Strong encryption can be a threat to law enforcement and national security, the governments of the United States, United Kingdom, Canada, Australia and New Zealand said in a statement issued Sunday.
“The increasing use and sophistication of certain encryption designs present challenges for nations in combating serious crimes and threats to national and global security,” maintained the countries, which are known as the “Five Eyes” based on an agreement they entered to cooperate on signal intelligence.
“Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution,” they added.
The statement sets out three principles the nations agreed to abide by when dealing with encryption within their jurisdictions:
- Access to lawfully obtained data shall be a mutual responsibility of all stakeholders — government, carriers, device manufacturers and over-the-top service providers.
- All governments should ensure that assistance requested from providers is underpinned by the rule of law and due process protections.
- Information and communications technology service providers should voluntarily establish lawful access solutions to their products and services.
Do It or Else
Whether compliance with the lawful access demands of the Five Eyes will be voluntary for long remains to be seen, especially in light of the final paragraph in the statement: “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”
That language reeks of Australia, noted Nate Cardozo, a senior staff attorney at the Electronic Frontier Foundation, a digital privacy advocacy group in San Francisco.
For more than a year, Australia has been mulling over legislation aimed at regulating encryption within its borders.
“Australia is looking to lead the charge against security, privacy and technology,” Cardozo told TechNewsWorld. “It believes itself to be in a security crisis, and since it doesn’t have much hope of getting tech investment, it’s more likely to do something to the tech sector.”
Good Guys With Bad Encryption
Forcing companies to provide governments access to encrypted data likely will be a losing proposition, both for the governments and the people they’re trying to protect.
“Bad guys will just be chased to places where strong encryption is available, and good citizens won’t have the opportunity to use the best possible encryption,” argued Balakrishnan Dasarathy, information assurance program chair at the University of Maryland University College in Largo, Maryland.
“Good guys will follow the rules and not have all the best technology,” he told TechNewsWorld.
Although law enforcement has complained about encryption, the technology has failed to prevent it from getting what it wanted in the past.
“Time and time again law enforcement gets what it needs without backdoors,” EFF’s Cardozo observed.
“Backdoors make law enforcement’s job easier at the cost of all our security,” he continued. “Encryption is a magic bullet only if you use it absolutely correctly, which literally no one does.”
There is no way to expose data to friendly spy agencies without also risking exposure of this data to not-so-friendly entities, maintained Craig Young, a computer security researcher at Tripwire, a cybersecurity threat detection and prevention company in Portland, Oregon.
“The truth of the matter is that backdoors simply make the process effortless and can enable bulk data collection without individualized suspicion of wrongdoing,” he told TechNewsWorld.
“Even without backdoors added into communication protocols, intelligence agencies and law enforcement should generally have other tools at their disposal to gain access to endpoints and thereby circumvent the need to break any encryption,” said Young.
“Listening devices, hardware key loggers, and malware can all effectively defeat end-to-end encryption for an individual without adding risk to the general public,” he explained.
Encryption is either strong or it is broken, without much of any room for middle ground, Young contended.
Encryption Horse Out of Barn
Backdoors create great risk to the security of data, noted Young.
“Widespread deployment of any backdoor creates tremendous risk if a third party were ever to gain access either through legal channels or reverse engineering,” he pointed out.
“Anything you do for the good guys will get into the hands of the bad guys also,” said UMUC’s Dasarathy. “It’s only a matter of time. You’re only kidding yourself if you think otherwise.”
The Five Eyes’ attempt to curb the trend toward encryption may be based on an antiquated notion.
“The cat is very much out of the bag on strong encryption,” Tripwire’s Young said. “Anyone with an inkling of technology prowess is capable of building their own private communication scheme.”
Backdoor keys almost inevitably would fall into the wrong hands, Cardozo suggested. Further, they wouldn’t enable the good guys to get the bad guys they’re after.
Applications with strong encryption would appear online, be downloaded and sideloaded onto phones, he said.
“It takes only the tiniest bit of technical sophistication to install an app, and that’s all it will take to get around a backdoor,” Cardozo noted.
What’s more, “any attacker who is sophisticated enough to recognize a listening device or a physical implant from the NSA is certainly not going to rely on a public communication infrastructure without strong end-to-end encryption,” Young noted.
Public Distrust of Government
If the Five Eyes decide to make good on their threat to force the use of backdoors in encrypted products, they may find themselves at odds with a lot of their citizens.
Fewer than half (41 percent) of the 3,000 consumers polled in the U.S., UK and Germany believed laws that provided government access into encrypted personal data would make them safer from terrorists. The survey was conducted last year by Salt Lake City-based Venafi, maker of a platform to protect encryption keys.
Skepticism of government was high in general, with nearly two-thirds (65 percent) suspecting their governments abused their powers to access the data of citizens. That number was even higher in the United States, where 78 percent of respondents held that belief.
“Giving governments access to encryption will not make us safer from terrorism — in fact, the opposite is true,” said Venafi CEO Jeff Hudson.
“Most people don’t trust the government to protect data, and they don’t believe the government is effective at fighting cybercrime,” he added. “It’s ironic that we believe we would be safer if governments were given more power to access private encrypted data, because this will undermine the security of our entire digital economy.”