Lock on computer chip showing Five Eyes call for encryption backdoors

Five Eyes, India and Japan Resume the Quest for Mandatory Encryption Backdoors in All Devices

Annual calls for what would effectively be the end of hardware encryption have been renewed by the “Five Eyes” nations along with India and Japan, continuing a pattern of pressing for universal encryption backdoors that has been established in recent years.

The coalition of world powers issued a joint statement decrying end-to-end encryption (E2EE), claiming that it prevents law enforcement from doing its job. The governments cite the need to break up rings of child predators and those that prey on other highly vulnerable groups, but what they propose would also leave all device users subject to government monitoring at any time and could also create critical vulnerabilities for hackers to exploit.

The Five Eyes: A relentless quest to end encryption

The “Five Eyes” security alliance nations (the US, UK, Canada, Australia and New Zealand) have been beating the drum for encryption backdoors for several years now. The US has been pressing for widespread law enforcement access to devices since the 2015 terrorist attack in San Bernardino, but Australia kicked off the alliance’s annual calls on tech companies in 2017 with a joint letter directed to its Ministers. Japan and India have more recently joined in the fray.

The debate has gone on for even longer and has been rehashed many times. The Five Eyes governments claim that all sorts of nasty international crime rings are able to communicate freely thanks to encryption capabilities commonly built into modern devices and cloud services, and that law enforcement cannot do its job of tracking them effectively without a special “backdoor” level of access. There are a number of different arguments against this idea: that it could devolve into illegal searches and seizures, that any hardwired backdoor could be (and most likely eventually would be) discovered and exploited by threat actors, that repressive governments would use it to suppress dissent, it could force tech firms into compromising positions if they refused illegal or improper government access to encryption backdoors, and implementing the architecture to make such a mandate possible could cause a hit of billions of dollars to national economies.

The 2020 version of the Five Eyes-led coalition’s seemingly annual call requested that tech companies take several specific steps: to embed encryption backdoors in their systems designs, to enable law enforcement access to device information in a “readable and usable format” and to consult with governments about facilitating legal access. The world governments want encryption backdoors not just in devices but also in cloud-based platforms and apps such as instant messaging.

The running battle over encryption backdoors

Given that the Five Eyes coalition is rooted in democratic nations, these requests have yet to escalate to demands. Pressure has been put on specific tech firms, particularly Apple and Facebook, but no member has passed legislation requiring encryption backdoors yet save Australia. In late 2018 the country’s federal parliament passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA), which compels a broad range of “communications providers” to assist law enforcement and intelligence agencies in circumventing E2EE encryption without any clear limits on what exactly can be asked of them. The UK technically has a similar capability in the form of the Investigatory Powers Act 2016 (IPA), but has yet to actually use it in this way to compel a tech firm to provide it with a backdoor. The UK government did make one hesitant attempt in 2017 with WhatsApp, but the matter appears to have been dropped after Facebook rebuffed it.

Though the Five Eyes nations always invoke the specter of child abusers and violent gangs threatening the safety of the public when calling for encryption backdoors, some observers believe that this push is really about keeping up with China in ability to gather intelligence. As of the start of 2020, an encryption reform bill allows for even foreign encryption systems in the country (after a passing a certification process) but requires that the government’s State Cryptography Administration (SCA) have complete access to any such system and its data. Some observers believe that the end goal of this system is for the state to have a store of all decryption keys and passwords that it can use freely to obtain any data it develops an interest in.

Most elements of the debate over encryption backdoors center on how much reach the government should have into people’s private lives, but the creation of a potential hardwired vulnerability in every device and service is a separate issue. Paul Bischoff, privacy advocate with Comparitech, expands on this risk to the general public: “It’s impossible to create an encryption backdoor that only law enforcement can take advantage of. If backdoors are in place, criminals will move on to other end-to-end encrypted messaging apps, while legitimate users suffer security and privacy violations. If our analysis of US wiretapping orders is any indication, only a fraction of law enforcement requests to decrypt data will actually be incriminating or lead to convictions. There’s little consideration for innocent parties whose communications are intercepted by law enforcement, and 99 percent of interception requests are granted by courts.”

Proposal would leave all device users subject to government #surveillance at any time and could also create critical vulnerabilities for #hackers to exploit. #privacy #respectdataClick to Post

The ultimate effectiveness of mandatory encryption backdoors in everything is also questionable as this will not put an end to open source software encryption, or even something new of this nature developed entirely for criminal purposes. Savvy criminals will likely jump to whatever is available; the more likely demographic to be subject to Five Eyes spying is the average user who is either unaware of the compromised device & service encryption or simply does not care if the government goes through their files.