This week, representatives of the Five Eyes intelligence alliance – the U.S., UK, Canada, Australia and New Zealand – along with the intelligence services of Japan and India issued a joint call for the tech world to provide “lawful access” into commercial encryption.
In a statement that was posted on the website of the United States Department of Justice, the intelligence services noted that an understanding that encryption continues to play a crucial role in protecting personal data, privacy, intellectual property, trade secrets, and cyber security. Encryption was also understood to provide a vital purpose in repressive states to protect journalists, human rights defenders, and other vulnerable individuals.
However, the intelligence services also noted, “Particular implementations of encryption technology, however, pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children.”
The services urged industry to address the joint concerns where encryption is applied in a way that “wholly precludes any legal access to content.” Additionally, the statement called on technology companies to work with governments to take the necessary steps, which are focused on reasonable, technically feasible solutions to provide that lawful access.
*Embedding the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable;
*Enabling law enforcement access to content in a readable and usable format where an authorization is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight; and
*Engaging in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.
This is not the first time the Five Eyes alliance have called upon the tech giants to address the issue of end-to-end encryption (E2EE) into their respective products. Similar calls were made in 2018 and 2019, as the intelligence services have argued that way that E2EE could be supported on many major tech platforms essentially prohibits law enforcement from investigating crime rings and other illicit activities.
The issue is whether enabling access to law enforcement could in turn create potential “back doors” that could be used by cyber criminals or even foreign actors.
“It’s impossible to create an encryption backdoor that only law enforcement can take advantage of,” warned Paul Bischoff, privacy advocate with Comparitech, via an email to ClearanceJobs.
“If backdoors are in place, criminals will move on to other end-to-end encrypted messaging apps, while legitimate users suffer security and privacy violations,” Bischoff added. “If our analysis of U.S. wiretapping orders is any indication, only a fraction of law enforcement requests to decrypt data will actually be incriminating or lead to convictions. There’s little consideration for innocent parties whose communications are intercepted by law enforcement, and 99% of interception requests are granted by courts.”
An argument could be made that the intelligence community and even the U.S. Department of Justice (DoJ) would be interest in relaxed standards to make it easier for investigators to do their jobs. Of course if the “digital thugs” were to find it easier to access information that too would be the DoJ’s problem.
“The only down side for DoJ would be if they must abide the same standards, and we don’t hear anyone in the government begging for less security in DoJ systems, do we,” explained Jim Purtilo, associate professor of computer science at the University of Maryland.
“What the feds call for are more ways to access protected information, and this means criminals get more bites at the apple too,” Purtilo told ClearancesJobs. “The algorithms will be more complex, but not in a good way. Normally computational complexity makes it tough for an unauthorized agent to reverse encryption; more complexity means more protection. However, once we architect multiple ways to access information, the program’s complexity will go up – there is more a programmer must get right – yet the computational complexity that protects goes down.”
An alternate solution that has been suggested would be for the tech community to work to provide greater access to law enforcement or the IC. Of course that falls back on the often asked question “Quis custodiet ipsos custodies” – or who watches the watchmen.
“Giving keys to the DoJ just in case they might want your information also creates a single point of failure that would have grim consequences if breached,” added Purtilo. “Then everyone’s data are exposed. This might sound unlikely, but let’s remember it was the fed (Office of Personnel Management) that a few years back exposed sensitive personal records of all people who ever applied for security clearances.”
The IC and Cybersecurity
The Five Eyes Alliance, which was formed in 1946 among the five English-speaking nations as a way to share security information, has increasingly had to deal with the issue of cybersecurity in recent years. That included joining with 22 other nations to determine what constitutes fair or foul play in cyberspace. Last year, the Five Eye nations were amongst those who agreed to a broadly written agreement for all nations to follow international law even online.
An issue of cybersecurity also caused the largest riff among the alliance when the UK opted to move forward with a plan to have Chinese-based Huawei build out the nation’s 5G network. While the telecom company would have been blocked from the core parts of the system, the fact that it was involved at all caused a serious divide within the Five Eyes. However, in July Prime Minister Boris Johnson announced that the UK would follow its IC partners and ban Huawei from its 5G network and all components and equipment deployed and/or made by the Chinese firm would be removed from the UK by 2027.