Proton
Salt Typhoon

Massive US security breach highlights danger of weakening encryption

A ”potentially catastrophic” cyberattack(new window) against United States broadband infrastructure has likely given the Chinese government access to swathes of highly sensitive security information, including from systems the federal government uses for court-authorized network surveillance requests.

As terrible as this news is for US national security, it also highlights the problem inherent with all surveillance systems that give governments “backdoor” access to critical data. These systems can be compromised, notably by state-sponsored foreign actors. 

This is a lesson the EU would be wise to take to heart. As Hungary is currently assuming the rotating Presidency of the Council of the EU, Hungarian Prime Minister and close friend to Russia(new window) and China(new window), Victor Orban, has been pushing hard(new window) to make EU countries agree on a common position regarding the highly controversial(new window) “chat control” legislation.

Crucially Hungary, similar to Belgium before it, wants to push for an extremely intrusive and dangerous approach that could ultimately force end-to-end encrypted(new window) (E2EE) services to create a backdoor for law enforcement. The European Parliament, on the other hand, went in a totally different direction, arguing that the legislation shouldn’t weaken end-to-end encryption(new window).

What happened in the US?

In an attack that may have lasted “months or longer”, the Chinese hacking group “Salt Typhoon” compromised the networks of key US internet suppliers, including AT&T, Verizon, and Lumen. Salt Typhoon accessed the federal government-mandated surveillance systems that allow internet providers to intercept domestic electronic information related to criminal and national security investigations. It’s unclear if systems for monitoring foreign intelligence were also compromised.

Authorities investigating the incident are looking into whether Salt Typhoon gained access to US internet infrastructure through Cisco Systems routers(new window), which are responsible for routing a large percentage of all internet traffic. However, no such link has been confirmed, and while Cisco is investigating the matter, they claim to have found no indication their routers are involved.

What is chat control?

The EU’s chat control legislation, formally called the “Regulation to Prevent and Combat Child Sexual Abuse,” aims to address the growing problem of child sexual abuse material (CSAM) online. Introduced in 2022, it opens the door for mandatory scanning of digital communications, including images, videos, and links, on platforms like messaging apps and email services.

Proponents, including EU officials and child protection advocates, argue that this regulation is necessary to protect children from online exploitation and highlight the difficulty law enforcement faces in accessing encrypted messages used by perpetrators. The proposed law focuses solely on fighting against the “content”, and aims to catch and prevent CSAM from spreading using technology-based mechanisms.

One of the more controversial aspects that arose during the legislative process is the Commission and EU governments’ push for client-side scanning, where messages would be scanned for illegal content before being encrypted. This would potentially allow law enforcement to view not only the content you share(new window), but also the content you simply save on your device.

The legislation faces strong opposition(new window) from privacy advocates, academics, digital rights groups, and privacy-focused tech companies, including Proton(new window). While we fully support measures that help safeguard children, this legislation is not the answer. It would effectively create a new method for mass surveillance, requiring service providers to scan all digital communications indiscriminately. Even worse, such surveillance would do very little, if anything, to catch the perpetrators or help the victims of such despicable acts.

Chat control and end-to-end encryption

A particular point of contention has been E2EE, where only the sender and their intended recipient can access communications between them.

While the European Parliament understands the importance of E2EE in safeguarding citizens’ (including children) privacy while ensuring a high level of cybersecurity, EU Member States see it differently. Despite the ineffectiveness of such measures at protecting the real victims, most EU governments(new window) are more than happy to use the fight against CSAM as an excuse to require online services to develop systems that allow law enforcement access to all encrypted communications.

Lessons to be learned

There is no such thing as end-to-end encryption with a “backdoor” that only lets the good guys in. Even assuming that governments would not extend the scanning of encrypted communications to any sort of minor criminal offense in the future, implementing a backdoor amounts to creating a weakness that compromises the entire system. And the Salt Typhoon attack on the United States surveillance systems clearly demonstrates that if “authorized personnel” can access a backdoor, so can hackers. 

This includes state-sponsored hackers, and it may be no coincidence that Victor Orban, an authoritarian leader who overtly supports and admires other authoritarian leaders such as Vladimir Putin and Xi Jinping, is so keen to introduce weakness into the encryption standards that keep us all safe. 

Related articles

laptop showing Bitcoin price climbing
en
  • Privacy guides
Learn what a Bitcoin wallet does and the strengths and weaknesses of custodial, self-custodial, hardware, and paper wallets.
pixel tracking: here's how to tell which emails track your activity
en
Discover what pixel tracking is and how it works, how to spot emails that track you, and how to block these hidden trackers.
A cover image for a blog describing the next six months of Proton Pass development which shows a laptop screen with a Gantt chart
en
Take a look at the upcoming features and improvements coming to Proton Pass over the next several months.
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone
en
We searched the dark web for Danish, Dutch, and Luxembourgish politicians’ official email addresses. In Denmark, over 40% had been exposed.
Infostealers: What they are, how they work, and how to protect yourself
en
Discover insights about what infostealers are, where your stolen information goes, and ways to protect yourself.
Mockup of the Proton Pass app and text that reads "Pass Lifetime: Pay once, access forever"
en
Learn more about our exclusive Pass + SimpleLogin Lifetime offer. Pay once and enjoy premium password manager features for life.