France’s Own Hack Is the Best Argument Against Its War on Encryption

Brussels and a run of European governments, France loud among them, have spent the past few years treating strong encryption as a problem to be solved.

The argument behind proposals like Chat Control is that the state needs a way to scan private messages to keep people safe and that it can be trusted to hold that kind of access without abusing it or losing control of it.

But France just handed that argument an awkward rebuttal. Tchap, the messenger the French government built for its own civil servants, got breached.

France’s National Cybersecurity Agency, ANSSI, detected the compromise on June 7, and DINUM, the digital affairs directorate that runs the platform, blocked the account involved and published an incident notice.

The intrusion broke neither the encryption nor the servers. Someone hijacked a legitimate user account, which is all an attacker needs when any one credential is a key to the same building.

That detail is the part the backdoor crowd keeps refusing to absorb. The encryption on Tchap did its job. DINUM says private conversations stay end-to-end encrypted even when an account is impersonated and that the attacker could reach only the unencrypted public chat rooms any authenticated user is able to find.

Security researchers were quick to note what that reassurance skips over. An attacker wearing a real user’s identity can see whatever that account sees in the moment, private rooms included.

A government backdoor is exactly that: an access path bolted on beside working encryption, and France just demonstrated it cannot keep one of those paths shut for a single weekend.

DINUM has notified CNIL, the French data protection regulator, because personal information may have surfaced in whatever the attacker viewed. The directorate described its handling of the intrusion in a press release.

“At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker’s persistent access and allow for a thorough analysis of the data they were able to access. The investigation continues, including the study of event logs, to identify the conversations that the attacker was able to access and the nature of the exfiltrated data,” DINUM said.

The directorate also pushed responsibility back toward its own users, reminding them where the safe lines were supposed to be.

“A message has been sent to all Tchap users reminding them that a public chat room can be found and joined by any user and that its content is not encrypted. In accordance with Tchap’s terms of service, no personal, sensitive, or confidential information should be exchanged in public chat rooms: such exchanges should be reserved for private chat rooms.”

UK Encryption Backdoor Could Hit US Data, Jordan Warns

Britain has refused to let a US technology company brief Congress about a secret order to weaken encryption and the chairman of the House Judiciary Committee is treating that refusal as a problem in its own right.

Jim Jordan, the Ohio Republican who leads the committee, wrote to Home Secretary Shabana Mahmood on Friday warning that Britain may be using encryption powers to reach the private data of US citizens.

The underlying dispute is not new. For more than a year, the UK’s use of secret “technical capability notices” under the Investigatory Powers Act 2016 has strained relations with Washington, ever since reports that Britain ordered Apple to open up encrypted iCloud data. What is new is the wall Jordan says he keeps hitting when he tries to learn more.

He met Sir Christian Turner, the British ambassador to the United States, in March, after a US company asked to brief members of Congress about one of these notices, something that would require Mahmood’s sign-off.

The ambassador suggested it could happen. Mahmood then refused.

“This denial is inconsistent with our understanding from Ambassador Turner and raises serious concerns about shared cooperation on these sensitive matters, particularly as Congress exercises its important oversight responsibilities,” Jordan wrote, the Telegraph reported, adding that it cast doubt on the “trust and effective partnership between our two countries.”

He asked Mahmood to “review this matter and grant the US company’s request to speak with Congress about an alleged technical capability notice,” which he said would “honour the representation made by the ambassador during our meeting and uphold the spirit of transparency and cooperation that is the foundation of our shared security relationship.”

The secrecy Jordan ran into is built into how these orders work and it is worth keeping in view.

The UK may be building “backdoors into their encrypted services,” he wrote.

A backdoor is a deliberately built flaw, a master key, or a hidden bypass that lets an intelligence agency read encrypted data without the user ever knowing. It defeats end-to-end encryption, the design that normally keeps a message readable only to the person who sent it and the person who received it.

A company served with a notice cannot tell its customers, the press, or apparently even a foreign legislature, without the express permission of the Home Secretary.

Canada Moves to Destroy Encryption – Demands Backdoor Access to ALL Available Data

Canada is walking into extremely dangerous territory and most people do not understand the implications because governments always package surveillance laws as “public safety.” That is how this begins every single time historically. They sell fear first, then quietly expand state power behind the scenes while claiming only criminals should worry.

Now even Apple, Google, Meta, Signal, privacy experts, cybersecurity professionals, and members of the U.S. Congress are warning that Canada’s Bill C-22 could force technology companies to weaken encryption and build government access mechanisms directly into their systems.

People need to understand what encryption actually is. Encryption is not some toy used only by criminals. Encryption protects bank accounts, corporate systems, private medical data, government communications, journalists, dissidents, businesses, lawyers, and ordinary citizens. Every time you use secure banking, send a private message, or protect sensitive data online, encryption is standing between you and cybercriminals.

The government always frames these laws as targeting terrorists, child exploitation, organized crime, or national security threats. But the mechanism itself never stays limited. Once governments establish the legal right to force “lawful access” into encrypted systems, the infrastructure for surveillance already exists. The temptation to expand those powers becomes overwhelming.

