The governments of the UK, US and other Five Eyes alliance partners Canada, Australia and New Zealand say government authorities should be able to seek access to otherwise private information.
The group says it encourages information and communications technology service providers to voluntarily establish lawful access solutions to their products and services, but warns in a statement that should governments “continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions”.
The statement is part of an official communiqué issued after a recent meeting of representatives of the alliance partners in Australia to discuss collaboration and security challenges. Other topics addressed in the communique include: a free, open safe and secure internet; countering the threat of terrorism; cyber security and resilience of critical infrastructure; and criminal information sharing.
The alliance partners say they are “committed to personal rights and privacy, and support the role of encryption in protecting those rights” and even acknowledge that “encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information”
However, they say the increasing use and sophistication of certain encryption designs “present challenges for nations in combatting serious crimes and threats to national and global security”.
The statement notes that many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organised crime groups to frustrate investigations and avoid detection and prosecution.
“Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute. It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorised such access based on established legal standards,” the statement said, adding that the same principles have long permitted government authorities to search homes, vehicles, and personal effects with valid legal authority.
Read more about encryption
- Encryption is under attack, says Venafi CEO Jeff Hudson.
- A report from US district attorney Cyrus Vance claims the encryption of data on mobile operating systems has had severe consequences for public safety.
- The Wikimedia Foundation calls on all websites to join its move to encrypt all connections by default.
- Seven more security suppliers join Blue Coat’s encrypted traffic management programme amid fresh warnings of attackers using encryption to hide malicious activity.
According to the Five Eyes governments, the increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is “a pressing international concern” that requires “urgent, sustained attention and informed discussion”.
Otherwise, the statement said, court decisions about legitimate access to data are increasingly “rendered meaningless”, threatening to undermine the systems of justice. Each of the Five Eyes countries will consider how best to ensure access to encrypted products. The options include voluntary cooperation of industry partners or legislation.
Any response, the statement said, will adhere to requirements for “proper authorisation and oversight”, and to the “traditional requirements” that access to information is underpinned by.
“We recognise that, in giving effect to these principles, governments may have need to engage with a range of stakeholders, consistent with their domestic environment and legal frameworks,” the statement said.
In a joint statement on countering the illicit use of online spaces, the Five Eyes alliance partners said they were united in their commitment to protect their citizens from child predators, terrorists, violent extremists and other illicit actors.
The statement calls on tech firms to develop capabilities to prevent illegal and illicit content from ever being uploaded, to execute urgent and immediate takedown where there is a failure to prevent upload, to deploy human and automated capabilities to seek out and remove legacy content, to remove and prevent re-uploading of illegal content, to prioritise user safety in design of all online platforms, to build and enhance capabilities to counter foreign interference and disinformation, and to prevent preventing live streaming of child sexual abuse on all platforms.
“We recognise that governments also have a major role to play in addressing the spread of illicit content online. We commit to build the capacity of non-“five eyes” countries to protect and defend the most vulnerable,” the statement said.
The countries said they would establish a senior officials group charged with monitoring industry progress on a quarterly basis and called on digital industry CEOs to future meetings of alliance partners to update the alliance on their efforts directly.
UK and US intelligence and law enforcement agencies have led the campaign for tech companies to build backdoors into their products and services, weakening secure encryption to enable electronic surveillance.
In a speech at the Association of State Criminal Investigative Agencies 2018 Spring Conference on 7 May, US attorney general Jeff Sessions said: “It is critical that we deal with the growing encryption or the “going dark” problem.
“And the stakes are high. Last year, the FBI was unable to access investigation-related content on more than 7,700 devices – even though it had the legal authority to do so. Each of those devices was tied to a threat to the American people,” he said.
In the UK, former home secretary Amber Rudd went on a crusade against end-to-end encryption that began after the Westminster terror attack on 22 March 2017, but she appeared to back down after discussions with WhatsApp’s owner, Facebook, and Google, Twitter and Microsoft on the issue.
In an official statement after the meeting, no mention was made of restricting encryption or requiring tech firms to provide backdoors, and the government’s apparent u-turn on the issue was widely welcomed by the security industry.
However, concerns remain among technology firms about the lack of clarity around encryption and bulk data collection in the UK government’s controversial Investigatory Powers Act, which allows the government to demand “technical” changes to software and systems.
Opponents to the introduction of backdoors say that they put the privacy and security of everyone using these compromised products at risk because backdoors created for law enforcement and intelligence surveillance are vulnerabilities available for hackers to exploit.