Thursday, August 1, 2019

End-to-End Encryption - Five Eyes and the Illusion of Privacy

The five nations that make up the Five Eyes (FVEY) group, the United States, Canada, Australia, New Zealand and the United Kingdom have just concluded a security summit, held in London, and agreed on joint action that could ultimately impact our privacy.  This is not terribly surprising given the group's previous attempts at prying into our personal lives under the guise of protecting us from various forms of threatening behaviour.

The meeting was attended by the Home Affairs, Interior, Security and Immigration Ministers of the five nations.  In the words of the United Kingdom's Home Secretary Priti Patel, the purpose of this two-day meeting was to "respond to a challenging and rapidly changing global environment, strengthening our influence on the world stage to promote our prosperity and security".  The focus was on "Emerging Threats" and how to address the opportunities and risks that new technologies pose, particularly related to cybersecurity, online harms and encryption.  It is the group's focus on encryption that I will address in this posting.  As you will soon see, the meeting had little to do with promoting our security and more to do with reducing the illusion of our privacy.

Let's start by looking at the Ministerial Communique that emerged from the meeting:






While the communique does outline basic actions that FVEY will take to counter foreign interference in elections in their respective jurisdictions at the very end of the communique (basically an afterthought), it leans heavily toward actions that the group believes are necessary to combat "the epidemic" of online child sexual exploitation and abuse.  While there is no doubt that online child sexual exploitation is a problem, the methods suggested by those in attendance at the meeting are far-reaching and could have a permanent  and intended consequence for the online community as a whole.  To find out what FVEYs has in store for use, we have to refer to the press release dated July 30, 2019 from the office of the aforementioned Priti Patel.  Here are some key quotes with all bolds being mine:

"During a roundtable with tech firms, ministers stressed that law enforcement agencies’ efforts to investigate and prosecute the most serious crimes would be hampered if the industry carries out plans to implement end-to-end encryption, without the necessary safeguards.

They added that encrypted services could mask the full scale of harms on the internet and put vulnerable users at risk.

The Five Eyes are united that tech firms should not develop their systems and services, including end-to-end encryption, in ways that empower criminals or put vulnerable people at risk.

We heard today about the devastating and lifelong impact of child sexual exploitation and abuse and agreed firm commitments to collaborate to get ahead of the threat.

As Governments, protecting our citizens is our top priority, which is why through the unique and binding partnership of Five Eyes we will tackle these emerging threats together.

Also speaking at the conclusion of the two-day conference United States Attorney General William P. Barr said:

The Five Eyes partnership is vital. Throughout this week, we have had substantive, frank and positive discussions surrounding our shared duty to protect public safety, including those related to the internet.

Encryption presents a unique challenge. We must ensure that we do not stand by as advances in technology create spaces where criminal activity of the most heinous kind can go undetected and unpunished.

Indeed, making our virtual world more secure should not come at the expense of making us more vulnerable in the real world. We are grateful for the leadership of Home Secretary Patel in facilitating these critical discussions and shared commitment to safety for all."

You will notice the quote from U.S. Attorney General William Barr, an attendee at a related meeting held in London.  Here is an additional quote about the contentious issue of encryption from Willam Barr at the International Conference on Cybersecurity held in New York City on July 23, 2019, again, with all bolds being mine:

"Among the most critical advances in cybersecurity has been the development of advanced encryption techniques and their deployment in a range of important applications.  Encryption provides enormous benefits to society by enabling secure communications, data storage and on-line transactions. Because of advances in encryption, we can now better protect our personal information; more securely engage in e-commerce and internet communications; obtain secure software updates; and limit access to sensitive computers, devices, and networks.

