A decades-old alliance of national intelligence partners promised last week to get at encrypted data, whether tech companies helped them or not.
Australia, Canada, New Zealand, the United Kingdom and the United States released a joint statement calling on tech companies to help them access data when authorised by the courts – or else.
The alliance of countries is known as the Five Eyes, and it was formed after the Second World War as a collaborative effort to share intelligence information. The group released an Official Communiqué at a meeting last week, outlining several broad goals. One of these goals involved increasing government powers to target encrypted data when the courts authorized it (a concept known as ‘lawful access’).
The group went into more depth in its Statement of Principles on Access to Evidence and Encryption, released at the same time. The document starts off conciliatory enough, arguing that encryption is necessary:
“Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information.”
Then came the common refrain: You can have too much of a good thing.
“However, the increasing use and sophistication of certain encryption designs present challenges for nations in combatting serious crimes and threats to national and global security.”
The same encryption that protects legitimate information is also protecting criminals, the statement said, adding that while privacy laws are important, the authorities need a way to access communications when a court has allowed it. The countries’ reasoning here is that the same principles have applied to searches of homes and other physical spaces for years. They want the same warrant principles to apply in cyberspace.
The unified governments set out three principles. One reinforced the rule of law, explaining that governments must follow due process when accessing data.
Assuming they do that, though, another principle says that technology product and service providers – including carriers, device manufacturers or over-the-top service providers – have a responsibility to help governments access the data that they need. These companies should assist governments in getting access to data, the statement said, adding that situations where governments cannot access information with the courts’ consent should be rare.
The final principle has the stinger. Entitled ‘Freedom of choice for lawful access solutions’, it encourages companies to “voluntarily establish lawful access solutions to their products and services that they create or operate in our countries”. But what if they don’t volunteer?
“Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”
So there it is. Companies must help governments gain lawful access to data, or else.
The Five Eyes’ approach to lawful access appears conflicted. On the one hand, its Communiqué says:
“The five countries have no interest or intention to weaken encryption mechanisms.”
On the other hand, its statement on encryption appears to advocate exactly that. Should encryption be removed during transit to allow Five Eyes access to data, that encryption is weakened.
No ungoverned spaces
The other focus for Five Eyes was on online spaces (think Facebook, YouTube and suchlike). It advocated for a “free, open, safe and secure internet”. This means stopping wrongdoers online including terrorists and child abusers. It also singled out foreign interference and disinformation.
In its Statement on Countering the Illicit Use of Online Spaces, it said that it had asked tech leaders to help it look at this problem but came up empty-handed. So it outlined a set of goals anyway.
It urged the tech sector to figure out ways to prevent illegal content from being uploaded, and to take it down more quickly when identified. They should also go through existing online content and check that too. Tech companies should share hashes of this information more readily to co-operate on takedowns, it said, adding that the governments would also share these hashes between themselves and with the tech sector.
The five governments will also be watching the tech industry and reporting back on a quarterly basis, the statement concluded.
This more aggressive, official Five Eyes stance on governmental control of and access to internet information has been in the works for a while. Australia has been particularly outspoken on the issue.
Recently-ousted Australian Prime Minister Malcolm Turnbull called directly on Five Eyes for more action in June 2017 at a speech to the Australian Federal Council:
“The internet cannot be an ungoverned space. We cannot continue to allow terrorists and extremists to use the internet and the big social media and messaging platforms – most of which are hosted in the United States I should say – to spread their poison.”
Australia recently announced its own stricter rules on lawful access, following the United Kingdom’s lead.
Ld Elon
Actually white ‘hidden in plain sight’ colonial supremacy governments sez this…
Nobody else has.
Paul Ducklin
Lots of governments at various points on their postcolonial journeys “sez this”. Try entering the search term lawful interception [nameofacountry] into your favourite search engine.
(Not taking sides, just pointing out that the issue of telecommunications interception and the regulation of access to cryptographic services are hot topics the world over right now.)
Simon McAllister
Yeah but… guns are used for defence/protection against crooks and no one’s managed to stop the crooks using them to attack either….
