A Canadian privacy watchdog said this week that the federal government is wrong to have changed its policy so that it now urges technology companies to weaken encryption protection in products and services.
The move will put people and their data in danger, Citizen Lab said in a report issued Wednesday.
“In advancing an irresponsible encryption policy that would deny individuals and businesses access to strong encryption, [Ralph Goodale, Minister of Public Safety] and the Government of Canada have failed to publicly acknowledge and present the range of serious harms that would follow should companies voluntarily, or under compulsion, adopt the government’s current policy,” indicated the report.
In fact, it goes further, complaining that the government offers “one-sided anecdotal and emotionally-driven arguments that encryption is increasing risks to public safety.”
In response, Scott Bardsley, Goodale’s manager of communications, said the report “mischaracterizes the issue and the government’s position.”
Citizen Lab is a part of the Munk School of Global Affairs at the University of Toronto. Its accusation comes after Goodale last month signed a communique following a meeting of government ministers in the Five Eyes intelligence co-operative (including Canada, the U.S., the U.K., Australia and New Zealand). The communique worries that “strong encryption” in products is impairing the ability of police and intelligence agencies to investigate crime and terrorism.
According to the Citizen Lab report, for several years Canada said it favoured strong encryption to protect citizens, in the face of pressure from some governments to force tech companies to install backdoors into software.
However, in the July communique — while still endorsing strong encryption — the five countries said “tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format.”
At the same time, the communique added, “companies should also embed the safety of their users in their system designs, enabling them to take action against illegal content. As part of this, companies and governments must work together to ensure that the implications of changes to their services are well understood and that those changes do not compromise public safety.”
The Citizen Lab report acknowledges encryption adds “investigative friction” to police and intelligence agencies’ efforts. However, it also argues that encryption does not preclude governments from conducting successful investigations or intelligence operations.
“The tools and legislated powers that are available to law enforcement, security services, and intelligence agencies today were the stuff of science fiction a few decades prior. Today, agencies subscribe to services that monitor social media for intelligence, collect bulk location data in tower-dumps and using IMSI catchers [devices that can intercept mobile phone traffic], deploy malware to intrude into endpoint devices and network equipment, and can avail themselves of the massive information databases which are retained by Canada’s Communications Security Establishment (CSE) and the Establishment’s allies.”
Media reports about the investigative tools available to police have not shown that encryption is stymieing investigations, added Citizen Lab.
The CSE is responsible for protecting the federal government’s communications, including creating encryption standards and policies for the government and decrypting intercepted messages from threat actors. CSE advises the RCMP and other Canadian police forces on their cyber security investigations.
In his response, Bardsley noted the July meeting of Five Eyes ministers was with large Internet companies to discuss child sexual exploitation online. “All agreed to fight this horrific crime and develop a set of voluntary principles to ensure online platforms protect our children. That work is underway.
“The communique confirmed the Five Eyes ‘are committed to strong encryption, which enables commerce, improves cyber security, and protects the privacy of our citizens’ data,’” Bardsley added.
“However, while some companies are developing powerful tools to help combat online child sexual exploitation, they are also developing services that will make those tools virtually obsolete.
“We need to work with the internet companies to achieve two objectives simultaneously: the privacy protections from new technologies and encryption while ensuring that these systems do not conceal or facilitate the exploitation of children.”
The Citizen Lab report is the latest entry in a long-running debate over calls by governments to either weaken encryption in products or install backdoors. The counter-argument is that any backdoor will make encryption in products useless because it could be exploited by other governments or criminals. Police have been urging the creation of some form of backdoor solution that could be accessed by governments with a judicial warrant but would be impervious to attack by the bad guys.
A summary of the debate can be found in the 2018 report by the U.S. National Academies of Sciences, Engineering and Medicine.