Governments demand companies allow access to data, or else | Cyber Security
A decades-old alliance of national intelligence partners promised to get at encrypted data last week, whether tech companies helped them or not.
Australia, Canada, New Zealand, the United Kingdom and the United States released a joint statement calling on tech companies to help them access data when authorised by the courts – or else.
The alliance of countries is known as the Five Eyes, and it was formed after the Second World War as a collaborative effort to share intelligence information. The group released an Official Communiqué at a meeting last week, outlining several broad goals. One of these goals involved increasing government powers to target encrypted data when the courts authorized it (a concept known as ‘lawful access’).
The group went into more depth in its Statement of Principles on Access to Evidence and Encryption, released at the same time. The document starts off conciliatory enough, arguing that encryption is necessary:
Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information.
Then came the common refrain: You can have too much of a good thing.
However, the increasing use and sophistication of certain encryption designs present challenges for nations in combatting serious crimes and threats to national and global security.
The same encryption that protects legitimate information is also protecting criminals, the statement said, adding that while privacy laws are important, the authorities need a way to access communications when a court has allowed it. The countries’ reasoning here is that the same principles have applied to searches of homes and other physical spaces for years. They want the same warrant principles to apply in cyberspace.
The unified governments set out three principles. One reinforced the rule of law, explaining that governments must follow due process when accessing data.
Assuming they do that, though, another principle says that technology product and service providers – including carriers, device manufacturers or over-the-top service providers – have a responsibility to help governments access the data that they need. These companies should assist governments in getting access to data, the statement said, adding that situations where governments cannot access information with the courts’ consent should be rare.
The final principle has the stinger. Entitled ‘Freedom of choice for lawful access solutions’, it encourages companies to “voluntarily establish lawful access solutions to their products and services that they create or operate in our countries”. But what if they don’t volunteer?
Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.
So there it is. Companies must help governments gain lawful access to data, or else.
The Five Eyes’ approach to lawful access appears conflicted. On the one hand, its Communiqué says:
The five countries have no interest or intention to weaken encryption mechanisms.
On the other hand, its statement on encryption appears to advocate exactly that. Should encryption be removed during transit to allow Fives Eyes access to data, that encryption is weakened.
No ungoverned spaces
The other focus for Five Eyes was on online spaces (think Facebook, YouTube and suchlike). It advocated for a “free, open, safe and secure internet”. This means stopping wrongdoers online including terrorists and child abusers. It also singled out foreign interference and disinformation.
In its Statement on Countering the Illicit Use of Online Spaces, it said that it had asked tech leaders to help it look at this problem but came up empty-handed. So it outlined a set of goals anyway.
It urged the tech sector to figure out ways to prevent illegal content from being uploaded, and to take it down more quickly when identified. They should also go through existing online content and check that too. Tech companies should share hashes of this information more readily to co-operate on takedowns, it said, adding that the governments would also share these hashes between themselves and with the tech sector.
The five governments will also be watching the tech industry and reporting back on a quarterly basis, the statement concluded.
This more aggressive, official Five Eyes stance on governmental control of and access to internet information has been in the works for a while. Australia has been particularly outspoken on the issue.
Recently-ousted Australian Prime Minister Malcolm Turnbull called directly on Five Eyes for more action in June 2017 at a speech to the Australian Federal Council:
The internet cannot be an ungoverned space. We cannot continue to allow terrorists and extremists to use the internet and the big social media and messaging platforms – most of which are hosted in the United States I should say – to spread their poison.
Australia recently announced its own stricter rules on lawful access, following the United Kingdom’s lead.