Washington, DC - The five member states threaten tech companies with legislation if they don’t weaken their encryption.
Among the unfortunate things we track here at Hashed Out are calls from law enforcement officials and politicians for “responsible encryption” and/or encryption backdoors. At this point, I feel like it happens about once a month. So far we have gotten dumb requests to weaken encryption from the likes of:
- James Comey, Former Director of the FBI
- Christopher Wray, Director of the FBI
- Rod Rosenstein, Deputy Attorney General
- Amber Rudd, Former UK Home Secretary
- Theresa May, UK Prime Minister
- Malcolm Turnbull, Australian Prime Minister
And many, many more. So it shouldn’t really come as a surprise that when the US, UK and Australia get together (along with New Zealand and Canada) as part of the Five Eyes Intelligence Alliance, they would combine powers and come up with a monumentally stupid joint statement requesting weakened encryption and/or encryption backdoors.
They did not disappoint.
The Five Eyes Intelligence Alliance has issued a “Statement of Principles on Access to Evidence and Encryption.”
Let’s Hash it Out…
Statement of Principles on Access to Evidence and Encryption
Five Eyes’ joint statement starts out nicely enough by reaffirming the importance of encryption.
The Governments of the United States, the United Kingdom, Canada, Australia and New Zealand are committed to personal rights and privacy, and support the role of encryption in protecting those rights. Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information.
Now, if you’re familiar with Larry David and the show “Curb Your Enthusiasm,” you may remember a conversation between Larry and Jerry Seinfeld where they both muse at the fact that anytime someone says, “having said that,” they are about to completely contradict the first statement they made.
That is incredibly apropos here, because Five Eyes immediately contradicts its opening paragraph.
However, the increasing use and sophistication of certain encryption designs present challenges for nations in combatting [sic] serious crimes and threats to national and global security. Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution.
First of all, let me make an observation as someone who has been able to make a living as a writer: this paragraph is written in a manipulative way. In web design this is sometimes called a dark pattern; in a joint statement by intelligence agencies it is, at best, hyperbolic, and at worst it’s designed to play on some of your most visceral reactions. The technology is being used by criminals; adding the part about terrorists, organized crime and rings of pedophiles was just a fearmongering flourish.
What’s more confusing is the dissonance that comes from this argument. There’s no consistency as to when these governments will go out of their way to protect the rights and freedoms of the majority despite certain abuses by a minority and when they will trample the rights of the many to penalize a few.
It’s the latter in this case.
What are the Five Eyes asking for?
The five participating intelligence agencies are requesting commercial assistance from stakeholders in lawfully accessing encrypted information. Or to put it in simpler terms, they’re asking the tech industry to undermine one of its most robust technologies so they can unlock a few thousand iPhones (isn’t hyperbole fun?).
Encryption, as you well know, is a mechanism for protecting data. It essentially scrambles the data, whether at rest or in transit, so as to make it unreadable by anyone but the intended party. We talk about all kinds of encryption here: symmetric, asymmetric, public key, private key, even historical encryption. The one constant is that encryption is almost impossible to crack. It would take a supercomputer thousands of years just to crack 256-bit AES symmetric encryption. That’s a feature, definitely not a bug.
But really, since the aftermath of the San Bernardino shooting, when the FBI couldn’t unlock the shooter’s phone, this has been a constant battle between the tech community and various government entities and politicians. Since then we’ve had myriad calls for “responsible encryption,” the FBI lied about the number of devices it can’t unlock, and the Electronic Frontier Foundation (EFF) and the Institute of Electrical and Electronics Engineers (IEEE) have come out in adamant opposition.
This joint statement is just the latest in a long line of dumb requests.
Five Eyes has three principles that its statement affirms:
- Mutual Responsibility – Government entities need the assistance of various stakeholders in obtaining access to encrypted information.
- Due Process is Paramount – Any attempt to access encrypted data must be underpinned by the rule of law, meaning a warrant is required.
- Freedom of Choice for Lawful Access Solutions – “We don’t care how you break your encryption for us as long as you do it.”
Obviously, I’m paraphrasing a bit there. Here’s the actual text from what is the third and most crucial principle:
The Governments of the Five Eyes encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries. Governments should not favor a particular technology; instead, providers may create customized solutions, tailored to their individual system architectures that are capable of meeting lawful access requirements. Such solutions can be a constructive approach to current challenges.
Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.
As you can tell from the second paragraph, the request for “technology service providers to voluntarily establish lawful access solutions” is business-voluntary, meaning that regardless of the rhetoric it’s couched in, it’s compelled. If the tech sector pushes back, these five intelligence agencies have already stated they will throw their full arsenal into forcing this issue. This is not the first time that threat has been made, either.
Why are “Lawful Access Solutions” dangerous?
When someone says “Lawful Access Solutions” they are typically referring to one of two options: key escrow or an encryption backdoor. Let’s go over what both of those mean and then we’ll talk about why they’re stupid.
Key escrow is a system where a copy of the private key used for decryption is provided to a third party to be securely stored. If a government needs access to an encrypted device, the idea is that they can be provided with a copy of the key by the third party.
Encryption backdoors are a little more complicated. They typically rely on the random number generators (RNGs) at the heart of most cryptosystems. If you can crack the RNG, you can likely crack the cryptosystem. In fact, most attacks on encryption are actually attacks on RNGs. The NSA is accused of trying to push a backdoor into a 2007 National Institute of Standards and Technology (NIST) publication that dealt with random number generators. The backdoor involved elliptic curves, specifically DUAL_EC_DRBG. That standard has a relationship to a secret set of numbers. Anyone who knows those numbers can effectively predict the standard’s output and break any encryption schemes using it.
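The mechanism described above, as an added example that is not code from this article or from the NIST publication: a toy generator in the style of DUAL_EC_DRBG, showing why whoever knows the secret relationship between the two published points can reproduce every later output from a single observed one. Assumptions: secp256k1 stands in for the NIST curve, the real generator's output truncation is omitted, and the constants `Q`, `D` and `P` are constructed for the demonstration.

```python
# Toy Dual_EC_DRBG-style generator. Assumptions: secp256k1 stands in for the
# NIST curve, output truncation is omitted, and Q, D, P are constructed here.
P_MOD = 2**256 - 2**32 - 977              # field prime of y^2 = x^3 + 7

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, P_MOD - 2, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(k, A):  # double-and-add scalar multiplication k*A
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def lift_x(x):
    """Return a curve point with this x-coordinate, or None if none exists."""
    rhs = (pow(x, 3, P_MOD) + 7) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)  # square root works as p % 4 == 3
    return (x, y) if y * y % P_MOD == rhs else None

Q = next(pt for pt in map(lift_x, range(1, 100)) if pt)  # published constant
D = 0xC0FFEE                               # the "secret set of numbers"
P = mul(D, Q)                              # published; hides P = D*Q

def stream(state, n):
    """Emit n outputs x(state*Q), stepping state = x(state*P) after each."""
    out = []
    for _ in range(n):
        out.append(mul(state, Q)[0])
        state = mul(state, P)[0]
    return out

def drbg(seed, n):
    return stream(mul(seed, P)[0], n)      # first state is x(seed*P)

def predict_from(output, n):
    """Holder of D: D*(s*Q) = s*P, whose x-coordinate is the next state."""
    return stream(mul(D, lift_x(output))[0], n)
```

Here `predict_from(outs[0], 3)` returns the same values as `drbg(seed, 4)[1:]` without ever seeing the seed, which is the property that makes a hidden relationship between published constants equivalent to a master key.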
So why are key escrow and encryption backdoors dumb ideas? Well, with key escrow the keys are only as safe as the third party. That’s a ton of trust to put in any government entity or private organization. The government can barely keep its own data secure; asking it to look after millions of private keys would be both a security risk and a bureaucratic nightmare. And with a private organization you’re assuming that it can keep the keys secure itself, plus you’re counting on it not to go out of business, go rogue or have a non-malicious data incident that accidentally wipes some of the keys.
And consider this: a single private key can be a valuable commodity for hackers and cyber criminals, so imagine what a massive target an entire database of private keys would be. This is just not a good idea. Now, that’s not to say key escrow can’t work. It can in some very specific contexts; for instance, the banking industry has found some uses for it. But on a large scale? No. Not a good idea.
And then we have encryption backdoors. Once again, we would have to rely on government entities to safeguard the backdoor, whether it be a number set or some other mechanism. And that’s not a given. But beyond that, this weakens encryption. Other entities, the same group of people Five Eyes is trying to stop, would eventually find a way in. The very existence of a backdoor is enough of a vulnerability to undermine the entire cryptosystem. And that just cannot happen.
Beyond that? When has purposely stunting a budding technology ever been the right answer? Encryption has been around for thousands of years, but its use and applications have grown exponentially since we entered the digital age.
In many ways, encryption represents one of our strongest layers of security, not just in the private sector, but on a national and international level, too. We cannot afford to undermine a technology that has the potential to protect so many, just so that we can access data from a few.
If anything breaks our encryption in the foreseeable future it should be quantum computing, not government interference. Suggesting otherwise is missing the big picture.