encryption

The recently spotted Telecrypt ransomware can be thwarted: malware analyst Nathan Scott has created a tool that decrypts the encrypted files.

Telecrypt Decryptor

Telecrypt Decryptor works only if the affected user has .NET 4.0 and above (every Windows version since Windows XP has it by default), and if he or she has at least one of the encrypted files in unencrypted form. It also needs to be run from an Administrator account.

The tool comes with instructions and a warning: don’t use it if you haven’t been infected with this particular ransomware, as it could corrupt some of your files.

About Telecrypt

Telecrypt was first spotted a few weeks ago, targeting Russian-speaking users.

Its specificity is that it uses Telegram’s communication protocol to deliver the decryption key to the crooks and, in general, to keep in touch with them.

The message it shows puts the ransom at 5,000 rubles (around 78 USD), and the crooks thank the victims for helping the “Young Programmers Fund.”

“Telecrypt will generate a random string to encrypt the files that is between 10-20 length and only contain the letters vo, pr, bm, xu, zt, dq,” Malwarebytes explained.

“[It] encrypts files by looping through them a SINGLE byte at a time, and then simply adding a byte from the key in order. This simple encryption method allows a decryption application to be made.”

Telecrypt is distributed in the form of an executable, via spam emails, exploits, and drive-by download schemes.

It encrypts a wide variety of files and, depending on its configuration, it either adds the extension ‘.Xcri’ to the encrypted files or leaves it unchanged.


Help Net Security

TeleCrypt, the file encryption ransomware that abuses Telegram API for communication, has had its encryption cracked just two weeks after the threat was originally detailed.

The ransomware abuses the instant messaging service Telegram for command and control (C&C) communications. What’s more, victims can send messages to the attackers using the same service. Immediately after infection, the malware creates a Telegram bot beacon to the C&C server to send various details about the compromised machine.

After installation, TeleCrypt searches the hard drive for specific files, then encrypts them and appends the .Xcri extension to them. However, security researchers say that some variations of the malware don’t change the file extension.

The ransomware’s authors would request around $ 75 from their victims to provide them with a decryptor (payments are accepted via Russian payment services Qiwi or Yandex.Money). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills.

According to Malwarebytes Labs researchers, the encryption TeleCrypt uses isn’t very strong indeed. The security researchers have already managed to create a decryption tool that allows victims to recover their files without paying the attackers. The utility requires .NET to work and for users to provide the unencrypted version of one of the encrypted files.

“Telecrypt will generate a random string to encrypt the files that is between 10-20 length and only contain the letters vo,pr,bm,xu,zt,dq. Telecrypt encrypts files by looping through them a SINGLE byte at a time, and then simply adding a byte from the key in order. This simple encryption method allows a decryption application to be made,” Malwarebytes Labs explains.

Written in Delphi, the ransomware is being distributed via spam emails, exploits, and drive-by downloads, and targets only users in Russia at the moment. Both the ransom note and an executable with GUI that is downloaded and dropped onto the infected machines, are written in Russian.

Kaspersky Lab security researchers also managed to crack the ransomware’s encryption to help victims recover their files using a free decryption tool. Involved in the NoMoreRansom initiative, Kaspersky actually helps the victims of numerous other ransomware families decrypt their files.

Related: Fake ISP Complaint Emails Distribute Locky Ransomware Variant

Related: Ransoc Ransomware Blackmails Victims

Related: CryPy Ransomware Uses Unique Key for Each File

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags:


SecurityWeek RSS Feed

The Manhattan District Attorney's Office released an updated report denouncing smartphone encryption, but experts said the data was willfully misleading.

Cyrus Vance, Jr., district attorney for New York County, released version 2.0 of the Report on Smartphone Encryption and Public Safety. According to the report, the Manhattan DA's Office has "423 Apple iPhones and iPads lawfully seized since October 2014 [that] remain inaccessible due to default device encryption." Vance said the number of inaccessible devices has been on the rise.

"While the Manhattan District Attorney's Office has been locked out of approximately 34% of all Apple devices lawfully recovered since October 2014, that number jumped to approximately 42% of those recovered in the past three months," the report said. "With over 96% of all smartphones worldwide operated by either Apple or Google, and as devices compatible with operating systems that predate default device encryption are becoming outdated, this trend is poised to continue."

