the diktats of government, acting forcibly against others that have done them no wrong, they are acting immorally.

In answer to the main post then, individuals have always had a right to encryption, if it is not harming anyone. Governments have never had the (moral) 'right' to decrypt as that is stealing someone's privacy.
Governments can of course write laws to justify whatever they like, but these laws themselves need to align with morality to be 'right'.

PS I seriously don't mind being down-voted, but would rather understand what the objections are to my argument.