Sergey Nivens - Fotolia

Five Eyes wants to weaken encryption, or legislation may be needed

Five Eyes -- the government intelligence alliance between Australia, Canada, New Zealand, the U.K. and the U.S. -- vows not to weaken encryption, while pushing for encryption backdoors.

Five Eyes -- the government intelligence alliance between Australia, Canada, New Zealand, the U.K. and the U.S. -- issued a threat to tech companies that don't find ways to comply with law enforcement in the face of encrypted data and devices.

Following a meeting in Australia on Aug. 30, representatives of the Five Eyes nations detailed principles expressing support for privacy and claimed they did not want to weaken encryption. The coalition described a vision of cooperation between government and tech companies that would allow law enforcement to gain access to encrypted evidence. However, the Five Eyes partners reserved the right to take stronger action, if necessary.

Many of the points made by the Five Eyes governments are arguments the infosec community has heard before in pleas from the FBI, for example. But this is the first time the coalition of major Anglosphere countries has issued a joint statement on encryption.

In the "Statement of Principles on Access to Evidence and Encryption," Five Eyes claimed "encryption is vital" to economies and for protecting information, but added that these protections are also being abused by "child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution."

"Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute," the Five Eyes partners wrote. "It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards."

Although the statement did not mention encryption backdoors or how companies would have to weaken encryption in order to provide law enforcement access, there were also no details on how the Five Eyes partners expected tech companies to comply.

"The Governments of the Five Eyes encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries," the Five Eyes report read. "Governments should not favor a particular technology; instead, providers may create customized solutions, tailored to their individual system architectures that are capable of meeting lawful access requirements."

Much like past arguments about how to gain access without having to weaken encryption, the statement urged cooperation and said government access to encrypted data should be "underpinned by the rule of law and due process protections."

However, the statement ended with a threat: "Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions."

Experts defend encryption

Just as the Five Eyes argument for lawful access echoed past statements from law enforcement, experts took to Twitter with many of the same arguments used against previous law enforcement efforts to weaken encryption.

Chad Loder, founder of Rapid7, based in Boston, said even if law enforcement got its way, other software services would arise.

Others noted that even if the governments of the Five Eyes countries were to legislate weakened encryption, those laws would only apply to software companies based in one of the five countries.

Sergei Boeke, researcher and lecturer at the Institute of Security and Global Affairs and Cyber Security Academy at Leiden University in the Netherlands, expressed doubt that the Five Eyes partners would see the cooperation it hoped.  

Craig Lawson, research vice president at Gartner, said legal access was impossible without weakening encryption.

Dig Deeper on Data security and privacy

Enterprise Desktop
Cloud Computing