Experts said there was important context information omitted from this portion of the report, notably how many total cases the Manhattan DA's Office handled over that time period in order to understand the proportion of cases influenced by inaccessible mobile devices.

Rebecca Herold, CEO of Privacy Professor, said given the population and the amount of crime in the New York area, 423 inaccessible devices collected over two years "seems very low."

"Plus, for those 400 devices, how many were they able to get metadata, logs from associated cloud services, and other data from that did help with their investigation?" Herold asked. "They should have provided those insights to support a balanced report."

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said the report also didn't mention the number of people protected by smartphone encryption.

"It's safe to estimate that the number of people protected from threat actors by iOS security is by far greater than the 400 devices in question by the Manhattan DA," Arsene said. "Encryption technologies have caused more good than harm when it comes to protecting privacy."

Matthew Gardiner, cybersecurity strategist at Mimecast, said "Apple sells approximately 50 million iPhones every quarter, and has sold approximately 1 billion since the beginning of time. Increasing the vulnerability of the vast majority of those users to open up 400 phones is not a reasonable tradeoff."

The report said "approximately 10% of the impenetrable devices pertain to homicide or attempted murder cases and 9% to sex crimes," and Arsene said these distinctions were important.

"While 400 devices might not seem like a large number, it all depends to whom those devices belong to and whether or not those individuals were involved in activities endangering national security," Arsene told SearchSecurity. "However, it's entirely possible that incriminating evidence involving terrorist or criminal activities could probably be procured from other sources, rather than relying on a single phone as a single point conviction."

Surveillance and privacy

The report discussed the potential other sources for gathering investigative data, but argued against the idea that we live in a "golden age of surveillance."

"The other sources of information may be incomplete, or unavailable to law enforcement," the report read. "They generally do not give as complete a picture of criminal liability, or as complete access to evidence relevant to a criminal investigation or prosecution, as would a mobile device."

Additionally, the report said the end-to-end encryption being added to communication apps like Facebook Messenger and WhatsApp "show that far from it being a "golden age" for law enforcement, today's criminals have means of communication that are more secure from law enforcement’s scrutiny than criminals had ever dared hope."

Experts pointed out this argument ignored two major sources of data available to investigators faced with smartphone encryption: metadata and cloud backups. Apple has admitted to providing law enforcement with metadata and iCloud backup data when presented with a valid warrant.

Arsene said there was no way to know if there was iCloud data associated with the devices in question obtained by the Manhattan DA's Office, but he stressed that metadata can be valuable.

"Metadata is at the core of modern day information collection technologies as it removes any personally identifiable information about the individual from the picture, and focuses on his behavior, without infringing on his right to privacy," Arsene said.

Herold said strong encryption was not only available in the U.S. and "if a terrorist or criminal is bent on keeping their communications with others strongly protected, they have many options available elsewhere throughout the world they can use." Additionally, Herold said the constant argument for weakened encryption or backdoors has ultimately limited law enforcement from getting metadata for investigations.

"Requiring U.S. technology companies to build backdoors into encryption will result in criminals and terrorists using encryption tools from other countries, will only hurt U.S. businesses by driving all consumers to other countries for such technologies and will not lead to measurably any more capabilities for their investigation purposes," Herold said. "In fact, investigators will now have less data, because those non-U.S. technology companies will not cooperate with U.S. investigators on cases where they could have gotten a lot of metadata, logs and other useful data beyond the encrypted data from a U.S.-based tech company, such as Apple or any other tech business they seem focused on ruling over."

The Manhattan DA's Office declined to comment on this story.

Getting around smartphone encryption

According to the report, the Manhattan DA's Office "advocates enactment of a federal law that would require smartphone manufacturers and software designers whose software is used in smartphones to retain the ability to extract the information on the smartphones, if and when the manufacturer or designer receives a search warrant for that information. The proposed legislation would restore the status quo before Apple's iOS 8, and would be no different conceptually than legislation that requires products to be safe, buildings to be constructed with exits and egresses that satisfy specific requirements, and roads to have maximum speed limits."

The "status quo" refers to the time before iOS 8 when full device encryption was not the default for Apple products. The report asserts "the actual benefits of iOS 8's default device encryption [has] not been demonstrated by Apple" and "default device encryption does not meaningfully increase smartphone users' protection from unauthorized hackers."

