Written by CDT summer intern Michael Jardine.
Last week, a global alliance of 76 organizations, companies, and individuals urged Australian officials to refrain from requiring technology companies to weaken the security of their products and services by building in backdoors to facilitate law enforcement access. The Center for Democracy & Technology signed onto the letter in response to the Turnbull administration’s announcements about its intentions to legislate on the issue in the interests of national security. For example, former Attorney General George Brandis stated: “If terrorists increasingly use in particular encrypted messaging apps that are inaccessible to intelligence or to law enforcement authorities, then our capacity to surveil their communications, our capacity in the event for example a terrorist incident occurs, to prosecute them, will be lost.” More recently in May 2018, the Minister for Law Enforcement and Cyber Security Angus Taylor revived the debate around access to encrypted data by declaring that making progress on draft legislation is “one of [his] highest priorities.”
The call for legislation in Australia was echoed a few days ago by FBI Director Christopher Wray, who indicated that if on-going private talks with tech companies do not result in a solution, the FBI could seek a legislative approach. Debate around legislation that would provide law enforcement a ‘backdoor’ into encrypted information and technology has been part of a global conversation for a number of years. Law enforcement agencies, including the FBI, say that they are “going dark” as a result of encryption because it prevents them from accessing the plain text of communications. The U.S. has pursued access to the information carried through end-to-end encryption (e2e) networks, aggressively launching multiple legal proceedings against tech companies, including Apple, in order to gain access to encrypted content. The FBI settled the litigation, admitting that one its vendors had accessed the iPhone’s contents.
Indeed, law enforcement officials from the ‘Five Eyes’ group of nations (United States, United Kingdom, Canada, Australia, and New Zealand) have seemingly been singing from the same song book when it comes to government approaches to so-called ‘Key Disclosure Laws’ or ‘Mandatory Key Disclosure.’ Many analysts believe that the Australian proposals, when unveiled, will closely mirror those contained within the United Kingdom’s 2016 Investigatory Powers Act (commonly referred to as the ‘Snooper’s Charter.’) The ‘Snoopers Charter’ provides the UK government and law enforcement agencies the ability to obtain a court order compelling companies that design e2e into their products and services to turn over the keys to encrypted communications. This provision has not yet been tested in court. If mandated, it could effectively outlaw forward secrecy in which multiple keys may be developed to protect the privacy of a single conversation.
E2e has become an essential feature of much of the technology we use on a daily basis. People encounter e2e when they use messaging apps such as Signal, iMessage, or more commonly, WhatsApp (which 1.5 billion people around the globe use on a monthly basis). This encryption allows users to send and receive information securely and without fear of interception, collection, or alteration from unwanted third-party actors. For governments and law enforcement agencies, e2e has been a thorn in their collective sides: the same technology that makes it safe for you to make a purchase online can make it “safe” for criminal conspirators to plan their crime online.
Unfortunately the creation of a ‘backdoor’ for law enforcement access would present two problems. First, from a commercial security perspective, companies could no longer assure their customers that they can use the platform without fear of data theft or government intrusion. Second, once backdoor access has been created for law enforcement use, this structural vulnerability becomes a target for hackers, rouge states, cyber-criminals, terrorist organizations, and even over-reaching governments.
CDT has for quite some time, outlined the risks posed to consumers and to companies with the creation of so-called ‘backdoors.’ Companies are already struggling to secure apps, services, and devices against vulnerabilities. Deliberately building in a vulnerability to facilitate law enforcement access would increase the possibility of malicious intrusion and access to sensitive information.
Furthermore, Backdoor access for law enforcement would make it difficult to keep encryption keys secure. The more law enforcement agencies that need access, the less secure any backdoor access will be. In the U.S. alone, there are around 17,985 police departments, each of which could claim a need for access to encrypted communications. To build a singular secure method and system to access encrypted information for just the U.S. law enforcement authorities could be impossible. Law enforcement agencies in each country around the world would want similar access to this encrypted data, compounding the security problem exponentially.
Creating deliberate vulnerabilities in software or hardware to accommodate the demands of one country can have a global impact. First, it sets a precedent that other countries will demand that the provider follows. Second, it creates vulnerabilities that malicious hackers can exploit on a global basis. Third, it forces global tech companies to make difficult decisions with global implications, such as as choosing to withdraw from a market when they cannot offer a secure product or service on account of a rule about creating backdoors to their encryption. If companies operating on a global scale, such as Apple, Google, and Facebook, will be required by one nation to create some form of backdoor access into their products and services, then the question needs to be asked, would the company in question be happy building multiple products and versions of its services to cater to differing encryption laws in different countries?
Australia is geographically distant from many of the places where encryption is hotly debated. But what happens on encryption “down under” can have a global impact and warrants global attention.