Five Eyes and EU Renew Emphasis on Encryption

In separate but potentially related developments, a few key governments are again arguing that end-to-end default encryption is foiling law enforcement efforts, especially regarding child sexual abuse material (CSAM).

Twitter

FVEY and EU see a future where there will be encryption law enforcement can access as needed. Tech thinks differently.

Cocktail Party

Some of the Five Eyes nations and the European Commission (EC) are again addressing the risks posed by end-to-end encryption. Two officials from Five Eyes nations make the case the problems posed by encrypted communications are getting worse, with one claiming more children will be victimized online if a social media giant follows through with plans for end-to-end encryption. The EC approached encryption as part of its broader to combat crime in the European Union (EU) and noted criminals are increasingly using encrypted communications. All the governments envision discussions with the technology industry and other stakeholders that would result in encryption strong enough to protect legitimate communications and transactions while allowing law enforcement and intelligence agencies access to illegal communications and content. One of the Five Eye governments is considering with banning the use of encryption on communications platforms in legislation expected to be introduced this year.

Meeting

Again, a British official is discussing encryption in the context of CSAM, the issue most likely to maximize the leverage the United Kingdom’s (UK) government might have in the larger encryption debate. The Home Secretary is renewing her call for Facebook to abandon plans to encrypt message platforms like its WhatsApp already is. She was invited to address a charity pledged to protect children on the occasion of the release of a report and discussion detailing the harm encryption does to children.

Separately, an Australian intelligence official highlighted the harm encryption and other secure communications have wreaked on his government’s ability to investigate violent extremism and counter-terrorism.

Finally, the EC’s proposed crime strategy took note of the difficulties encryption posed and claimed it would detail the “way forward” in 2022.

Geek Out

The United Kingdom’s (UK) Home Secretary Priti Patel spoke at the National Society for the Prevention of Cruelty to Children (NSPCC) roundtable event the day after it released a NSPCC/YouGov survey that allegedly “found 33% of UK adults support using end-to-end encryption on social media and messaging services, but this jumps to 62% if it’s rolled out only if and when tech firms can ensure children’s safety is protected.” NSPCC also released a report and discussion paper on encryption:

Patel took on Facebook’s plans to introduce end-to-end encryption for all its messaging services (Facebook Messenger and Instagram; WhatsApp already uses end-to-end encryption). She asserted “[w]e cannot allow a situation where law enforcement’s ability to tackle abhorrent criminal acts and protect victims is severely hampered.” She further contended “[s]adly, at a time when we need to be taking more action… Facebook is still pursuing end-to-end encryption plans that place the good work and the progress that has already been made at jeopardy.” Patel claimed “[o]ffending is continuing, and will continue – these images of children being abused just continue to proliferate, even right now while we are speaking. But the company intends to blind itself to this problem through end-to-end encryption which prevents all access to messaging content.” She argued “I want to make it clear that the government does support encryption, where of course companies can protect users’ privacy, and there are many areas where this is important.” Patel asserted the British government’s belief “it is possible to implement end-to-end encryption, the service, in a way in which is also consistent with public protection and child safety.” However, to date, neither the British government nor any other like-minded government has introduced a proposal to achieve this goal, and, in her remarks, Patel did not mention any such forthcoming proposal.

Patel also asserted her government and the other Five Eyes governments are united. She remarked “[d]uring my own recent discussions with my counterparts in the US, Canada, Australia and New Zealand, we were absolutely united and calling upon the industry to ensure that services are safe by design.” Patel stated that “[c]ompanies themselves should do more, and can do more, to endorse and transparently implement the CFAA voluntary principles on child sexual abuse.”

A couple of things bear discussion. First, the Biden Administration has largely been silent on the encryption issue, so, if Patel is to be believed, they may be aligned with the Trump and Obama Administration’s fight with technology companies over encryption. Second, she said the Five Eyes nations were “united” that “services are safe by design,” which may not be a reference to encryption per se and may reflect agreement on content moderation or some other facet of the complex issues of the online world. Third, Patel referenced the 2020 Voluntary Principles to Counter Online Child Sexual Exploitation and Abuse the Five Eyes and other stakeholders agreed upon that the U.S. Departments of Justice (DOJ) and Homeland Security (DHS) claimed in their press release do the following

The voluntary principles provide a common and consistent framework to guide the digital industry in its efforts to combat the proliferation of online child exploitation.  The voluntary principles cover the following themes:

  • Prevent child sexual abuse material;
  • Target online grooming and preparatory behavior;
  • Target livestreaming;
  • Prevent searches of child sexual abuse material from surfacing;
  • Adopt a specialized approach for children;
  • Consider victim/survivor-led mechanisms; and
  • Collaborate and respond to evolving threats.

As reported in the media, Patel’s remarks seemed to focus on the encryption of data in transit and not on the encryption of data at rest. This may be due to the fact that western intelligence services have been able to hack into encrypted phones and computers through their own services or through the use of a third party vendor. This was recently documented in the backstory of how the U.S. Federal Bureau of Investigation (FBI) contracted with an Australian security firm to break into a terrorist’s encrypted iPhone averting a legal showdown with Apple.

Moreover, at the beginning of the month, WIRED reported Patel is reportedly considering enjoining Facebook from implementing full encryption on Messenger and Instagram through the issuance of a Technical Capability Notice (TCN). London may also opt to add language to its forthcoming “Online Safety Bill” barring the use of encryption, which would be a first among western nations. In December, upon the release of the Online Harms White Paper: Full government response to the consultation, Patel and Digital Secretary Oliver Dowden stated the government of Prime Minister Boris Johnson will introduce this legislation in 2021. They added:

  • The response will set out how the regulations will apply to communication channels and services where users expect a greater degree of privacy – for example online instant messaging services and closed social media groups which are still in scope.
  • Companies will need to consider the impact on user privacy and that they understand how company systems and processes affect people’s privacy, but firms could, for example, be required to make services safer by design by limiting the ability for anonymous adults to contact children.
  • Given the severity of the threat on these services, the legislation will enable Ofcom to require companies to use technology to monitor, identify and remove tightly defined categories of illegal material relating to child sexual exploitation and abuse. Recognising the potential impact on user privacy, the government will ensure this is only used as a last resort where alternative measures are not working. It will be subject to stringent legal safeguards to protect user rights.

