Five Eyes governments get even tougher on encryption

Official statements from the Five Country Ministerial meeting make it clear: Voluntarily build lawful access into encrypted messaging systems, or else. It's not a good look.
Written by Stilgherrian, Contributor

"The governments of the United States, the United Kingdom, Canada, Australia, and New Zealand are committed to personal rights and privacy, and support the role of encryption in protecting those rights," began a document agreed to last week. Sounds good. But wait.

The government ministers who met on Australia's Gold Coast last week went on to explain that the information and communications technology vendors and service providers have a "mutual responsibility" to offer "further assistance" to law enforcement agencies.

"Governments should recognize that the nature of encryption is such that there will be situations where access to information is not possible, although such situations should be rare," it said. That's clearly setting an expectation for industry to meet.

The good news is that service providers who "voluntarily establish lawful access solutions" will have "freedom of choice" in how they do it. "Such solutions can be a constructive approach to current challenges," the document said, cheerily, before ending with a warning.

"Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative, or other measures to achieve lawful access solutions."

The document is the Statement of Principles on Access to Evidence and Encryption. It's one of three statements to come out of the Five Country Ministerial (FCM) meeting of the homeland security, public safety, and immigration ministers of the five Anglosphere nations. They were joined by the attorneys-general of these nations, who have met annually as the so-called Quintet of Attorneys-General for a decade now.

These are, of course, the same nations that participate in the so-called "Five Eyes" signals intelligence (SIGINT) sharing arrangements under the UKUSA Agreement, although these close allies cooperate both diplomatically and operationally at a number of levels.

The FCM meeting also issued an Official Communiqué, and a Statement on Countering the Illicit Use of Online Spaces.

Taken together, the three documents represent a toughening-up of the governments' attitudes to the regulation of online communications. For diplomatic language, some of the communiqué's wording is blunt.

"While senior digital industry representatives did not accept our invitation to participate in discussions on pressing issues regarding the illicit use of online spaces, we reiterated the need for digital industry to take more responsibility for content promulgated and communicated through their platforms and applications," it said.

"We called for the further development and expansion of capabilities to prevent upload of illicit content, and to execute urgent and immediate takedowns."

The communiqué also "reiterated the importance of industry investment in human and automated detection capabilities, underscoring the need for major companies to set industry standards and to help smaller companies deploy these capabilities [and] for increased efforts to counter foreign interference and disinformation conducted via online platforms".

Plenty of the language is familiar, however, as the nations agree to wording that they've already been using domestically. This is particularly the case for Australia, which has been leading these five-nation discussions on addressing the apparent threats of end-to-end encryption.

One thing continues to be missing from these statements, though, and that's any recognition whatsoever that emerging technologies give law enforcement agencies new abilities. You know, artificial intelligence (AI), face recognition, gait recognition, and traffic analysis of all kinds.

The statement on encryption, for example, took the usual formula about law enforcement agencies losing visibility and turned it up to 11.

"The increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is a pressing international concern that requires urgent, sustained attention and informed discussion on the complexity of the issues and interests at stake. Otherwise, court decisions about legitimate access to data are increasingly rendered meaningless, threatening to undermine the systems of justice established in our democratic nations," it said.

Threatening to undermine the systems of justice established in our democratic nations? Really?

"All governments should ensure that assistance requested from providers is underpinned by the rule of law and due process protections," it reassured. But where is the discussion about the need for those protections to be reviewed and enhanced, given the phenomenal growth in the amount of data available about each and every one of us?

Without a doubt, law enforcement agencies will have to find ways of dealing with the changes being wrought by the fourth industrial revolution. We all will. But politicians need to consider all of the implications, and all of our needs, not just those of the cops.

Our governments have agreed to "encourage" service providers to "voluntarily" establish lawful access solutions, with an implied threat of coercion if they don't. Yet the suspicion of such capabilities in, say, Chinese-made 5G equipment, or Russian-made anti-virus software, gets them banned.

It strikes me as a bit rich to accuse other nations of dodgy surveillance practices, while at the same time building the legislative and technical infrastructure to do much the same thing to your own citizens.

If the governments want to bring the citizens along with them on this journey, then their statements need to do more than just start with the same "we value your privacy" bulldust as all the commercial operators we're beginning to despise.
