Canada has again joined its partners in the Five Eyes intelligence co-operative and is calling on tech companies to work with governments to find a legal way around their end-to-end encryption.
In a news release over the weekend, senior cabinet officials from Canada, the U.S., the United Kingdom, Australia and New Zealand, as well as the governments of India and Japan, urged the industry to address concerns that encryption in their products helps criminals by precluding any legal access to unlawful communications.
“Particular implementations of encryption technology … pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children,” officials wrote.
The governments are asking industry to help find “reasonable, technically feasible solutions” that do the following:
- Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable.
- Enable law enforcement access to content in a readable and usable format where a (court) authorization is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight.
- Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.
The demand by governments and law enforcement agencies for lawful access to encrypted communications has been going on for years, and been resisted by privacy experts for just as long.
It’s being raised again, says the statement, because of proposals to apply end-to-end encryption across major messaging services. Many services including WhatsApp and Telegram already offer it. Zoom has been testing it since July.
The issue last hit headlines in the summer of 2019 when the University of Toronto’s Citizen Lab condemned then-Public Safety Minister Ralph Goodale for changing Canada’s policy on lawful access. Before then, Canada said it favoured strong encryption in products to protect citizens. However, after Goodale signed a Five Eyes communique urging tech companies to include “mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format.”
Citizen Lab hit back. “In advancing an irresponsible encryption policy that would deny individuals and businesses access to strong encryption, [Ralph Goodale, Minister of Public Safety] and the Government of Canada have failed to publicly acknowledge and present the range of serious harms that would follow should companies voluntarily, or under compulsion, adopt the government’s current policy,” it said.
Briefly, privacy and many encryption experts argue that what governments want is a back door into systems so they can read communications of crooks and nation-states. However, they say even if any back door system needs judicial approval a hole is a hole, and it can be exploited by any skilled attacker. There is no such thing, they argue as a process that can only be used by governments. As a result, such back doors or processes end personal privacy.
The weekend communique acknowledges that technology companies use encryption to protect their users. But, the release also says, law enforcement must find a way to respond to “illegal content, child sexual exploitation and abuse, violent crime, terrorist propaganda and attack planning.” In fact, the Five Eyes argue, end to end encryption hobbles tech companies own efforts to fight these threats.
All that is being asked, according to the Five Eyes community, is for law enforcement agencies to access content “in limited circumstances where necessary and proportionate to investigate serious crimes and protect national security.”
“We challenge the assertion that public safety cannot be protected without compromising privacy or cybersecurity,” the statement reads. “We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions.”
Suggestions include creating master decryption keys that, in theory, only law enforcement agencies can access with a court order; giving police the ability to get a court order to compel suspects to decrypt their conversations; or creating a way that allows third parties to lawfully listen in to encrypted conversations or messages.