Experts widely disagreed with this assessment, and Herold pointed out the report referenced a decision in The Netherlands that contradicted the argument of the Manhattan DA's Office.

In the list of actions from other countries the report pointed out that "in January 2016, the Dutch government announced that it would not require technology companies to share encrypted communications with security agencies."

The link in the footnote quoted the Dutch Ministry of Security and Justice saying that allowing law enforcers to access protected data would make digital systems vulnerable to "criminals, terrorists and foreign intelligence services," and added "this would have undesirable consequences for the security of information stored and communicated and the integrity of [information and communication technology] systems, which are increasingly of importance for the functioning of the society."

Herold said, "That point summarizes the heart of the issue well: we need strong encryption for the peaceful and privacy-respecting functioning of our modern, digital society."

The report reiterated the various security claims made by Apple regarding iOS 7 in 2012,. Specifically, it said that before iOS 8 Apple maintained the ability to aid law enforcement with investigations and said that "Apple's method of data extraction before iOS 8 was never compromised."

Arsene said Apple's advancement of iOS security was "not necessarily aimed at hindering law enforcement efforts, but at offering users more privacy and security features with the purpose of adding value to Apple's products."

"Good enough security has never been best practice, especially since the digitalization of services and infrastructures has brought forward new attack methods and threats. Security is all about constantly developing and placing more barriers between you and the attacker, increasing the cost of attack and making it difficult for someone to gain access to your data," Arsene said. "Cybercriminals are more creative than we'd like to think and relying on outdate or deliberately vulnerable technologies to protect and secure our data is not just bad practice, but also shortsighted."

Ultimately, the report said there was "an urgent need for federal legislation that would compel software and hardware companies that design or build mobile devices or operating systems to make such devices amenable to appropriate searches," but said all current attempts, including the Burr-Feinstein bill were inadequate. Because of this, the Manhattan DA's Office has proposed legislation that "would require those who design operating systems to do so in a way that would permit law enforcement agents with a search warrant to gain access to the mobile devices."

Herold said "it is misleading, at best, to vilify the use of strong encryption," and said the Manhattan DA's Office is asking for a smartphone encryption backdoor, just without using the word "backdoor."

"Law enforcement has got to stop propagating the false narrative of encryption being all bad. They must balance the effect of encryption to also point out the significantly larger amount of good this effective technology tool does than any harm that they always seem to focus upon," Herold said. "Overall their report is not balanced, and is skewed to promoting fear, uncertainty and doubt within the public in an effort to get their way, and to in effect get access to everyone in the U.S.'s digital selves. If people cannot be compelled to speak in person, then they should not be compelled to have their digital voices revealed either."

Next Steps

Learn more about how encryption legislation could affect enterprise.

Find out why experts say lawmakers don't understand encryption backdoors.

Get info on whether the feds needed Apple's help to bypass smartphone encryption.


SearchSecurity: Security Wire Daily News

Apple may have refused to help the FBI unlock an iPhone used by the San Bernardino shooter, but the tech industry is still better off working with the U.S. government on encryption issues than turning away, according to a former official with the Obama administration.

“The government can get very creative,” said Daniel Rosenthal, who served as the counterterrorism director in the White House until January this year. He fears that the U.S. government will choose to “go it alone” and take extreme approaches to circumventing encryption, especially if another terrorist attack occurs.

[ Safeguard your data! The tools you need to encrypt your communications and web data. • Maximum-security essential tools for everyday encryption. • InfoWorld's encryption Deep Dive how-to report. | Discover how to secure your systems with InfoWorld's Security Report newsletter. ]

“The solutions they come up with are going to be less privacy protective,” he said during a talk at the Versus 16 cybersecurity conference. “People will think they are horrifying, and I don’t want us to see us get to that place.”

Rosenthal made his comments as President-elect Donald Trump—who previously called for a boycott of Apple during its dispute with the FBI—prepares to take office in January.

A Trump administration has a “greater likelihood” than the Obama administration of supporting legislation that will force tech companies to break into their customers’ encrypted data when ordered by a judge, Rosenthal said.

