The year 2018 saw the opening salvos of a Cold War. One side of the ongoing conflict is information technology companies, civil libertarians, privacy advocates, and academics. The other side is a multi-government coalition largely composed of law enforcement and intelligence agencies (and their private sector support infrastructure). In 2019 we will see that Cold War become hot.
The world rarely bears witness to an irresistible force meeting an immovable object. But we’ll soon see a legislative and regulatory juggernaut crash headlong into a technological and civil libertarian mountain. The results will endanger every conventional notion of cybersecurity and distributed trust.
The conflict has been brewing for decades. Between 1946 and 1956, a close working relationship developed between the intelligence communities of the English-speaking western democracies (the United States, the United Kingdom, Australia, Canada, and New Zealand), formalizing the relationship known as the Five Eyes.
In August 2018, senior intelligence and law enforcement officials from the Five Eyes nations met in Australia for their annual Five Country Ministerial conference. This is a forum wherein member states can discuss and collaborate on ways to address common security challenges. They talk about counter-terrorism, narcotics, human trafficking, violent extremism, cybersecurity, foreign interference, critical infrastructure protection, and border management. The 2018 conference added a new topic: encryption.
The conference’s official communique indicated there is an “urgent need for law enforcement to gain targeted access to data.” The Five Eyes published another document, the “Statement of Principles on Access to Evidence and Encryption,” intended to spur resolution of the “challenges to lawful access posed by encryption, while respecting human rights and fundamental freedoms.” The statement concludes with a chilling sentence: “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”
The statement is notable in many respects. It signaled the signatories’ intent to pursue an agenda inimical to values such as personal privacy and civil liberty, freedom of speech, and potentially due process. Their unabashed goal is access to private communications, whenever and wherever. Remember who is waging this campaign. The Five Eyes represent the so-called liberal western democracies. The countries whose national charters and legislative and judicial precedents champion notions of human rights, the primacy of the individual, and due process. Those were “table stakes” for any country claiming to value human rights as defined by those ranging from John Locke to the United Nations General Assembly. These aren’t authoritarian countries (like, for example, Russia, which in 2016 passed Federal Law of July 6, 2016 No. 374-FZ, which ordered the Federal Security Service (FSB) to develop a clandestine method to collect encryption keys); these are the countries that are supposed to be their polar opposites.
The world didn’t have long to wait for the first tangible embodiment of the statement to appear. On December 6th, 2018, the Australian government passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018. The new law is breathtaking in both scope and implication. Under it, the Australian government can issue compulsory cooperation notices whose purpose is to enable the government to gain access to specific users’ encrypted messages and data. These notices have potentially global impact, as the law claims jurisdiction over any entity that “develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end users in Australia.”
While the specter of terrorism was used to ensure the Australian law’s passage, it has broad applicability, and can be used to support investigation of any crime “punishable by a maximum term of imprisonment of 3 years or more or for life.” Australia can now demand encryption backdoors in terrible cases of copyright infringement. It also enables covert operations against anyone “involved in inquiries pertaining to” a crime with strict penalties for non-participation or disclosure. Australia can now compel any company in any country to attack the encryption protecting private information. Moreover, the law could be interpreted as enabling the Australian government to force an Australian citizen of any company to attack that company’s internal systems.
Weren’t the works “1984” and “V for Vendetta” supposed to be fictionalized accounts of a dystopian future where there is no privacy with respect to the state? Didn’t the Stasi go out of business in 1990? It’s not unreasonable to expect to see the other Five Eyes dominoes fall in 2019, at least when it comes to the civil liberties and privacy protection. Up until now those have been guaranteed by the proliferation and broad adoption of strong encryption solutions.
The United Kingdom is already the most heavily surveilled country on the planet. New Zealand’s Customs and Excise Act of 2018 imposes a $5,000 fine on any traveler attempting to enter the country who refuses to hand over passwords, codes, encryption keys and other information enabling access to their electronic devices. To date, neither the United States nor Canada have enacted legislation threatening strong encryption and effective data security. However, one only needs to read the many public speeches on the subject of “responsible encryption” made by Deputy Attorney General Rod Rosenstein to sense where the Executive Branch would like to head. The battle lines across strong encryption’s defense of privacy and liberty were drawn in 2018. And 2019 will be the year where we’re all forced to choose a side.
Founder & CEO
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.