Sergey Nivens - Fotolia
Five Eyes -- the government intelligence alliance between Australia, Canada, New Zealand, the U.K. and the U.S. -- issued a threat to tech companies that don't find ways to comply with law enforcement in the face of encrypted data and devices.
Following a meeting in Australia on Aug. 30, representatives of the Five Eyes nations detailed principles expressing support for privacy and claimed they did not want to weaken encryption. The coalition described a vision of cooperation between government and tech companies that would allow law enforcement to gain access to encrypted evidence. However, the Five Eyes partners reserved the right to take stronger action, if necessary.
Many of the points made by the Five Eyes governments are arguments the infosec community has heard before in pleas from the FBI, for example. But this is the first time the coalition of major Anglosphere countries has issued a joint statement on encryption.
In the "Statement of Principles on Access to Evidence and Encryption," Five Eyes claimed "encryption is vital" to economies and for protecting information, but added that these protections are also being abused by "child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution."
"Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute," the Five Eyes partners wrote. "It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards."
Although the statement did not mention encryption backdoors or how companies would have to weaken encryption in order to provide law enforcement access, there were also no details on how the Five Eyes partners expected tech companies to comply.
"The Governments of the Five Eyes encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries," the Five Eyes report read. "Governments should not favor a particular technology; instead, providers may create customized solutions, tailored to their individual system architectures that are capable of meeting lawful access requirements."
Much like past arguments about how to gain access without having to weaken encryption, the statement urged cooperation and said government access to encrypted data should be "underpinned by the rule of law and due process protections."
However, the statement ended with a threat: "Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions."
Experts defend encryption
Just as the Five Eyes argument for lawful access echoed past statements from law enforcement, experts took to Twitter with many of the same arguments used against previous law enforcement efforts to weaken encryption.
Chad Loder, founder of Rapid7, based in Boston, said even if law enforcement got its way, other software services would arise.
Another way to read this is “Five Eyes governments making the best case yet for open source”.— Chad Loder ❇️ (@chadloder) September 1, 2018
The toothpaste is already out of the tube - if governments push the Apples and Googles of the world to build backdoors, it will cause a huge shift to open source. https://t.co/Le2NeUeHgm
Others noted that even if the governments of the Five Eyes countries were to legislate weakened encryption, those laws would only apply to software companies based in one of the five countries.
Sergei Boeke, researcher and lecturer at the Institute of Security and Global Affairs and Cyber Security Academy at Leiden University in the Netherlands, expressed doubt that the Five Eyes partners would see the cooperation it hoped.
A few interesting points. 1). A joint statement by Five-Eyes countries; quite rare 2). Strong wording against encryption. More important for law enforcement than foreign intel, as attested by former heads NSA/GCHQ. 3) counts on voluntary cooperation from industry: no chance. https://t.co/n9CQTQzCiP— Sergei Boeke (@SergeiBoeke) September 3, 2018
Craig Lawson, research vice president at Gartner, said legal access was impossible without weakening encryption.
It’s actually pretty simple, you can’t say you want “a safe, secure internet” and then say you want (crypto or otherwise) backdoors. These are diametrically opposite to each other. https://t.co/hKRApSCYsL— craiglawson (@craiglawson) September 2, 2018
Dig Deeper on Data security and privacy
Encryption myths versus realities of Online Safety Bill
Tech companies risk being compelled by law to protect children, says online safety expert
ICO criticises government-backed campaign to delay end-to-end encryption
Government funds charity campaign to warn big tech over the risks of encryption to children