Governments demand companies allow access to data, or else | Cyber Security

A decades-old alliance of national intelligence partners promised to get at encrypted data last week, whether tech companies helped them or not.

Australia, Canada, New Zealand, the United Kingdom and the United States released a joint statement calling on tech companies to help them access data when authorised by the courts – or else.

The alliance of countries is known as the Five Eyes, and it was formed after the Second World War as a collaborative effort to share intelligence information. The group released an Official Communiqué at a meeting last week, outlining several broad goals. One of these goals involved increasing government powers to target encrypted data when the courts authorized it (a concept known as ‘lawful access’).

The group went into more depth in its Statement of Principles on to Evidence and Encryption, released at the same time. The document starts off conciliatory enough, arguing that encryption is necessary:

Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information.

Then came the common refrain: You can have too much of a good thing.

However, the increasing use and sophistication of certain encryption designs present challenges for nations in combatting serious crimes and threats to national and global security.

The same encryption that protects legitimate information is also protecting criminals, the statement said, adding that while privacy laws are important, the authorities need a way to access communications when a court has allowed it. The countries’ reasoning here is that the same principles have applied to searches of homes and other physical spaces for years. They want the same warrant principles to apply in cyberspace.

The unified governments set out three principles. One reinforced the rule of law, explaining that governments must follow due process when accessing data.

Assuming they do that, though, another principle says that technology product and service providers – including carriers, device manufacturers or over-the-top service providers – have a responsibility to help governments access the data that they need. These companies should assist governments in getting access to data, the statement said, adding that situations where governments cannot access information with the courts’ consent should be rare.

The final principle has the stinger. Entitled ‘Freedom of choice for lawful access solutions’, it encourages companies to “voluntarily establish lawful access solutions to their products and services that they create or operate in our countries”. But what if they don’t volunteer?

Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.

So there it is. must help governments gain lawful access to data, or else.

The Five Eyes’ approach to lawful access appears conflicted. On the one hand, its Communiqué says:

The five countries have no interest or intention to weaken encryption mechanisms.

On the other hand, its statement on encryption appears to advocate exactly that. Should encryption be removed during transit to allow Fives Eyes access to data, that encryption is weakened.