The members of the Five Eyes surveillance group – Australia, Canada, New Zealand, the UK and the US – with the addition of the Indian and Japanese governments, have once again called for the tech industry to break end-to-end encryption and enable law enforcement to access private messages through backdoors in their services, while insisting they still support the concept of encryption.
The joint statement was signed for the UK by home secretary Priti Patel – who was forced to resign as international development secretary in 2018 for holding unsanctioned meetings with the Israeli government without Westminster’s knowledge.
The group said that strong encryption played a “crucial role” in safeguarding personal data, privacy, intellectual property, trade secrets and cyber security, as well as serving a vital purpose in protecting journalists, human rights activists and other groups at risk of targeted repression by governments.
However, it said, “particular implementations” of encryption – such as the end-to-end encryption provided in apps such as Signal, Telegram, and WhatsApp – “pose significant challenges to public safety”.
The alliance said this was particularly true when it came to protecting the interests and safety of minors. Facebook Messenger, for example, is held responsible for 12 million out of 18.4 million reports of child sexual abuse material received by the US’ National Center for Missing and Exploited Children in 2018.
“We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content,” said the allies in their statement.
“We call on technology companies to work with governments to take the following steps, focused on reasonable, technically feasible solutions: Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable; enable law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight; and engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.”
The Five Eyes group is arguing that law enforcement agencies have a responsibility to protect the citizens they oversee by investigating and prosecuting crime, and that tech companies have responsibilities to put in place terms of services for their users that provide them authority to act to protect the public. End-to-end encryption, they reason, precludes lawful access to communications content and therefore directly affects those responsibilities, which in turn creates risk to public safety.
“We are committed to working with industry to develop reasonable proposals that will allow technology companies and governments to protect the public and their privacy, defend cyber security and human rights and support technological innovation,” said the group.
“We challenge the assertion that public safety cannot be protected without compromising privacy or cyber security. We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions.”
Ray Walsh, digital privacy expert at ProPrivacy, branded the idea that secure encryption could coexist with deliberately created backdoors was a PR exercise from Five Eyes that stood in direct opposition to proper data security principles.
“Five Eyes’ and the Department of Justice’s claim that they support strong encryption because it is essential for protecting personal data, privacy, intellectual property, trade secrets and cyber security is completely contrary to its calls for companies to provide backdoors into that encryption,” said Walsh.
“Security and privacy experts understand that any purposefully designed holes in encryption create the risk of outside intrusion not only at the hands of government snoops, but also from the company itself or from malicious cyber actors who manage to discover that backdoor.
“Secure end-to-end encryption by definition ensures that data is only ever available to those people who send and receive the data, and as soon as you create a backdoor into that data, the encryption is broken, it is vulnerable, and it is put at risk of improper access and misuse and of potential data leaks and breaches,” he said.
“This is why server-side encryption has been criticised by security experts for so long, and why proper end to end encryption is the industry standard when it comes to effectively securing valuable or sensitive data such as intellectual property,” added Walsh.