Apple warned directly that Bill C-22 could allow Canada to “force companies to break encryption by inserting backdoors into their products.” Meta warned the bill could require companies to “break, weaken, or circumvent encryption” and potentially install government spyware capabilities directly into systems. Signal reportedly stated it would rather leave Canada entirely than compromise its encryption promises.

AI Safety Institute Debuts with Big-Name Backers and a Censorship Agenda

Common Sense Media’s Youth AI Safety Institute arrived at the Danish Parliament this week and the guest list is stacked with people who think you can’t be trusted to speak freely online.

Hillary Clinton, Ursula von der Leyen, former Biden Surgeon General Vivek Murthy, Ofcom chief Melanie Dawes, and the head of an organization that wants to break end-to-end encryption are all gathering at Christiansborg Palace in Copenhagen to announce what they’d like to do next about AI and children.

The “next” part is where it gets concerning. The Youth AI Safety Institute, launched by Common Sense Media on May 5, says it will “complement efforts by regulators and policymakers to translate frameworks such as the EU AI Act, the Digital Services Act, and the UK Online Safety Act into practical protections for child-safe AI.”

Those three censorship laws represent the most aggressive government-directed speech suppression regimes currently operating in the Western world. The Institute isn’t questioning them. In fact, it wants to help implement them and push them further.

The summit, titled “Keeping Our Children and Families Safe in the AI Era,” is co-hosted by Common Sense Media, Save the Children Denmark, and Margrethe Vestager, who spent years as the European Commission’s executive vice president building the regulatory architecture that now lets EU officials order platforms to delete content.

More than 200 policymakers, tech executives, and civil society figures are expected. King Frederik X of Denmark is giving the opening address. The Duchess of Edinburgh will attend. Danish Prime Minister Mette Frederiksen is on the bill.

And so is Pinterest CEO Bill Ready, whose company helped pay for the Institute’s creation.

France Moves to Break Encrypted Messaging

France’s intelligence delegation in parliament has formally backed breaking the encryption that protects WhatsApp, Signal, and Telegram conversations, recommending that magistrates and intelligence agents be granted what lawmakers describe as targeted access to messages that platforms currently cannot read even themselves.

The delegation, an eight-member body composed of four deputies and four senators, published its conclusions on Monday after months of work on a question that keeps returning to the French Parliament. “The inability to access the content of encrypted communications constitutes a major obstacle for the work of the justice system and intelligence services,” the delegation wrote, framing end-to-end encryption as a problem to be solved rather than a protection to be preserved.

The technology end-to-end encryption uses is precisely the thing the delegation wants weakened. Decryption keys live on user devices, not on company servers, which means the platforms holding your messages genuinely cannot read them. That’s the design and the point. Strip that property away and the protection collapses because a system that lets investigators read messages on demand is also a system that can be abused, leaked, subpoenaed, or hacked.

French police and intelligence services have spent years complaining about this tech. They can still intercept old-fashioned phone calls and SMS messages with a judge’s warrant but encrypted platforms route around that capability entirely.

Apple Fixes Bug That Allowed FBI To Read Deleted Signal Messages

Tech giant Apple has fixed a security flaw that had allowed the FBI to access a Signal user’s deleted messages through their phone’s push notification database, despite the app being deleted and messages being set to disappear.

In a security advisory released on Wednesday, Apple said it had fixed a bug that allowed “notifications marked for deletion” to be “unexpectedly retained on the device.”

In an X post on Wednesday, Signal said the update fixed the issue that made a user’s messages retrievable by law enforcement.

“Apple’s advisory confirmed that the bugs that allowed this to happen have been fixed in the latest iOS release,” Signal said.

Signal uses end-to-end encryption to secure messages between its users. The bug is a reminder that messaging encryption may not be enough to keep data protected when using certain devices or operating systems.

Meta is Ending Instagram Direct Message End-to-End Encryption

Meta is quietly dismantling one of its few genuine privacy commitments. Starting May 8, end-to-end encryption for Instagram direct messages disappears, taking with it the one technical guarantee that kept those conversations private from Meta itself.

“If you have chats that are impacted by this change, you will see instructions on how you can download any media or messages you may want to keep,” the company said in a help document, framing the loss of message privacy as a data export problem. Collect your things, the walls are coming down.

The feature being removed was never universal anyway. End-to-end encryption for Instagram DMs had been available only in certain regions, not enabled by default, since Meta began testing it in 2021 as part of what CEO Mark Zuckerberg called his “privacy-focused vision for social networking.”

That vision apparently has an expiration date. Meta also made encrypted DMs available to all adult users in Ukraine and Russia in February 2022, weeks after the Russian invasion began. That access, too, is ending.

The timing is revealing. TikTok told the BBC last week that it has no plans to bring end-to-end encryption to its DMs, arguing that privacy makes users less safe. Meta is now arriving at the same destination from a different direction.

The stakes are straightforward. End-to-end encryption means only the people in a conversation can read it, a technical lock that excludes the platform, third parties, and anyone who might later obtain a warrant.

When that lock disappears, Meta and its employees can read Instagram DMs, law enforcement can subpoena them, and advertisers may eventually benefit from what gets learned.

