[Cryptography] Licensing of cryptographic services in France

[efc at disroot.org]

On Tue, 27 Aug 2024, Phillip Hallam-Baker wrote:

> At this point, we don't know what charges are going to be brought against Durov in France. It is very likely that the 'failure to
> register to provide cryptographic services' cited in the complaint is merely the equivalent of a holding charge.
> 
> That said, there is a big difference between providing cryptographic apparatus and providing cryptographic services and this is why I
> believe Signal, Session and many other companies need to consider a change of course because their current architectures make them
> sitting ducks for hostile government intervention.
> 
> We all use SMTP email for one simple reason, it is an open network any mail service provider can join. The need to control spam has
> made that a 'kinda/sorta' situation but the basic principle of many service providers, one infrastructure stands.
> 
> Every cryptographic service provider to date has been designed as a monolithic service. Signal has an open source client but you can
> only use it with the Signal service.
> 
> This is a bad situation for users. Alice and Bob can only talk if they both use the same messaging service provider. Getting someone
> to install Signal so you can talk is a non-trivial task that many journalists are unable to complete.
> 
> But it is also painting a target on the service providers and not just in France. Take the recent legislation the Tories pushed
> through in the UK which puts intercept requirements on the service providers.
> 
> An open network architecture in which each user chooses their own service provider is robust against these types of attacks. It
> doesn't matter to Alice if Signal shuts down in the UK, she can pick a different service provider that is out of the jurisdiction or
> she can become her own service provider.
> 
> The Mesh takes this a step further and makes it very easy for Alice to switch service providers so that the service provider is
> always accountable to Alice.
> 
> 
> People don't have to adopt my code, but the reason I wrote the code is precisely because I see the service provision as a point of
> pressure that puts the operators of those services at risk. I have an existence proof for an alternative approach.
> 
> As a result of the cryptowars, there tends to be an oppositional approach to government regulation. But there are some legitimate
> government interests. Having experienced multiple terrorist attacks on members of my family, I would support lawful intercept if it
> was a feasible proposition. The problem being that building a cryptographic apparatus suitable for use by terrorists or the military
> who have a very high degree of interest in using it correctly is a much easier proposition than building systems suitable for use by
> civil servants which is in turn much easier than for the general public.
> 
> But there are legitimate government concerns. Providing defective cryptographic systems is harmful to government interests and
> providing a system with an undeclared backdoor for a hostile government would be a national security issue.
> 
> Another major government issue is competition. The free market is a quaint theory but as Adam Smith observed, there is a tendency of
> people in the same trade to conspire against the public. The walled garden model serves the interests of the service providers but is
> a conspiracy against the public and there is a legitimate government interest in forcing those gardens to open up.
> 
> 
> I am of course aware of the MIMI effort in IETF to produce the absolute minimum level of interoperability possible to comply with the
> regulatory requirements and turn the walled gardens into a profitable cartel. I don't think this is going to work for anyone.
>

The choking points, if push comes to shove, are the ISP:s. The government
will work with cryptography white lists, which consists of approved
corporations which are allowed to send and received encrypted traffic
through a countrys ISP:s. All the rest of the encrypted traffic will be
blocked.

Then it doesn't matter if there are multiple service providers, they will
only be allowed to use encryption after getting certified on the
government white list, which of course means leaking information at will,
when the incompetent public sector wants it.

That will push solutions based on steganography, hiding encrypted
information in non-encrypted streams. There will of course be a black
market (the market always wins in the end, despite what todays socialist
politicians want us to believe) for encrypted communication through white
listed corporations. I read an article a long time ago, that this is how
it works in china, were companies do sell internet connections to the west
if you know who to ask through the right channels.

I think, in the short term, that the west will increasingly look at, and
copy china, when it comes to the view of free speech, and building a great
firewall. But that will only push technologists and markets to up their
level, so in the end, we'll benefit. The only sad part is that it will
take a while.