The “Five Eyes”, the consortium of intelligence agencies from the predominant English-speaking countries, has put the tech industry on notice. The agencies are suggesting that major tech companies such as Google voluntarily build encryption-circumventing measures into their products to provide them with unlimited access to data, or they may eventually be forced to by law.
The Five Eyes consists of the various intelligence agencies of the United States, Canada, the United Kingdom, Australia and New Zealand. A recent joint statement released by the five interior ministers cited cybercrime, terrorism and migration issues among the reasons for their need for effectively unfettered access to the user data collected by tech companies.
The agencies laid out their general terms for access to data in a statement of principles, which did acknowledge the importance of the rule of law and due process as well as respect for the privacy of citizens. It should also be noted that at this point, a formal demand for backdoors has yet to be made. The language of the statement suggests that these government agencies should have complete access to encrypted information, however, listing a litany of crime-fighting reasons for the protection of citizens as the justification. The only way for that to happen is for backdoors to be installed.
Built-in backdoors require an exceptional level of trust in government agencies to not abuse them. The track record of the Five Eyes agencies does not necessarily inspire that sort of trust, at least among privacy watchdog groups.
The Five Eyes: A shadowy history
The Five Eyes alliance has long been a magnet for controversy. The primary concern has been that member states use the alliance as a means of circumventing their own internal laws for warrantless monitoring of citizens, allowing partner agencies to perform the surveillance instead in a quid pro quo arrangement. The mid-2013 NSA leaks released by Edward Snowden first made the scope of this international information trading apparent to the general public, but the activities of the Five Eyes and the exact rules that govern the exchange of information between countries are still opaque to the populations that are subject to them.
Encryption has stymied law enforcement in recent high-profile cases in the Five Eyes countries, which likely has something to do with the motivation for this statement. For example, in the United States, the FBI has had a number of disputes with Apple in recent years over access to data on locked iPhones and iPads. The most prominent of these centered around a phone recovered from one of the shooters in the December 2015 mass shooting in San Bernardino, which the FBI was incapable of unlocking and attempted to force Apple to do so by court order.
The Snowden leaks also made clear that it’s not just citizens of the Five Eyes member nations that have to worry about spying. The NSA routinely spies on ally and friendly nations that are not members of the intelligence pact, up to and including the personal calls of German Chancellor Angela Merkel and the offices of the European Union.
When backdoor access to data breaks down
Trusting the Five Eyes governments to respect citizen privacy and always access information strictly with warrants and within the bounds of the law is one issue. Another is the security of these proposed mandatory backdoors.
Apple CEO Tim Cook argued this very point during the company’s legal tilts with the FBI, and with good reason. The burden of securing these backdoors from detection and abuse by unauthorized parties would fall on tech companies. This is a very difficult thing to do, especially when government intelligence agencies the world over with essentially limitless budgets are throwing their efforts at the task.
Backdoors can be placed in hardware or software. Hardware backdoors are usually much tougher to detect and make use of; for example, a backdoor planted in VIA CE processors manufactured between 2001 and 2003 was only just recently discovered in 2018. Of course, the problem with this type of backdoor is that once a vulnerability is out in the wild, all of the hardware with it effectively becomes useless silicon.
Access to data through software backdoors would be necessary for things like the cloud-based services and encrypted social media apps provided by tech companies. Existing backdoors are already hunted, documented and exploited by a vast network of both bug bounty hunters and cybercriminals. These enthusiastic professionals would immediately join intelligence agencies in probing for access. The numbers simply don’t favor any particular backdoor of this nature holding up for very long, no matter what tech companies do to secure it.
The future of encryption and tech companies
The Five Eyes agencies present some compelling national security reasons for a need to bypass encryption and have unfettered access to data, not the least of which is fighting terrorism. The broad and free access to data that they appear to be seeking is antithetical to the nature of encryption, however. If there is always a known method available at the hardware and software level to bypass encryption, then encryption becomes worthless for a wide range of legitimate purposes.
The widespread existence of these backdoors would also precipitate the need for an extremely high level of trust in governments to not abuse the ability and in tech companies to secure their products against the most sophisticated attackers. Neither governments nor tech companies have a particularly good track record upon which to base this level of trust. The myriad of leaks about the NSA’s data collection and hacking practices that have come out over the last few years indicate that these agencies could very well have trouble securing the details of their own backdoors, and such details could cause a global tech catastrophe if they made their way out to the general public.
It’s not uncommon for calls for backdoor access to data to be made in the wake of terrorist attacks, but they are usually made by isolated politicians or agencies that are not necessarily the most tech-savvy and see encryption only in terms of impediments to lawful access. The recent statement by the Five Eyes carries much more weight than previous proposals. It remains to be seen what sort of concrete action it might translate into, but at the very least it should have anyone concerned with data security thinking about what their future might look like if their present encryption schemes can no longer be relied upon.