Instagram users who relied on encrypted DMs have until May 8 to decide what to archive. After that, their private conversations are Meta’s to read.

TikTok Says Privacy Makes Users Less Safe

Over the past five years, the largest social platforms settled on a clear position about private messaging. Lock it down. Facebook turned on end-to-end encryption. Instagram and Messenger did the same. X joined the club. Yes, metadata is still an issue and the protocols used matter; but, generally speaking, the move was toward more privacy of actual messages.

TikTok looked at that trend and made a different choice. Then it scheduled a briefing in London with the BBC to explain the reasoning.

The explanation was safety.

In the UK, TikTok belongs to ByteDance, a Chinese technology company that operates under Beijing’s jurisdiction. China maintains strict limits on end-to-end encryption inside its borders. TikTok, after its own review of the issue, reached the same policy outcome for its messaging system.

Alan Woodward, a cybersecurity professor at Surrey University, raised that point directly. The company’s “Chinese influence might be behind the decision,” he said, adding that end-to-end encryption is “largely banned in China.”

TikTok declined to engage with that suggestion, of course. The remark hung in the air. However, it’s worth adding that the US operation of TikTok has made no indication that it is moving towards private messaging standards either.

End-to-end encryption is simple in theory. Only the people in a conversation can read the messages. The platform running the service cannot access the content. Governments cannot request it. Engineers inside the company cannot view it.

TikTok’s system operates in a different way. Messages on the platform remain readable to the company. Employees can access them under defined circumstances. Law enforcement agencies can request them through legal channels.

TikTok argues that readable messages allow the company to identify harmful activity.

The debate turns on a basic technical fact. “We can read your messages to catch predators,” and “we can read your messages” describe the same system.

Zohran Mamdani Has Already Broken His Promise to Be Transparent

New York City Mayor Zohran Mamdani has come under fire for using the encrypted messaging app Signal to communicate with elected officials while conducting government business.

On the campaign trail, Mamdani repeatedly promised his administration would be transparent. Yet, a Politico report revealed that the mayor used Signal from a personal phone number to communicate with elected officials and political strategists. In at least one of these exchanges, he discussed official city business.

Three people with knowledge of the matter told POLITICO that as mayor Mamdani has used the encrypted messaging app to communicate with fellow elected officials and political advisers. In at least one instance, he’s discussed government business over the app, according to one of those people, who, like the others, was granted anonymity to discuss the sensitive issue.

POLITICO independently confirmed that Mamdani’s Signal account, registered to his personal cell phone number, remains active.

Norman Siegel, a veteran First Amendment lawyer who previously helmed the New York Civil Liberties Union, said mayors should never use Signal to communicate with other government officials as a rule of thumb — and that there’s another particularly important reason why Mamdani himself should avoid the app.

“With our new mayor, so much of what he’s articulating is a breath of fresh air,” Siegel said. “I would urge him to not engage in Signal or similar kinds of applications that basically are meant to hide information and prevent the public from knowing the inner workings of government.”

Republican Lawmakers Demand Answers on UK’s iCloud Encryption Backdoor Order

Two senior Republican lawmakers are demanding answers from the British government about its secret order forcing Apple to break its own encryption. The UK has until March 11 to respond.

House Judiciary Committee Chairman Jim Jordan and Foreign Affairs Committee Chairman Brian Mast sent a joint letter on Wednesday to Home Secretary Shabana Mahmood, pressing for a formal briefing on the Technical Capability Notice (TCN) served on Apple under the UK’s Investigatory Powers Act.

We obtained a copy of the letter for you here.

It’s the latest move in a surveillance fight that began over a year ago and has rattled the US-UK relationship at the highest levels.

In January 2025, UK security officials secretly ordered Apple to build a backdoor into iCloud that would allow them to decrypt any user’s data, anywhere in the world. Not just suspected criminals, not just UK citizens. Everyone.

The order targeted Apple’s Advanced Data Protection (ADP) feature, the optional end-to-end encryption that ensures even Apple can’t read iCloud backups. Apple’s response was to pull ADP from the UK market entirely in February 2025, stripping strong encryption options from roughly 35 million iPhone users rather than comply with a demand it couldn’t legally discuss.

UK law makes it a criminal offense for companies to confirm or deny the existence of such orders, even to their own government.

Apple couldn’t tell the US Department of Justice that the order existed. The DOJ couldn’t verify whether it complied with the CLOUD Act, the bilateral agreement governing how the two countries share access to digital evidence. That agreement explicitly states it “shall not create any obligation that providers be capable of decrypting data.” The UK’s order appears to do exactly that.

The reaction in Washington was bipartisan. Senator Ron Wyden and Congressman Andy Biggs slammed the order as “effectively a foreign cyber attack waged through political means.”

President Trump compared the UK’s conduct directly to China’s. Speaking to the Spectator after meeting Prime Minister Keir Starmer, Trump said: “We actually told [Starmer] . . . that’s incredible. That’s something, you know, that you hear about with China.” DNI Secretary Tulsi Gabbard called any attempt to compel Apple to create security weaknesses an “egregious violation” of privacy and confirmed legal and intelligence teams were assessing the implications.
