Are Canada, the U.S. and other members of the Five Eyes intelligence alliance preparing to sacrifice online privacy to increase security? Are the five countries about to increase pressure on telecom and software companies to install ways of defeating encryption?
Yes, if you believe privacy advocates after seeing a communique issued last week by security and public safety ministers following their annual meeting in Australia.
They are alarmed that the statement says the five countries – including the U.K., Australia and New Zealand – “agreed to the urgent need for law enforcement to gain targeted access to data, subject to strict safeguards, legal limitations, and respective domestic consultations.”
No, if you believe a spokesperson for Public Safety Minister Ralph Goodale. In an email, Scott Bardsley, the minister’s senior communications advisor, noted the statement also says the Five “have no interest or intention to weaken encryption mechanisms,” and that any action on the ministers’ statement “will adhere to requirements for proper authorization and oversight, and to the traditional requirements that access to information is underpinned by warrant or other legal process.”
Still, the communique – which covers a range of safety-related issues including maintaining an open, safe and secure internet, countering the threat of terrorism, cyber security and critical infrastructure resilience and countering foreign interference in internal affairs – does include a separate Statement of Principles on Access to Evidence and Encryption.
It says that because “the increasing use and sophistication of certain encryption designs present challenges for nations in combatting serious crimes and threats to national and global security,” the ministers “encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries. Governments should not favor a particular technology; instead, providers may create customized solutions, tailored to their individual system architectures that are capable of meeting lawful access requirements. Such solutions can be a constructive approach to current challenges.
“Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”
Statements like that worry Imran Ahmad, privacy law specialist and a member of the Canadian Advanced Technology Alliance’s cyber security advisory board. “This is effectively a different way of saying that governments want companies [to build] backdoors into certain software solutions and applications,” he said in an email.
Canadian privacy expert Ann Cavoukian tweeted that the “Five Eyes’ pursuit of a crypto backdoor must be stopped dead in its tracks. The cost to our privacy, security and freedom would be devastating.”
In a Thursday blog, U.S. encryption expert Bruce Schneier called the statement of principles “reckless and shortsighted … Demanding that technology companies add backdoors to computers and communications systems puts us all at risk.”
The debate over putting backdoors into encrypted systems goes back years, but erupted furiously in 2016 when the FBI wanted Apple to create a special version of its iOS operating system so it could unlock an iPhone belonging to one of two shooters who killed 14 people in San Bernardino, Calif. Ultimately the FBI was able to get into the phone, but law enforcement agencies around the world have been saying loudly ever since that police need better tools to break into encrypted communications of suspects. Encryption experts warn that any kind of backdoor solution – even one that is designed to only allow decryption keys to be in the hands of police or intelligence agencies with a warrant – can be defeated by the bad guys. There’s no such thing as a secure backdoor.
Earlier this year the U.S. National Academies of Sciences, Engineering and Medicine proposed a framework to evaluate proposals giving authorized government agencies access to unencrypted versions of encrypted data. It suggests policymakers answer eight questions about any solution, including to what extent the proposed approach will affect the privacy, civil liberties, and human rights of targeted individuals and groups, as well as affect commerce.
In 2013 the University of Toronto’s Citizen Lab issued a report that concluded a backdoor is “not only bad for civil liberties, it is bad for security, and sets dangerous precedents for the legitimization of practices abroad we [as citizens] ostensibly oppose … In the world of Big Data, in which so much personal information is readily abundant, new methods of “connecting the dots” must be explored other than those that drill holes into our communications infrastructure.”
Some Five Eyes countries are hotter about the issue than others. In June, Australia introduced legislation that would force tech companies to give access to customer encrypted data to its security agencies. Backdoors wouldn’t be mandated, but somehow providers would have to give access under a court order. In 2016 the U.K. government of the day talked about legislation giving the Home Secretary the power to force telcos to remove or disable end-to-end encryption. Also in 2016 two U.S. senators co-sponsored a bill obliging tech companies to comply with court orders to help solve crimes. Meanwhile this year some Congressmen introduced legislation prohibiting law enforcement and surveillance agencies from forcing companies to create encryption backdoors.
In his email Bardsley noted Parliament’s standing committee on national security and public safety is studying encryption issues. “It will also continue to examine options to ensure agencies have the resources necessary to gain access to decrypted data required to address criminal activity,” he added.
Unsaid is how that access to decrypted data will be achieved.
Canada ‘doesn’t believe in legislative solution’
Bardsley pointed out a 2017 committee report called for “no changes to the lawful access regime for subscriber information and encrypted information be made.” In response to that report, Public Safety Minister Goodale said that while encryption poses challenges to law enforcement and intelligence agencies, the government doesn’t believe in a legislative solution. It is looking at other solutions.
The Five Eyes ministers’ communique says each country “will consider how best to implement” the statement of principles on encryption, “including with the voluntary co-operation of industry partners.” Any solution “will adhere to requirements for proper authorization and oversight, and to the traditional requirements that access to information is underpinned by warrant or other legal process.”
The Five Eyes ministers’ statement also included:
–a separate document promising to work together to counter the illicit use of online spaces by child predators, terrorists, violent extremists and others. “We note with disappointment that senior digital industry leaders did not accept our invitation to engage on critical issues regarding the illicit use of online spaces” during last week’s meeting, it added. The ministers called on the ICT industry to develop and implement capabilities to prevent illegal and illicit content from ever being uploaded, and to execute urgent and immediate takedown where there is a failure to prevent upload;
–a promise to work together to protect critical infrastructure and support the development of secure critical infrastructure supply chains;
–and a promise to share information on foreign interference and attribution.