“You have a commander-in-chief, who said at least on the campaign trail he’s more favorable towards a backdoor regime,” Rosenthal said.

Earlier this year, one such bill was proposed that met with staunch opposition from privacy advocates. However, in the aftermath of another terrorist attack, Congress might choose to push aside those concerns and pass legislation drafted without the advice of Silicon Valley, he said.  

Rosenthal went on to say that U.S. law enforcement needs surveillance tools to learn about terrorist plots, and that’s where the tech industry can help. During his time in the White House, he noticed a “dramatic increase” in bad actors using encryption to thwart government efforts to spy on them.

“There are people trying to come up with a reasonable solution,” he said of efforts to find a middle ground on the encryption debate. “To immediately say there is no solution is counter historical.”

dsc05324Michael Kan

Cindy Cohn (right), executive director of EFF, and Daniel Rosenthal, former director of counterterrorism for the White House.

However, Rosenthal’s comments were met with resistance from Cindy Cohn, executive director for Electronic Frontier Foundation, a privacy advocate. She also spoke at the talk and opposed government efforts to weaken encryption, saying it “dumbs down” security.

“This idea of a middle ground that you can come up with an encryption strategy that only lets good guy into your data, and never lets a bad guy into your data, misunderstands how the math works,” she said.

Law enforcement already possess a wide variety of surveillance tools to track terrorists, she said. In addition, tech companies continue to help U.S. authorities on criminal cases and national security issues, despite past disputes over privacy and encryption.

But law enforcement has done little to recognize the risks of building backdoors into products, Cohn said. Not only would this weaken security for users, but also damage U.S. business interests.

“If American companies can’t offer strong encryption, foreign companies are going to walk right into that market opportunity,” she said.

Cohn also said any effort to force U.S. companies to weaken encryption wouldn’t necessarily help catch terrorists. That’s because other strong encryption products from foreign vendors are also circulating across the world.

“The idea that the Americans can make sure that ISIS never gets access to strong encryption is a pipe dream,” she said. “That’s why I think this is bad idea. Because I don’t think it’s going to work.”

The Versus 16 conference was sponsored by cybersecurity firm Vera. 

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.


InfoWorld Security

The amount of phishing emails containing a form of ransomware grew to 97.25 percent during the third quarter of 2016 up from 92 percent in Q1.

encryption ransomware hits

PhishMe’s Q3 2016 Malware Review identified three major trends previously recorded throughout 2016, but have come to full fruition in the last few months:

Locky continues to dominate: While numerous encryption ransomware varieties have been identified in 2016, Locky has demonstrated adaptability and longevity.

Ransomware encryption: The proportion of phishing emails analyzed that delivered some form of ransomware has grown to 97.25 percent, leaving only 2.75 percent of phishing emails to deliver all other forms of malware utilities.

Increase in deployment of ‘quiet malware’: PhishMe identified an increase in the deployment of remote access Trojan malware like jRAT, suggesting that these threat actors intend to remain within their victims’ networks for a long time.

During the third quarter of 2016, PhishMe Intelligence conducted 689 malware analyses, showing a significant increase over the 559 analyses conducted during Q2 2016. Research reveals that the increase is due, in large part, to the consistent deployment of the Locky encryption ransomware. Locky executables were the most commonly-identified file type during the third quarter, with threat actors constantly evolving the ransomware to focus on keeping this malware’s delivery process as effective as possible.

“Locky will be remembered alongside 2013’s CryptoLocker as a top-tier ransomware tool that fundamentally altered the way security professionals view the threat landscape,” explained Aaron Higbee, CTO at PhishMe. “Not only does Locky distribution dwarf all other malware from 2016, it towers above all other ransomware varieties. Our research has shown that the quarter-over-quarter number of analyses has been on a steady increase since the malware’s introduction at the beginning of 2016. Thanks to its adaptability, it’s showing no signs of slowing down.”

encryption ransomware hits

While ransomware dominates the headlines, PhishMe’s Q3 Malware Review reveals that other forms of malicious software delivered using remote access Trojans, keyloggers and botnets still represent a significant hazard in 2016.

Unlike ransomware, so-called ‘quiet malware’ is designed to avoid detection while maintaining a presence within the affected organization for extended periods of time. While only 2.75 percent of phishing emails delivered non-ransomware malware, the diversity of unique malware samples delivered by these emails far exceeded that of the more numerous ransomware delivery campaigns.

