Five Eyes nations stare menacingly at tech biz and its encryption
US, UK, Australia, New Zealand and Canada mull leaning hard for access to your info
Officials from the United States, the United Kingdom, Canada, Australia and New Zealand will meet next month to discuss plans to force tech companies to break encryption on their products.
The so-called Five Eyes nations have a long-standing agreement to gather and share intelligence from across the globe. They will meet in Canada with a focus on how to prevent "terrorists and organized criminals" from "operating with impunity ungoverned digital spaces online," according to Australian prime minister Malcolm Turnbull.
In the most forthright call yet from a national leader to break encryption, Turnbull told Parliament: "The privacy of a terrorist can never be more important than public safety – never."
Turnbull's comments reflect a more vague but similar response from UK prime minister Theresa May earlier this week in which she said she was focused on "giving the police and the authorities the powers they need to keep our country safe." And the UK authorities have already put in a legislative placeholder for breaking encryption into Blighty's Investigatory Powers Act. Australia's administration is rather enamored with that new UK law, and hopes to implement it Down Under.
It is in the United States that the issue will ultimately be decided, however, since the most widely used encrypted services – ranging from Apple's iPhone to Facebook's WhatsApp messaging – are developed and run by US companies.
Not so much
Even the UK's heavily criticized anti-encryption law recognizes that it may be powerless to enforce encryption breaking on products and services that come from overseas – and online that geographic boundary doesn't exist.
The Five Eyes group is also going to have to decide how to deal with the mathematical realities of encryption. If companies are forced to insert a backdoor into their encryption products in order to make their contents accessible, there is nothing to stop a malicious third party from doing the same: you cannot wall off a vulnerability.
Security experts have called the argument put forward by law enforcement and politicians – that they want access but don't want the bad guys to be able to do the same – "magical thinking." The Five Eyes group needs to reach a decision on how to answer the inherent conundrum of magical thinking. Europe, which has been making its own noises about anti-encryption legislation, needs to do the same.
It is also possible, of course, that the vast and massively powerful spying machinery owned and run by the Five Eyes could be focused on cracking encryption: isolating specific messages of concern and then throwing all computing resources at them.
Or, a third way could be for the security services from the five nations to oblige tech companies to develop a way to undermine specific devices – ie, create a piece of software that could be sent to an individual's phone that would allow spies direct access to the device and so enable them to bypass encryption protection.
America's National Security Agency is already known to have developed software that uses undiscovered vulnerabilities in software to give itself access to people's phones. If you have full access to someone's phone (or other device), all the encryption in the world won't make a difference.
Although some tech companies have been public in their determination not to introduce backdoors – such as Apple and its feud with the FBI, and Facebook's fight with the Brazilian authorities – it is notable that others have been silent or have called for compromise. Google, for example, has stayed out of the fray, while Microsoft has repeatedly implied it is open to a shared solution.
Where exactly the decision comes down will be hard to say – not least because the security services will want the details to be as secret as possible. Next month in Canada, they will likely emerge with a plan. ®