The Five Eyes nations are going to meet in Ottawa, Canada, this week to discuss how to thwart encryption used by terrorists, or anyone who may be a surveillance target. The “Five Eyes” alliance includes five major English-speaking countries: the United States, the United Kingdom, Canada, Australia, and New Zealand. The discussions about weakening encryption will extend to the G20 summit next month.
Crypto War #1
The first crypto war started in 1993, when the Clinton administration proposed building an NSA-designed chip into telephones and other communications devices. The chip, called the “Clipper chip,” encrypted traffic with a key that was split and held in escrow by government agencies, so that supposedly only law enforcement and intelligence agencies holding the escrowed halves could decrypt it. The proposal failed because security experts, civil liberties groups such as the EFF and EPIC, and some senators opposed it.
The privacy and security activists argued that such a chip would expose everyone to hacking, as there would be no way to truly secure a key escrow system. History proved them right: in 1994, Matt Blaze showed that the chip’s Law Enforcement Access Field, the data the escrow agents needed to recover a session key, was protected by only a 16-bit checksum that could be forged in minutes, so a device could emit traffic that looked compliant but that the escrow agents could not decrypt. Further flaws in the escrow design were found over the following years.
Some security experts, such as Phil Zimmermann, who had released the PGP (Pretty Good Privacy) encryption software in 1991, were also offering ways to communicate securely without the Clipper chip, which made the government’s argument moot and the chip itself useless for the intelligence agencies’ objectives.
The EFF and other organizations also argued at the time that even if encryption were banned outright in the U.S., there would be no way to stop its use outside the United States anyway.
Crypto War #2
Over the past few years, especially after the Snowden revelations, multiple governments have tried to pass increasingly aggressive surveillance laws. In part, they wanted to make legal what the intelligence agencies had been caught doing illegally in Snowden’s leaked documents, and they also likely wanted to pass such laws before too many people had a chance to do something about those activities.
In the U.S., former FBI Director James Comey tried to use a terrorism case, the 2016 San Bernardino iPhone case, to establish a precedent that would force U.S. companies to defeat the encryption of their own products. The FBI sought a court order under the All Writs Act compelling Apple to write firmware that would disable the iPhone’s passcode-guess limits, a template that could later be applied to end-to-end encrypted communications and to encrypted local storage on other devices.
However, this didn’t work well for the agency. Many iPhone users were outraged by the FBI’s fight to unlock the phone, and the courts were starting to set the opposite precedent: a federal magistrate judge in a separate New York case ruled that the All Writs Act could not be used to compel Apple to unlock a device, supporting the position that the government cannot force companies to decrypt devices or communications when they don’t hold the decryption keys.
As a result, the FBI withdrew its request, saying it had obtained an alternative method to unlock the device from an outside party. It never revealed what was on the device, or whether the whole public fight was even worth it.
Around the same time, Senators Dianne Feinstein and Richard Burr were preparing an anti-encryption bill, the draft Compliance with Court Orders Act, which would have required companies to hand over decrypted data on demand. Meanwhile, France was considering a law of its own to mandate decryption of devices. The U.K. was in the process of passing the Snoopers’ Charter, enacted as the Investigatory Powers Act 2016. That surveillance bill was vague enough on encryption to allow an interpretation that the government could issue “technical capability notices” requiring the removal of “electronic protection” from communications “where technically feasible.”
For the most part, this fight was won, because security experts and civil liberties groups were quick to remind governments that mandating backdoors or banning encryption would have catastrophic consequences not only for cybersecurity but for the economy as well.
Plus, such measures may not even achieve their goal: terrorists and other targets of intelligence agencies could switch to open-source tools or their own encryption if they know that encrypted communications in certain countries are compromised.
Crypto War #3 - A More Coordinated Assault On Encryption
Even though the governments appeared to have backed down for a while, they now seem to be cooperating on a new and much more coordinated assault on encryption. They presumably believe that the companies which would have to implement the backdoors and key escrows would have little room to oppose them. It’s easy for a company such as Google or Microsoft to threaten to exit a single country whose laws it doesn’t like, but much harder to make that threat against the 20 wealthiest economies at once.
For starters, Google seems to have preemptively capitulated on this issue, promising to give authorities what they want “as long as they respect privacy rights.” It is not clear whether Google is demanding specific action or laws from governments before giving them access to its users’ data, or is only looking for a promise that the governments will “behave.” Such a promise is not likely to count for much, given the surveillance agencies’ history of abuses. Google has also recently signaled that it would stop developing solutions for end-to-end encrypted communications.
The U.S. and the U.K. remain the two countries most interested in weakening encryption, but Australia has lately emerged as a third. Two years ago, Australia also passed a mass surveillance and hacking law that allows its intelligence agencies to hack whole networks within the country. Backdooring encryption looks to be the next step in that plan.
Australian Attorney General George Brandis said in a recent statement that at the next Five Eyes meeting, Australia will lead the discussion on the “involvement of industry in thwarting the encryption of terrorist messaging.” Australian Prime Minister Malcolm Turnbull will also bring up encryption at the G20 summit in Germany later this year.
Germany has recently passed a law allowing the police to install malware on suspects’ devices as part of investigations. Germany’s Federal Constitutional Court has struck down similar measures before, so it remains to be seen whether this one will stand. The country has some of the strongest constitutional privacy protections in Europe, and the European Union also abides by a privacy- and human rights-focused Charter of Fundamental Rights as well as other, more specific privacy-preserving legislation. However, this hasn’t stopped some German politicians in Angela Merkel’s administration from trying to weaken those privacy protections over the past few years.
France also wants to reopen the discussion about banning or weakening encryption later this year, after previously rejecting the idea of mandatory decryption of devices.
Canada has recently expressed its own wish to gain the ability to decrypt devices and communications on demand, although the public consultation page was quickly pulled down afterwards.
Backdoors Harm Cybersecurity
As security experts have argued for almost three decades, and as has been proven time and again, backdoors are a bad idea and are in direct conflict with strong cybersecurity: any access mechanism built for one party is a mechanism every other party can find, steal, or reverse engineer. If governments decide that backdoors are needed and that’s the end of it, they will be making a conscious decision to compromise security around the world and make the internet even less secure than it is today.
One of the most recent examples is the WannaCry ransomware, which Microsoft said was made possible by vulnerabilities and tools stockpiled by the NSA. The agency had developed an exploit, known as EternalBlue, for a flaw in the Windows SMBv1 file-sharing service (patched by Microsoft in MS17-010 in March 2017). The exploit was leaked by the Shadow Brokers group and picked up by “the bad guys,” who used it to spread ransomware across networks around the world.
If the intelligence agencies decide to once again push a hardware-level backdoor to deal with encryption on smartphones and computers, everyone will be at risk when, not if, malicious actors start using it, and there likely won’t be an easy fix: a backdoor baked into silicon cannot be patched out the way a software bug can. Microsoft is still trying to get its users to patch the vulnerability that made WannaCry possible, and it could take years before the vast majority of systems are patched.
Alternatively, governments may propose that online service companies stop giving users the option to encrypt data with keys that only the user holds. This would cover the built-in storage encryption of iPhones and Android devices, Windows BitLocker, and the end-to-end encryption used by Signal and WhatsApp.
However, even this would cause long-term harm to personal cybersecurity as well as to the security of online servers. It would essentially stop companies from deploying the kind of encryption that makes it much harder for attackers to steal sensitive information in data breaches, because a server that can decrypt its users’ data on demand can be made to do so by whoever breaks into it.
End-To-End Encryption Is Required For Strong Cybersecurity
There’s a reason a European Parliament committee recently proposed that all online communications services adopt end-to-end encryption in the future. End-to-end encryption is much more effective against “one-stop-shop” hacking, in which an attacker who compromises a single service suddenly gains access to the records of millions of accounts at once: with end-to-end encryption the service holds only ciphertext, so the breach yields nothing readable. If that were not the case, the intelligence agencies wouldn’t be trying so hard to ban or backdoor such encryption. They have seen first hand how much harder it is to steal end-to-end encrypted information, and they employ some of the best hackers in the world.
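The point above, and the Clipper-era key escrow argument from the first crypto war, can be shown in a small model. The following Python is an added example written for this page, not code from the article or from any of the companies or agencies it mentions. It runs a constructed set of five messages through a messaging service built three ways: the service keeps a copy of every conversation key (“server_keys”), the service stores only ciphertext but each message carries the conversation key wrapped under an escrow agent’s master key in the style of Clipper’s Law Enforcement Access Field (“escrow”), or the keys never leave the endpoints (“end_to_end”). It then plays the “one-stop-shop” attacker who copies the server’s database. The cipher is a toy HMAC-SHA256 counter-mode construction with encrypt-then-MAC standing in for a real AEAD, the conversation keys are assumed to have been agreed out of band, and the messages are made up; only the key-management comparison is the point.

```python
"""Toy model of what a breach of a messaging service's database yields under
three key-management designs: server-held keys, Clipper-style key escrow, and
end-to-end encryption. Standard library only; the cipher is an HMAC-SHA256
counter-mode keystream with encrypt-then-MAC, a stand-in for a real AEAD."""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` keystream bytes with HMAC in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then remove the keystream. Raises on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed sample traffic (not real data): three conversations, five messages.
SAMPLE_MESSAGES = [
    ("alice", "bob", "lab results attached"),
    ("bob", "alice", "thanks, call me tonight"),
    ("carol", "dave", "card ending 4242, exp 09/29"),
    ("dave", "carol", "order placed"),
    ("alice", "carol", "new phone number: 555-0142"),
]

MODES = ("server_keys", "escrow", "end_to_end")


def run_service(mode: str, messages=SAMPLE_MESSAGES, escrow_master: bytes = None) -> dict:
    """Push every message through a service built in `mode` and return the
    server's stored state, which is exactly what an attacker copies in a breach."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "escrow" and escrow_master is None:
        raise ValueError("escrow mode needs the escrow agent's master key")
    endpoint_keys = {}  # conversation keys; in the real world these live only on the endpoints
    server = {"mode": mode, "keys": {}, "messages": []}
    for sender, recipient, text in messages:
        pair = tuple(sorted((sender, recipient)))
        if pair not in endpoint_keys:
            endpoint_keys[pair] = os.urandom(32)  # assumes prior out-of-band key agreement
            if mode == "server_keys":
                # The service keeps a copy so it can index, search, or hand data over on request.
                server["keys"][pair] = endpoint_keys[pair]
        record = {"pair": pair, "blob": encrypt(endpoint_keys[pair], text.encode())}
        if mode == "escrow":
            # Clipper-style: the conversation key rides along with each message, wrapped
            # under a master key that only the escrow agent is supposed to hold.
            record["leaf"] = encrypt(escrow_master, endpoint_keys[pair])
        server["messages"].append(record)
    return server


def breach(server: dict, stolen_escrow_master: bytes = None) -> list:
    """Decrypt whatever the copied database, plus any stolen escrow master key, allows."""
    recovered = []
    for rec in server["messages"]:
        key = server["keys"].get(rec["pair"])
        if key is None and "leaf" in rec and stolen_escrow_master is not None:
            key = decrypt(stolen_escrow_master, rec["leaf"])
        if key is not None:
            recovered.append(decrypt(key, rec["blob"]).decode())
    return recovered


if __name__ == "__main__":
    master = os.urandom(32)
    total = len(SAMPLE_MESSAGES)
    for mode in MODES:
        readable = len(breach(run_service(mode, escrow_master=master)))
        print(f"{mode:12s} server database copied:        {readable}/{total} messages readable")
    readable = len(breach(run_service("escrow", escrow_master=master), master))
    print(f"{'escrow':12s} plus leaked escrow master key: {readable}/{total} messages readable")
```

Run as a script, it reports 5/5 messages readable when the server holds the keys, 0/5 for both the escrow and end-to-end designs from the database alone, and 5/5 for the escrow design once the single master key leaks. That last line is the escrow problem in one number: the design moves the one-stop shop from the service to the escrow agent rather than eliminating it, and the master key is a target that, unlike a breached server, cannot be rotated without re-keying every device that ships with it.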
Even though end-to-end encryption is not yet widely deployed, and even though some major technology companies such as Google are already backtracking on adopting it, end-to-end encryption could in the future be vital for delivering services that have perhaps not yet been invented.
For instance, without end-to-end encryption, users may not allow companies to access their medical information or analyze their DNA data, because they don’t trust the companies to be able to look at that data directly.
In the ’90s, we didn’t know whether strong encryption would be necessary, because we didn’t know that, for instance, we would one day want to buy almost everything from online stores. E-commerce may well have been hampered without encryption, because too many people would have been reluctant to send their credit card information over the internet. In the same way, we don’t know what type of services may require end-to-end encryption in the future.
Banning or weakening end-to-end encryption may hurt not only today’s economies but the potential growth of future economies, too. This is one aspect governments need to take into account, along with the infringement of users’ privacy rights and the cybersecurity hazard they could be creating on the global internet.