Weakening Encryption Will Only Leave Us Less Secure by Dr. Andy Yen, Co-Founder at ProtonVPN

Recently, the Home Secretaries from Australia, Canada, New Zealand, the UK and the US, all members of the secretive “Five Eyes” intelligence sharing alliance, released a joint memo, calling on the tech industry to “go further in proactively and innovatively addressing the illicit use of their platforms and applications.” However, they also cautioned, “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”

They could have simply written “or else.”

This memo is the latest in a long series of actions that the Five Eyes nations have taken against encrypted services. In 2016, the UK passed the Investigatory Powers Bill (IPB) which requires UK communication service providers to break the encryption of their services where “practical” and to store Internet browsing records for one year. This year the Parliament of Australia proposed the Assistance and Access Bill (A&A), which is even more aggressive. It would give authorities the power to force tech companies to send out malware to access individuals’ devices.

Authorities use terrorism to justify these expanded surveillance powers. Yet close inspection of recent terror attacks, from the Boston Marathon bombing in 2013, to the Paris shooting in 2015, to the Manchester Arena bombing in 2017, shows the majority of perpetrators were already known to law enforcement. The fact that these attacks happened in three countries with robust mass surveillance programs suggests that perhaps they aren’t the silver bullet that authorities claim.

Meanwhile, the Internet would cease to function without encryption. Even the Five Eyes memo admits that “Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information.” It also states the Five Eyes nations have “no interest or intention to weaken encryption mechanisms.” They seek “to gain targeted access to data.” It seems like this memo is following Australia’s proposed A&A bill. This bill contains a provision that would force tech companies to send out malware to users’ devices as a way to work around the encryption. This malware could access the user’s device where unencrypted data resides. This would defeat the purpose of encryption and create new vulnerabilities.

First, the mere act of compelling tech companies to compromise their own users’ security undermines the public’s trust in them. If software updates are viewed as potential government backdoors, ignoring software updates will become commonplace, decreasing the overall security of the Internet. Secondly, the infrastructure used to exploit user devices could itself be exploited.

Authorities assure us that they will guard any exploits that tech companies create for them. History shows that this claim is not credible. Exploits can and do fall into the wrong hands. Even the NSA was breached and its cache of exploits stolen in the 2016 Shadow Brokers heist. Cybercriminals then used these exploits to launch the WannaCry attacks, which crippled hospitals across the UK. Ironically, in trying to improve “security”, the Five Eyes governments would be putting us all at greater risk.

The idea of sacrificing privacy for “security” is not new. Indeed, several countries, such as China or Russia, have already achieved the dystopia described in George Orwell’s novel 1984. It is troubling to see Western democracies heading down the same path. One does not have to look hard to see echoes of Russia’s 2016 “Yarovaya Law” in the Investigatory Powers Bill. In fact, the IPB is worse: it requires tech companies to store a year’s worth of users’ data while the Russian law only requires six months’ worth.

Furthermore, the UK’s IPB and Australia’s proposed A&A bill have much more far-reaching effects than the laws that govern Russia and China, due to the Five Eyes global network. As the intelligence sharing agreement broadens, Five Eyes member countries could use surveillance laws that were not passed in their own legislatures. If the Assistance and Access Bill is passed, intelligence agencies in each of the other Five Eyes member countries could route their requests through Australia. This means citizens of these other countries would be subject to this law despite the fact that their elected representatives would never have debated the bill or voted on it.

Benjamin Franklin wrote in 1755 that those who give up essential Liberty to purchase a little temporary Safety deserve neither Liberty nor Safety. This applies directly to the proposals put forth by the Five Eyes memo and legislation, which infringe upon our right to privacy and put our personal data at risk. It is therefore essential that all those who wish for a secure Internet and the right to privacy oppose the Five Eyes countries’ campaign to weaken encryption.