Rohyt Belani, CEO at PhishMe added, “The rapid awareness of and attention to ransomware has forced threat actors to pivot and iterate their tactics on both payload and delivery tactics. This sustained tenacity shows that awareness of phishing and threats is not enough. Our research shows that without a phishing defense strategy, organizations are susceptible to not just the voluminous phishing emails used to deliver ransomware, but also the smaller and less-visible sets of emails used to deliver the same malware that has been deployed for years. We must empower people to act as both human sensors for detecting attacks and partners in preventing threat actors from succeeding.”


Help Net Security

Versus16 Silicon Valley should work with the US government in Washington to arrive at a solution that gives law enforcement access to encrypted comms, but that respects individual privacy.

That's according to former White House counterterrorism and cybersecurity official Daniel Rosenthal, who was debating where the issue of encryption should go next.

Nonsense, responded Cindy Cohn of the Electronic Frontier Foundation (EFF), on stage at the Versus conference in San Francisco. If the tech sector offers some form of compromise now, the government will only come asking for more later.

In the week since Donald Trump was elected president, tech companies have reported a 25 per cent spike in people encrypting their communications.

The reason why is not hard to discern: on the campaign trail the Republican nominee repeatedly stated that he would be prepared to use the full power of the federal government to carry out his policy goals, which includes the forced deportation of millions of people, the surveillance of millions of others, and the pursuit of terrorism above all else.

What's more, Trump weighed in on the biggest showdown in the past decade between law enforcement and the tech industry, telling crowds that they should boycott Apple over its refusal to bypass its own security and grant the FBI access to a locked phone that belonged to San Bernardino shooter Syed Farook.

Risk

Both Rosenthal and Cohn acknowledged that the likelihood of the executive branch of the US government pushing for a backdoor into encryption was "significantly greater" under the Trump Administration.

Although both offered some consolation: Rosenthal said there still remained forces within the executive branch that would argue for the value of strong encryption and the importance of privacy; Cohn promises that the EFF will continue to fight – as it has for decades – to prevent government overreach.

But while both agreed in general, Rosenthal and Cohn represented two very different viewpoints, themselves reflecting two very different attitudes on the East and West Coasts of the United States.

Both agreed that the bill put forward by Senators Dianne Feinstein and Richard Burr in April was a horrible piece of legislation (it eventually died, but not without significant effort being made to kill it).

Rosenthal warned, however, that if the tech industry rules out working on ways to open up access to encrypted data, it may find itself left out the conversation when the "inevitable" next terrorist attack hits the United States and the government reacts to it with new laws.

Cohn stuck with well-worn arguments about the mathematics of encryption: weakened encryption is weak for everyone, and a backdoor is a backdoor as much for bad actors as for law enforcement.

She also warned that if the US government pushes a law to undermine encryption, it sends a signal to the rest of the world's governments, and makes it impossible for tech companies to stand up to other, inevitable demands from across the world.

Déjà vu

This is not the first time this debate has played out – for months this year the back-and-forth over encryption turned into fixed positions.

Rosenthal fell back on flattering the West Coast as being "much smarter" and urging tech companies to figure out a way to make breakable encryption possible. In response, Cohn offered the logic of math and argued that everyone has access to prime numbers. She shook her head at the Washington, DC policy process of finding a middle ground between opposing sides: there is no middle ground on encryption – it works or it doesn't.

Fortunately, neither fed into the familiar insults traded between the coasts – but they did reference them: Silicon Valley doesn't care about terrorism; Washington, DC doesn't care about its citizens' privacy.

Rosenthal thinks that Apple should feel an obligation to be a "good citizen"; Cohn notes that law enforcement agencies should be obliged to follow the law and run all requests for information through the legal process – "because companies are not always in the best position to evaluate requests or know if the system is being misused."

In short, despite the best efforts of two very knowledgeable individuals actively looking to find some common ground, nothing new was uncovered.

It's also notable that neither Cohn nor Rosenthal currently possess government or tech industry roles. It is, of course, possible that there are lots of positive conversations going on behind closed doors between DC and Silicon Valley. But it seems unlikely.