As the Federal Government, we welcome these improvements to privacy and security, and will work to preserve and strengthen them. But at the same time, we must recognize that our citizens face an array of threats to their safety far broader than just cyber threats. Hackers are a danger, but so are violent criminals, terrorists, drug traffickers, human traffickers, fraudsters, and sexual predators. While we should not hesitate to deploy encryption to protect ourselves from cybercriminals, this should not be done in a way that eviscerates society’s ability to defend itself against other types of criminal threats.  In other words, making our virtual world more secure should not come at the expense of making us more vulnerable in the real world. But, unfortunately, this is what we are seeing today. 

Service providers, device manufacturers and application developers are developing and deploying encryption that can only be decrypted by the end user or customer, and they are refusing to provide technology that allows for lawful access by law enforcement agencies in appropriate circumstances.  As a result, law enforcement agencies are increasingly prevented from accessing communications in transit or data stored on cell phones or computers, even with a warrant based on probable cause to believe that criminal activity is underway. Because, in the digital age, the bulk of evidence is becoming digital, this form of “warrant proof” encryption poses a grave threat to public safety by extinguishing the ability of law enforcement to obtain evidence essential to detecting and investigating crimes. It allows criminals to operate with impunity, hiding their activities under an impenetrable cloak of secrecy. As you know, some refer to this eclipsing of the Government’s investigative capabilities as “going dark.” While encryption protects against cyberattacks, deploying it in warrant-proof form jeopardizes public safety more generally.  The net effect is to reduce the overall security of society.  I am here today to tell you that, as we use encryption to improve cybersecurity, we must ensure that we retain society’s ability to gain lawful access to data and communications when needed to respond to criminal activity."

Here's what he has to say about the Fourth Amendment to the Constitution and how it relates to the issue of end-to-end encryption and the state's right to know all of your business:

"This proposition should not be controversial. It simply reflects the balance struck in the Constitution itself and maintained since the Founding era.  The Fourth Amendment states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The Fourth Amendment strikes a balance between the individual citizen's interest in conducting certain affairs in private and the general public's interest in subjecting possible criminal activity to investigation. It does so, on the one hand, by securing for each individual a private enclave around his “person, house, papers, and effects” — a "zone" bounded by the individual's own reasonable expectations of privacy. So long as the individual acts within this "zone of privacy,” his activities are shielded from unreasonable Government investigation. On the other hand, the Fourth Amendment establishes that, under certain circumstances, the public has a legitimate need to gain access to an individual’s zone of privacy in pursuit of public safety, and it defines the terms under which the Government may obtain that access.  When the Government has probable cause to believe that evidence of a crime is within an individual’s zone of privacy, the Government is entitled to search for or seize the evidence, and the search usually must be preceded by a judicial determination that "probable cause" exists and be authorized by a warrant.

The key point is that the individual’s right to privacy and the public’s right of access are two sides of the same coin.  The reason we are able, as part of our basic social compact, to guarantee individuals a certain zone of privacy is precisely because the public has reserved the right to access that zone when public safety requires.  If the public’s right of access is blocked, then these zones of personal privacy are converted into “law-free zones” insulated from legitimate scrutiny.

Since the Founding, advances in technology have disrupted this balance in different ways.  Sometimes, technology creates new spheres of privacy that the drafters of the Fourth Amendment could not have thought to enumerate, such as with the advent of the telephone.  Sometimes, technology gives law enforcement new means to invade privacy that were previously unimaginable, such as thermal imaging devices.  And sometimes, technology makes it easier for suspects to evade law enforcement even when there is a lawful basis to investigate, such as automobiles — or to bring us back today’s topic, data encryption."

Given that FVEY's mandate allows the member nations to share data with each other, you can pretty much assure yourself that the recent moves that could force the technology world to provide a "backdoor" into encrypted communications for governments will lead to less privacy for all of us.  While Mr. Barr claims that this is not a breach of a basic right written into the United States Constitution, his viewpoint is obviously slanted in favour of the Department of Justice and his own best interests.  Bit by bit, in the name of fighting terrorism and now in the name of fighting against those who exploit children, our rights as citizens are disappearing. 

No comments:

Post a Comment