The Electronic Frontier Foundation (EFF) recently published an in-depth report on the “Five Eyes” alliance: an international coalition made up of intelligence service leaders from Canada, New Zealand, Australia, the United Kingdom, and the United States. During their meeting in June, members of the Australian delegation stated their focus was to "thwart the encryption of terrorist messaging."
Australia has since followed through on their promise to break encryption. On July 14, Prime Minister Malcolm Turnbull announced plans to introduce new legislation that would force social media and messaging companies to decrypt secure messages for the sake of national security.
Danny O’Brien of the EFF believes the Five Eyes alliance may rely on the United Kingdom’s Investigatory Powers Act to form the basis for an international ban on encryption technology. Distressingly, the UK bill is broadly written and grants the government unprecedented surveillance powers.
“Companies could be prohibited from fixing existing vulnerabilities, or required to introduce new ones in forthcoming products,” O’Brien writes. “Even incidental users of communication tech could be commandeered to become spies in her Majesty's Secret Service: those same powers also allow the UK to, say, instruct a chain of coffee shops to use its free WiFi service to deploy British malware on its customers. (And, yes, coffee shops are given by officials as a valid example of a ‘communications service provider.’)”
Theresa May, the author of the Investigatory Powers Act, has repeatedly called for international agreements to “regulate cyber space.” Now, it's clear Australia wants to follow suit. This kind of alliance should distress online privacy advocates across the world.
“In venues like the Five Eyes meeting, we can expect Britain to advocate for others to adopt IPA-like powers,” O’Brien explains. “In that, they will certainly be joined by Australia, whose Prime Minister Malcolm Turnbull…would be happy to adopt the compulsory compliance model of the United Kingdom (as, he implied at the time of the Apple case, would President Trump).”
Unfortunately, the “Five Eyes” alliance represents just the latest chapter in the international debate on encryption. Despite its fundamental role in cyber security and our digital economy, government officials have consistently called for encryption backdoors. While cyber criminals and bad actors have certainly taken advantage of encryption technology, most organizations rely on encryption to secure user names, manage their keys, prevent data misuse, and much more.
International threats to encryption have affected the spending and security practices of organizations around the world. However, instead of discouraging businesses from utilizing this vital technology, these bills have had the opposite impact.
According to a Venafi survey conducted during RSA, one of the largest security trade shows in the world, recent geo-political changes have made 75% of IT professionals personally more concerned about privacy. As a result, 71% said their organization is more concerned about data privacy too. In addition, two thirds (66%) of security professionals said their organization has considered expanding its use of encryption due to changes in the political landscape.
Ultimately, calls for encryption backdoors cause much more harm than good. The Five Eyes alliance will only make the cyber security industry less effective and safe.
As O’Brien concludes: “Intelligence agencies and their secret alliances are no model for oversight and control of the much broader surveillance now being conducted on billions of innocent users of the public Internet. Britain's radical new powers shouldn't be exported via the Five Eyes, either through law, or through data-sharing agreements conducted without judicial or legislative oversight.”
Is your organization concerned about government-enforced backdoors?