What seems even more unlikely is that the conversation will start with the arrival of the Trump Administration. Trump's stated policies are in many ways antithetical to both the politics and the finances of Silicon Valley.

Trouble ahead

When that inevitable next terrorist attack does come, we can expect to see the Apple versus FBI argument return – but this time with much greater odds and carried out in much louder voices. Just as with the election itself, there is increasingly less room for compromise. One side will win, and one side will lose.

Where will it fall? It will come down to Trump and whether he can persuade Congress to enact a new law. The Obama Administration was split on the issue and the President very publicly sat on the fence. That is far less likely to happen with the President-elect.

If there is a large terrorist attack, as Rosenthal noted, the people's concerns about privacy will fall away if they are offered a firm hand and a clearly stated solution.

And while Tim Cook has taken a principled stance on privacy and encryption, and Google and Facebook and many other tech companies have said they support that view – no one has ever said they will ignore the law of the land. ®

Sponsored: Transforming software delivery with DevOps


The Register - Security

Researchers Go Inside a Business Email Compromise Scam

August 4, 2016 , 10:00 am

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Apple Launches Bug Bounty with Maximum $ 200,000 Reward

August 4, 2016 , 8:30 pm

Miller, Valasek Deliver Final Car Hacking Talk

August 4, 2016 , 3:26 pm

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $ 90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

uTorrent Forums User List Stolen

June 9, 2016 , 2:30 pm

Patched BadTunnel Windows Bug Has ‘Extensive’ Impact

June 15, 2016 , 3:23 pm

The Illusion Of An Encrypted Internet

June 7, 2016 , 12:56 pm

Meet the 18-Year-Old Who Hacked the Pentagon

June 21, 2016 , 3:15 pm

IoT Medical Devices: A Prescription for Disaster

July 11, 2016 , 11:31 am

Android KeyStore Encryption Scheme Broken, Researchers Say

July 7, 2016 , 11:52 am


Threatpost | The first stop for security news

“The confidentiality of online communications by individuals and businesses is essential for the functioning of modern societies and economies. The EU rules designed to protect privacy in electronic communications need to reflect the world that exists today,” European Data Protection Supervisor (EDPS) Giovanni Buttarelli opined after reviewing a new proposal on the ePrivacy Directive.

European privacy advisor wants encryption without backdoors

The existing ePrivacy Directive is currently under revision. The European Commission is collecting feedback on the proposal, and should prepare a new, updated version of the legislation by the end of 2016. One of the purposes of the EDPS is to advise EU institutions on policies and legislation that affect privacy.

In his opinion, the EDPS says that the scope of new ePrivacy rules needs to be broad enough to cover all forms of electronic communications irrespective of network or service used, not only those offered by traditional telephone companies and internet service providers. Individuals must be afforded the same level of protection for all types of communication such as telephone, Voice over IP services, mobile phone messaging app, Internet of Things (machine to machine).

The updated rules should also ensure that the confidentiality of users is protected on all publicly accessible networks, including Wi-Fi services in hotels, coffee shops, shops, airports and networks offered by hospitals to patients, universities to students, and hotspots created by public administrations.

Any interference with the right to confidentiality of communications is contrary to the European Charter of Fundamental Rights.

No communications should be subject to unlawful tracking and monitoring without freely given consent, whether by cookies, device-fingerprinting, or other technological means. Users must also have user-friendly and effective mechanisms to give, or not give, their consent. In order to better protect the confidentiality and security of electronic communications, the current consent requirement for traffic and location data must be strengthened.

The existing rules in the ePrivacy Directive protecting against unsolicited communications, such as advertising or promotional messages, should be updated and strengthened and require prior consent of the recipients for all forms of unsolicited electronic communications.

The new rules should also clearly allow users to use end-to-end encryption (without “backdoors”) to protect their electronic communications. Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited.

A new provision for organisations to periodically disclose aggregate numbers indicating EU and non-EU law enforcement or government requests for information would offer some welcome transparency in the sensitive, complex and often contentious area of government access to communications.

The new rules should complement, and where necessary, specify the protections available under the General Data Protection Regulation (GDPR). They should also maintain the existing, higher level of protection in those instances where the ePrivacy Directive offers more specific safeguards than in the GDPR.


Help Net Security