The other day I was reading through blogs that I follow and found a couple of concerning stories about government efforts to weaken encryption. The FBI and Department of Justice have long complained about encryption being used by criminals and terrorists to aid their activities. The efforts to weaken encryption are not being driven solely by the US government. Security Boulevard and ZDnet reported on a meeting of the Five Eyes governments in Australia last week. The meeting was to go over areas of cooperation and information sharing. One topic addressed the widespread use of encryption and tech companies’ resistance to building a method of master access to this data.
The Five Eyes
For those, like me, who hadn’t heard the term Five Eyes, it refers to the United States, the United Kingdom, Canada, Australia, and New Zealand. The name refers back to the cooperation between the nations in signals intelligence that was defined under the 1943 UKUSA Agreement. This agreement started the sharing of intelligence information between the UK and US back in WWII and continues on today and evolves. The offices of the Attorney General for each of the nations was also present for these meetings, which makes an interesting crossroad between intelligence and law enforcement.
The meetings last week between the five countries resulted in several documents that were published by the Australian government on their website. These are titled “Five Country Ministerial 2018 Official Communiqué” and “Statement of Principles on Access to Evidence and Encryption.” The Official Communiqué included a paragraph on encryption towards the end of the document that states that the governments have no interest in weakening encryption mechanisms, but then go on to make the case that encryption must be reversible to governments. In spite of this intent, the act of making encryption reversible weakens it. It then links to the second document on evidence and encryption. This document is where some of the policy ideas get interesting.
“Privacy Is Not Absolute”
The document on access to evidence and encryption restates the challenges that encryption poses and details the crimes that are using encryption to hide the criminals responsible for them. The third paragraph of the document states, “Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute.” It then starts linking the need to break encryption to long-established abilities for law enforcement to conduct searches of homes and vehicles with court orders or similar authority. There are three principles laid out for access to encrypted data, and the third one is where they lay down the ultimatum to technology companies.
The third principle encourages “information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries.” The providers should be come up with their own way of granting governments the data they want. The final sentence is “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.” In essence, the tech companies can do this their way or governments’ way, but they will comply. Encryption must be breakable by governments or else.
There are several things which concern me here, but the one that seems most apparent is that the tech companies will face five different governments demanding access to this data. Once they are compelled to provide access to encrypted data or weaken algorithms in one country, then it becomes available to all nations. It becomes straightforward for the other four nations to say, “Well you did it for this country. Why can’t you give us the data we need?” Countries known for actively oppressing their people will demand the access as well. Once one country forces a tech company to their will, then that company falls to the other governments as well.
The intent of these nations strikes me as a Pandora’s box that will turn into a mess. The Five Eyes don’t mind encryption as long as they can have access to the data. They will not like it when they realize the tech companies will be forced to provide this data to nations such as China, Russia, and more. Once it results in news headlines, there will be inquiries, congressional hearings, and outrage. The same politicians and officials will be outraged at tech companies for selling out activists, business secrets, and more.
The only way that I can see to slow this down is for citizens in each of the countries to become informed and make their voices known on the issue in their country and to their fellow citizens. If this concerns you, then I recommend that you write to your representatives in Congress or Parliment. I’m already writing to my senators and house representative. Let them know what your opinion is.