After a summit in Australia at the end of August, the Five Eyes countries (the US, the UK, Canada, Australia and New Zealand) issued a statement that tech companies should give governments access to the data and communications they handle. Why? Because “privacy is not absolute”. And why is that access needed? The pretext, as always, is catching pedophiles and terrorists. In effect, it means being able to spy on citizens and obtain their personal data at will.
It’s not the first time the governments of the Five Eyes countries have asked the tech giants for access to certain data – you might remember the San Bernardino terror attack (2015) and Apple’s refusal in 2016 to help the FBI unlock the iPhone of one of the shooters.
But what’s different this time?
The Five Country Ministerial 2018 made the request in the form of an ultimatum: ignore it, and the data will be taken by force. This is reminiscent of martial rhetoric, of threatening to occupy some land. Only this time the land is the land of Freedom.
What do the statement and the official communiqué say?
The Five Eyes argue that the same encryption used to protect personal, commercial and government information is used by criminals to frustrate investigations and avoid detection and prosecution.
On the one hand, not having access to information vital for stopping a terrorist attack sounds like a serious issue. On the other hand, the benign uses of encryption vastly outnumber the harmful ones, and all of them would be affected. The second claim the Five Eyes make is that “privacy is not absolute”, since government authorities have always been able to search homes, vehicles and personal effects under valid legal authority granted by a court or an independent body. One problem arises from that analogy: giving the police the power to search a car does not make it any easier for a thief to steal it. Giving law enforcement a way to read end-to-end encrypted data (a WhatsApp conversation, say) does make it easier for third parties to read it too, because the only way to build such access is to put a decryption key, or a path to one, somewhere outside the two endpoints, and whatever sits there can be stolen, coerced or abused. By the nature of this kind of encryption (which even the company offering the service cannot decipher), there is no middle ground where authorities can read end-to-end encrypted data but criminals cannot.
Finally, it warns that if tech companies deny lawful requests for access to certain encrypted data, all five governments may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions. These “lawful access solutions” worry us because for something to be lawful there has to be a law. And if all five governments pass bills obliging companies in their jurisdictions to cooperate by giving access to encrypted data, the situation becomes very Orwellian.
What’s interesting about the ultimatum as a format of notice?
If the tech companies do not comply, the Five Eyes governments have to use force or be caught bluffing. Backing down would seriously damage the reputation of the US and its partners as countries whose word carries weight, so such a scenario is highly unlikely.
If the tech companies do not comply and the Five Eyes countries use force, this might cause massive resistance, with companies moving to countries with no data retention laws, or at least anywhere outside the Five Eyes or even the 14 Eyes jurisdiction. This would force companies to spend resources getting out of a situation that was forced upon them. They have already been lobbying foreign governments to lessen data restrictions, such as rules requiring all information about a country’s users to be kept on servers within that country. It might also prove to be a loss for the Five Eyes governments, because the data would become even harder to access.
If the tech companies comply, the security and privacy of millions of users would be put in serious jeopardy, while providing only limited help in taking a bite out of crime. It would also bring government agencies closer to private data, paving the way for even stricter control that can go undocumented, just as it did with the NSA.
An alternative for the tech companies would be to accept the ultimatum but negotiate the terms. That would both give them time to think about a possible solution and show that this is not an ultimatum but a call for dialogue, one which may last well past a deadline that is yet to be named.
Furthermore, there is a more detailed document about the meeting. It states that the tech companies have been invited to participate in discussions about cybersecurity in the past but declined. In other words, the decision was made without them. Of course, accepting such an invitation would be a PR disaster for Facebook, Apple or any other tech giant, and everybody would be writing damning pieces about these meetings!
The encryption section is the part that sounds ambiguous: “The five countries have no interest or intention to weaken encryption mechanisms”. Of course, this sentence is followed by a “but” – governments must be able to access encrypted information, including end-to-end encrypted information, which implies weakening exactly that mechanism. To us it sounds like punching someone in the solar plexus and telling them “I’m your friend”.
The rest of the document is a bunch of propaganda urging everyone to cooperate and coordinate for a better tomorrow. The only exception is a call to create a taskforce to prepare a report on measures to fight modern slavery, forced labour and human trafficking both offline and online, which might come with even more privacy-restricting ultimatums.
Should we open Pandora’s box?
Indeed, opening up encrypted information is like opening Pandora’s box. A new term, “responsible encryption”, has been coined for the masses. It means your personal data sent over the net is encrypted, but law enforcement can always check it if needed. It is reminiscent of Russia’s “guided democracy”, where your votes are guided and, if you do things right, you have nothing to worry about – the classic birdsong of pro-surveillance hawks. Unfortunately, it’s not as easy as government officials may want it to be. The US is not alone in this – Australia and the United Kingdom stand behind it, probably so that we don’t look at the problems they have already had with data privacy. In 2016, Big Brother Watch released a 137-page report documenting over 2,000 data breaches by UK police staff over the preceding five years. Almost 300 of those cases ended in dismissal or resignation, and 70 in a criminal conviction or police caution.
Australia? In 2016, a small defence contractor had its systems hacked and around 30 gigabytes of sensitive information about military aircraft stolen. It’s not known who the thief was, but the incident clearly showed one thing: it’s not breaking encryption but getting encryption right that we should be concerned with right now. And yet, even after such examples, politicians continue their rhetoric about the need to create more security holes.
What the Five Eyes statement demands amounts to an end to end-to-end encryption, where your messages cannot be read without a key that even WhatsApp doesn’t have. If such a key exists somewhere else, there is always a chance it can be stolen or leaked. This exact thing has happened in the US, not once and not twice, starting with the 2011 theft of RSA’s SecurID seed records and hopefully ending with Adobe’s accidental publication of its own PGP private key in 2017.
Theresa May blamed end-to-end encryption as a safe way for terrorists to plan attacks, but the point is that such measures do not guarantee all terrorists will be caught, while they do guarantee that privacy will be harder to protect. Is that a price worth paying? Even with such measures in place, criminals would still have ways to coordinate: they can run their own software, use tools outside the five jurisdictions, or simply talk offline. End-to-end encryption has become a scapegoat for criminal activity, even though the problem is much more complex and tied to socio-economic and psychological factors this blog is not competent to discuss.
Thesslstore.com, a seller of SSL/TLS certificates, wrote in response to this statement that high-level law enforcement officials and politicians contact them regularly, asking for backdoors. They break the statement down and show many of its issues, raising the question: is it possible that justifying their actions by invoking terrorists, pedophiles and the like has caused politicians to believe their own words?
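To make the “no middle ground” argument above and the stolen-key point concrete, here is a small added illustration. It is not code from this post, from WhatsApp, or from any Five Eyes document. It models the usual hybrid design: each message is encrypted under a fresh content key, and that content key is wrapped for every party allowed to read it. With no escrow key the provider relaying the message holds only ciphertext it cannot open; the moment a “lawful access” copy is wrapped under an escrow key, that one key decrypts every user’s traffic, and whoever steals it gets exactly the same. The cipher is a toy built from HMAC-SHA256 so the script runs with the standard library alone; it and the random symmetric keys stand in for a real AEAD and a real key agreement, both assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Added illustration, not code from the post or from any messaging provider.
# Every key here is a random 32-byte symmetric key standing in for the result of a
# real key agreement; seal/unseal is a toy encrypt-then-MAC built from HMAC-SHA256
# (counter-mode keystream plus a tag) so that this runs on the standard library.
# Use a real AEAD (AES-GCM, ChaCha20-Poly1305) in anything that matters.

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified blob is rejected, not decrypted."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def encrypt_message(recipient_key: bytes, plaintext: bytes,
                    escrow_key: Optional[bytes] = None) -> Dict:
    """Fresh content key per message, wrapped for everyone entitled to read it.

    escrow_key=None is true end-to-end: the only copy of the content key is wrapped
    for the recipient, so the provider relaying the message stores ciphertext it
    cannot open. Passing an escrow key adds a second wrapped copy, which is what any
    "lawful access" design boils down to.
    """
    content_key = secrets.token_bytes(32)
    wrapped = {"recipient": seal(recipient_key, content_key)}
    if escrow_key is not None:
        wrapped["escrow"] = seal(escrow_key, content_key)
    return {"body": seal(content_key, plaintext), "wrapped_keys": wrapped}


def decrypt_message(msg: Dict, role: str, key: bytes) -> bytes:
    if role not in msg["wrapped_keys"]:
        raise PermissionError(f"no copy of the content key exists for {role}")
    return unseal(unseal(key, msg["wrapped_keys"][role]), msg["body"])


def read_all_with_escrow_key(messages: List[Dict], escrow_key: bytes) -> List[bytes]:
    """One escrow key opens every user's traffic, whether held lawfully or stolen."""
    return [decrypt_message(m, "escrow", escrow_key) for m in messages]


def demo() -> Dict:
    alice_key, bob_key, escrow_key = (secrets.token_bytes(32) for _ in range(3))
    # Constructed sample traffic for the demonstration.
    e2e_msg = encrypt_message(alice_key, b"dinner at 8?")
    escrowed = [encrypt_message(alice_key, b"dinner at 8?", escrow_key),
                encrypt_message(bob_key, b"invoice 4 paid", escrow_key)]
    out = {"recipient_reads_e2e": decrypt_message(e2e_msg, "recipient", alice_key)}
    try:  # pure end-to-end: there is simply nothing for the escrow holder to unwrap
        decrypt_message(e2e_msg, "escrow", escrow_key)
        out["escrow_reads_e2e"] = True
    except PermissionError:
        out["escrow_reads_e2e"] = False
    try:  # the provider (or anyone) trying an unrelated key fails the MAC check
        decrypt_message(e2e_msg, "recipient", secrets.token_bytes(32))
        out["wrong_key_rejected"] = False
    except ValueError:
        out["wrong_key_rejected"] = True
    out["stolen_escrow_key_reads"] = read_all_with_escrow_key(escrowed, escrow_key)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running the script prints the outcome of each scenario. The design point is in `encrypt_message`: nothing about the message format changes between the two modes except one extra wrapped copy of the content key, and that copy is the whole backdoor. Rotating or splitting the escrow key, or putting it in an HSM, changes who has to be compromised, not the fact that a compromise reads everything.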
What does this mean for the privacy industry and VPN users?
For people who already use VPNs, it means the service they paid for may soon no longer protect them.
Expect to see a new episode in the fight between those VPN providers who are able to counter this government move and those who are not, but will keep pretending it has no effect on them.
What we know for sure is that we want our VPN outside the 14 Eyes, or at least outside the Five Eyes jurisdiction. If it’s bad for users, it’s bad for the industry, and vice versa. VPN providers once at the top of the list might fall down it simply because they are based in a Five Eyes jurisdiction.
To encrypt or not to encrypt? That is not the question
No matter how good the government’s intentions are, there are certain limits that cannot be breached, and one of them is a person’s right to privacy and anonymity. By allowing such a law to pass, we in the Western world would be taking a step back in terms of human rights. It’s ironic that politicians discuss how undemocratic the regimes in Russia or China are while failing to notice that we are moving in the same direction. This is therefore something we should talk about, not leave on the margins of the daily news. If somebody slowly creeps up behind you, chances are he will leave a knife in your back.