The nations of the Five Eyes security alliance have called on technology companies to design their products so they offer 'back door' access to encrypted messages and content.

A statement signed by UK secretary of state Priti Patel, Us attorney general William Barr, Australian minister for home affairs Peter Dutton, New Zealand minister of justice Andrew Little, the Canadian minister of public safety Bill Blair, plus representatives from India and Japan, argued that "encryption is an existential anchor of trust in the digital world and we do not support counter-productive and dangerous approaches that would materially weaken or limit security systems".

However, it continued that "particular implementations" of encryption technology pose significant challenges to public safety, "including to highly vulnerable members of our societies like sexually exploited children".

The statement therefore urged the industry to address these "serious concerns" about where encryption is applied in a way that wholly precludes any legal access to content. It went on the request that technology companies work with governments to take the following steps:

• Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable;
• Enable law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight; and
• Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.

The Five Eyes statement explained that law enforcement has a responsibility to protect citizens by investigating and prosecuting crime and safeguarding the vulnerable, while technology companies also have responsibilities and put in place terms of service for their users that provide them authority to act to protect the public.

"End-to-end encryption that precludes lawful access to the content of communications in any circumstances directly impacts these responsibilities", creating severe risks to public safety in two ways:

• By severely undermining a company’s own ability to identify and respond to violations of their terms of service - including responding to the most serious illegal content and activity on its platform; and
• By precluding the ability of law enforcement agencies to access content in limited circumstances where necessary and proportionate to investigate serious crimes and protect national security, where there is lawful authority to do so.

The statement noted that concern about these risks has been brought into focus by proposals to apply end-to-end encryption across major messaging services.

"In light of these threats, there is increasing consensus across governments and international institutions that action must be taken: while encryption is vital and privacy and cyber security must be protected, that should not come at the expense of wholly precluding law enforcement, and the tech industry itself, from being able to act against the most serious illegal content and activity online."

In July 2019, the governments of the UK, US, Australia, New Zealand and Canada issued a statement, concluding that “tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can gain access to data in a readable and usable format".

On 8 October 2019, the Council of the EU adopted its conclusions on combating child sexual abuse, while the WePROTECT Global Alliance and a coalition of more than 100 child protection organisations and experts also called for action to ensure that measures to increase privacy - including end-to-end encryption - should not come at the expense of children’s safety.

The Five Eyes statement concluded that data protection, respect for privacy and the importance of encryption as technology changes and global internet standards are developed remain at the forefront of each state’s legal framework.

"However, we challenge the assertion that public safety cannot be protected without compromising privacy or cyber security - we strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions."

Commenting on the statement, Tim Mackey, principal security strategist at the Synopsys' Cybersecurity Research Centre, said that implementing a legislative remedy to this problem creates a different challenge, as laws move slower than technology.

"This means that the legislative remedy could easily turn out to be an exploitable vulnerability that is embedded within all systems and as such very difficult to address," he pointed out. "Since encryption is a key element in the trust equation in digital economies, if a governmental backdoor is part of the DNA of a technology, then other questions are raised – not the least of which is the extent of monitoring any given government might perform and what criteria is used."

Mackey added that as digital privacy laws vary globally, access to any backdoor likely will occur using different criteria in different jurisdictions. "Given the recent invalidation of the EU-US Privacy Shield, it’s clear that such implementation details need to be addressed prior to the creation of monitoring backdoors."

Share Story: