(Washington, DC) – The governments that constitute the intelligence partnership known as “The Five Eyes,” will meet on June 26-27, 2017, in Ottawa to discuss how to bypass encryption. The governments may pursue a dangerous strategy that will subvert the rights and cybersecurity of all internet users.
Forcing technology companies to give governments “back door” access into all digital communications will do little to prevent terrorists from shielding their activities. But technologists and digital security experts have warned that imposing any requirement to build back doors into encryption or banning end-to-end encryption would broadly undermine cybersecurity. Technologists caution that companies cannot build a “back door” that can only be used by law-abiding officials, while keeping out bad actors. Governments should instead promote strong encryption as a key component of cybersecurity.
“Encryption protects billions of ordinary people worldwide from criminals and authoritarian regimes,” said Cynthia Wong, senior internet researcher at Human Rights Watch. “Agencies charged with protecting national security shouldn’t be trying to undermine a cornerstone of security in the digital age.”
The Five Eyes is an intelligence sharing partnership between Australia, Canada, New Zealand, the United Kingdom, and the United States. Law enforcement and intelligence agency representatives from each state will gather in Ottawa to discuss shared national security concerns. The meeting is expected to address the increasing use of end-to-end encrypted communications as a challenge to surveillance and seek a coordinated approach.
In recent years, law enforcement officials in some Five Eyes countries have contended that they are losing some of their ability to investigate crime or prevent terrorism because advances in consumer encryption have led some channels of information that were previously accessible to “go dark.” Companies like Apple and WhatsApp have begun to integrate “end-to-end” encryption into their products by default, which makes it impossible for even the companies to retrieve unscrambled user data at the request of the government because the firms do not hold the decryption “keys.” Some officials have gone further and sought legislation to ensure that their governments can access all encrypted data, even if this would force companies to build “back doors” or other vulnerabilities into phones and applications to bypass encryption.
Australian Attorney General George Brandis plans to raise the need for new restrictions on the encryption built into popular messaging applications with Five Eyes counterparts, stating that existing laws “don’t go far enough.”
In March, in the immediate aftermath of the Westminster attack, UK Home Secretary Amber Rudd called end-to-end encryption on apps such as WhatsApp “completely unacceptable” and stated that “there should be no place for terrorists to hide.” On June 13, UK Prime Minister Theresa May and French President Emmanuel Macron announced a counter-terrorism joint action plan that calls for greater access to encrypted communications.
The UK’s Investigatory Powers Act allows authorities to compel companies to take undefined “reasonable” and “practicable” measures to facilitate interception, including of unencrypted data. Authorities are still determining the exact scope of what companies will be required to do under the law with respect to encryption.
Law enforcement officials in the US have also repeatedly called for companies to build back doors into encryption. In 2016, media reports released draft legislation that would have required technology companies to provide access to encrypted information in an “intelligible format” upon court order. The bill did not specify how companies would have to unscramble encrypted information, but it would have effectively forced companies to bypass encryption and other security features. The bill faced widespread criticism from security experts and privacy groups as unworkable and harmful to cybersecurity and was never formally introduced.
In February 2016, US authorities also sought a court order to force Apple to build a back door into an iPhone that was used by one of the attackers in the 2015 San Bernardino attack. Apple challenged the order, and authorities eventually withdrew it because they were able to access the phone’s data without Apple’s help.
In 2016, Canada held a consultation on its national security framework, which expressed concern over security agencies’ diminished ability to investigate crimes due to the use of encryption. It also stated that Canada had no legal procedure to require decryption.
Many officials from Five Eyes countries claim they do not seek “back doors.” But they don’t explain how companies that don’t hold encryption keys could provide exceptional access for law enforcement to unencrypted data without a back door. To implement such a requirement, companies would be forced to redesign their products without security features like end-to-end encryption.
Back doors create weaknesses that can be exploited by malicious hackers or other abusive government agencies. Billions of people worldwide rely on encryption to protect them from threats to critical infrastructure like the electrical grid and from cybercriminals who steal data for financial gain or espionage. The vast majority of users who rely on encryption have no connection to wrongdoing.
Encryption built into phones and messaging apps can also help safeguard human rights defenders and journalists from abusive surveillance and reprisals, including threats of physical violence. In 2015, the UN special rapporteur on freedom of expression, David Kaye, recognized that encryption enables the exercise of freedom of expression, privacy, and a range of other rights in the digital age.
Governments have an obligation to investigate and prosecute crime and protect the public from threats of violence. But proposals to weaken encryption in popular products will not prevent determined criminals or terrorists from using strong encryption to shield their communications. A recent survey shows that determined, malicious actors would still be able to access such tools made by companies outside the Five Eyes countries, which would not be subject to their laws.
Ordinary users will be more vulnerable to harm, online and offline, if technology firms are forced to weaken the security of their products, Human Rights Watch said. Instead of weakening encryption, governments should better train law enforcement officials to use investigative tools already at their disposal, including access to the vast pool of metadata from digital communications or location data that is not encrypted, consistent with human rights requirements.
“If the Five Eyes countries force tech companies to build encryption back doors, it would set a troubling global precedent that will be followed by authoritarian regimes seeking the same,” Wong said. “These governments should promote strong encryption instead of trying to punch holes in it, which would lead to a race to the bottom for global cybersecurity and privacy.”