If Facebook, for example, grant this access (which I believe they should seeing as it’s a free, open platform) then surely the crooks will just move onto something else.
JD
“lawful access”
Every time I see that phrase, all I can think is the old saying, “Everything Hitler did was legal.”
s31064
While I get your point, what you’re missing is the fact that all five of the Five Eyes governments are composed of popularly elected officials. Germany under Hitler was anything but. The Government of Nazi Germany was a dictatorship run according to the Führerprinzip, which basically meant that Hitler’s word was above all law.
Anon
Hitler was a popularly elected official and he was granted the powers of dictator for life through the democratic institutions of the day.
Paul Ducklin
At this point, Godwin’s law probably ought to kick in and invalidate this entire comment thread…but didn’t Hitler get his dictatorship because of Hindenburg and Article 48, which effectively sidestepped the democratic institutions of the day by triggering so-called “emergency powers”?
Given the increasing popularity of the Nazi movement and the economic incompetence of the administration at the time, I suppose Hitler might ultimately have got to power anyway “as a popularly elected official…through the democratic institutions of the day”, as you put it, but that’s not actually what happened, is it? It was pretty much a coup, wasn’t it?
Bentham
“The countries’ reasoning here is that the same principles have applied to searches of homes and other physical spaces for years. They want the same warrant principles to apply in cyberspace.”
So to follow that analogy: the state gets the warrant to access and if the owner refuses the court allows the state to “put the door in” – the law does not require all housebuilders to build houses with weak doors!
(Heaven forbid)
RichardD
They also seem to miss the point that the search warrant doesn’t grant them the power to magically decrypt notes found in the home which the occupier has manually encrypted.
Paul Ducklin
AFAIK, if you get in the way of officials who are executing a lawfully issued search warrant, then you have not complied with it. So you can’t open the front door and then refuse to open the cupboards, or open the cupboards and refuse to “decrypt” the safe, if the warrant covers the room where the safe is found.
RichardD
So what’s stopping them from implementing the same approach with electronic communications? If they have a warrant that covers an encrypted communication, demand that the sender or recipient (whichever is covered by the warrant) provides access to the unencrypted version. If they don’t, then they’re not complying with the warrant, and will be punished appropriately.
A search warrant for a physical address doesn’t guarantee that the occupier will comply. So that example can hardly be used to justify breaking or weakening encryption just in case the target of an electronic search warrant doesn’t comply.
And that’s before you get started on how they’re planning to force the criminals to abandon their current “unbreakable” encryption in favour of the government’s new back-doored encryption. :)
Paul Ducklin
Ah, we are at cross-purposes.
I think you’re saying that the power of the warrant is kind of a red herring in this case. A warrant that allows break-and-enter to a home, and then breaking into every cupboard and safe, is all very well, but there isn’t really an analogue for cryptographic cracking – if the suspect won’t play ball, no amount of angle grinders, crowbars, explosive charges or diamond-tipped drills will get you into a properly scrambled file.
I was simply commenting on the fact that the legalistic breadth of the warrant in each case (physical and electronic) is generally as broad as the location specified for the search. So by law you are supposed to open the main door, and any doors behind that door, and so on.
FYI I’m *not* arguing for crypto backdoors.
They’re a crazy idea because they doubly favour the crooks – quite the opposite of what many politicians seem to think. Firstly, the crooks simply won’t comply and the backdoor will therefore be useless for the cops to use against the crooks. But the rest of us will comply and the backdoor will therefore be ideal for the crooks to use against us. For the law-abiding majority that backdoors are supposed to protect, they amount IMO to a sort of “ultimate lose-lose” situation.
You can’t strengthen cybersecurity by weakening it. That’s a truism, surely?
Spryte
“the Five Eyes governments are composed of popularly elected officials”
A Democracy is just a place where the Dictator happens to have been elected.
Their governments will do whatever they feel is in their own best interests, not the interest of the populace that “Elected” them.
Doesn’t matter what the subject, from economics to security, and everything in between.