Published on the 05/09/2018 | Written by Jonathan Cotton
Five Eyes talks tough on encryption (or non-encryption) rules…
The five country intelligence alliance of the UK, US, Canada, Australia and New Zealand met last week to address the complex homeland and national security challenges facing the Western World, and in the process issued something of a challenge – or perhaps an ultimatum – to businesses on this side of the globe.
“Privacy is not absolute”, says the group, and tech companies had better take note.
Five Eyes is not in the habit of releasing press announcements, but the official communiqué from the meeting begins magnanimously enough, assuring readers that encryption is indeed “vital to the digital economy, a secure cyberspace and the protection of personal, commercial and government information” and that the five countries have no interest “or intention to weaken encryption mechanisms”.
“Privacy is not absolute.”
There’s a ‘however’, however, and it’s a big one.
“The inability of intelligence and law enforcement agencies to lawfully access encrypted data and communications poses challenges to law enforcement agencies’ efforts to protect our communities.”
Therefore, says the group, there is an “urgent need for law enforcement to gain targeted access to data, subject to strict safeguards, legal limitations, and respective domestic consultations”.
The communiqué doesn’t elaborate much from there, but does direct the reader to a document published in September entitled the Statement of Principles on Access to Evidence and Encryption which states that “privacy is not absolute.”
“It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorised such access based on established legal standards.
“The same principles have long permitted government authorities to search homes, vehicles, and personal effects with valid legal authority.”
So Five Eyes has an interest in gaining access to private information it otherwise wouldn’t have access to, no great surprises there. But in 2018, what’s the point of seizing data if you can’t crack its encryption?
“The increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is a pressing international concern that requires urgent, sustained attention and informed discussion on the complexity of the issues and interests at stake.”
And that’s where the rubber hits the road for industry, because according to Five Eyes, it’s not enough to hand over the data, tech companies and device makers should be ‘encouraged’ to figuratively spell it out.
“Providers of information and communications technology and services – carriers, device manufacturers or over-the-top service providers – are subject to the law, which can include requirements to assist authorities to lawfully access data, including the content of communications.”
“We are always willing to work with technology providers in order to meet our public safety responsibilities and ensure the ability of citizens to protect their sensitive data. Law enforcement agencies in our countries need technology providers to assist with the execution of lawful orders.”
It all sounds a bit familiar. Just last month we covered the new Australian draft legislation proposing sweeping new powers to intercept and access encrypted data linked to illegal activity, and the criticisms of the same.
With no mention of oversight, accountability or scope, Five Eyes’ statements should provoke similar concern.
InternetNZ CEO, Jordan Carter, says that of all the recommendations being pushed by Five Eyes, the possibility of breaking end-to-end encryption is particularly worrying.
“Encryption provides important protection for all of us. We need encryption for things like online banking and booking travel safely. We need it to keep ourselves safe and secure online. Without it no one will have trust in the Internet.”
There are “alternative solutions” to keeping citizens safe, says Carter, “without breaking technologies that do just that.”
“To find these solutions the right people need to be in the room.”
“It’s vital the government discuss these topics with a wide range of people and organisations – the tech sector, law enforcement, small and medium businesses who depend on safe online services, human rights, privacy advocates and more.”