However, Dowden remarked in March that encryption would not be a part of the Online Harms Bill even though he conceded he and Patel frequently discuss this issue.

Patel has been an outspoken opponent of Facebook’s plans to expand its use of end-to-end encryption to other platforms. In 2019 she signed an “open letter” to Facebook CEO Mark Zuckerberg also signed by the former U.S. Attorney General, the former acting U.S. Secretary of Homeland Security, and Australia’s former Minister for Home Affairs. Notably, the two other members of the Five Eyes intelligence alliance, Canada and New Zealand, opted not to sign this letter. Nonetheless, Patel and her counterparts urged Zuckerberg not to “proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.” These officials referenced the communications their governments have had with the social media platform on this issue and noted “Facebook has not committed to address our serious concerns about the impact its proposals could have on protecting our most vulnerable citizens.” They claimed “[w]e support strong encryption…[and] respect promises made by technology companies to protect users’ data…[but] “[w]e must find a way to balance the need to secure data with public safety and the need for law enforcement to access the information they need to safeguard the public, investigate crimes, and prevent future criminal activity.” The officials asserted that “[c]ompanies should not deliberately design their systems to preclude any form of access to content, even for preventing or investigating the most serious crimes.”

Patel and her counterparts called on Facebook to do the following:

  • Embed the safety of the public in system designs, thereby enabling you to continue to act against illegal content effectively with no reduction to safety, and facilitating the prosecution of offenders and safeguarding of victims;
  • Enable law enforcement to obtain lawful access to content in a readable and usable format;
  • Engage in consultation with governments to facilitate this in a way that is substantive and genuinely influences your design decisions; and
  • Not implement the proposed changes until you can ensure that the systems you would apply to maintain the safety of your users are fully tested and operational.

Earlier in 2019, the Five Eyes issued a communique in which it urged technology companies “to include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format.” Interestingly, at that time, these nations lauded Facebook for “approaches like Mark Zuckerberg’s public commitment to consulting Governments on Facebook’s recent proposals to apply end-to-end encryption to its messaging services…[and] [t]hese engagements must be substantive and genuinely influence design decisions.” This communique followed the Five Eyes 2018 “Statement of Principles on Access to Evidence and Encryption,“ which articulated these nations’ commitment to working with technology companies to address encryption and the need for law enforcement agencies to meet their public safety and protection obligations.

As mentioned, the NSPCC’s release of a report and discussion paper on encryption were the occasion for Patel’s remarks. In its report on end-to-end encryption, the NSPCC contended:

This report examines the ways in which children are exposed to online harms, the current online safety system and legal intrusions permitted to allow citizens to enjoy a safe and secure online experience. It discusses how the industry’s plans for expanding End-to-End Encryption (E2EE) risks tipping the balance in favour of adult users, at the cost of children’s safety. It then considers whether privacy and safety can ever practically co-exist and explores how the risks to children of E2EE could be mitigated, whether through technical countermeasures or through ‘upstream’ interventions that reduce children’s exposure to harm.

The purpose of this report is to raise understanding of the impact that ubiquitous end-to-end encryption would have on children’s online safety. The NSPCC commissioned PA Consulting to collate the viewpoints of a broad range of stakeholders, representing Civil Society organisations, industry, law enforcement and governments, to identify potential mitigations and trade-offs that should be considered. There are diverse and often conflicting opinions on the extent to which platforms should adopt online privacy and safety features, but the overwhelming majority of participants agree that child safety must remain one of the key considerations at the forefront of that debate. This report aims to provide a balanced narrative based on viewpoints obtained from engagement with experts across the community, with a child-centred focus.

The NSPCC concluded:

The good news is that it is entirely possible to design and build safer platforms. The analogies set out at the start of this report – the development of safety standards in cars, the expectation of safety on playgrounds and the coexistence of high standards of safety and security in financial transactions – serve as a reminder that the ingenuity exists to find a way through challenges of this nature. However, as discussed throughout, there are complicated trade- offs to be made in order to reach an appropriate balance, and it is unlikely that industry will get there alone. Regulation that incentivises industry to put the needs of children and young people at the heart of their design approach is not necessarily an impediment to commercial success but is a much- needed driver of culture change. Any regulatory approach should be principles-based, in order to futureproof progress to the greatest extent possible.

The discourse on E2EE needs to move beyond a polarised debate that sees privacy and safety pitted against each other, towards a broad and balanced understanding of the risks and opportunities faced. This must reflect both the needs of children and adults, in recognition that one third of UK internet users are under the age of 18 and that this is an inherently vulnerable population. There is a need to greatly increase engagement from the public and to ensure that civil society provides a balanced view to inform responses, including from tech firms, governments and regulators, to ensure it strikes the right balance and that we have the right protections in place.

It bears note that while the NSPCC claimed “it is entirely possible to design and build safer platforms” (likely an euphemism for encryption law enforcement could access), it does not offer much in the ways to do so.

In its discussion paper, the NSPCC asserted:

  • End-to-end encryption poses considerable child abuse risks when integrated into social networks, where abusers may be able to readily exploit other design features on the site to contact children and target them for sexual abuse.
  • Arguably, the risks of E2E are significantly heightened on social networks because of the central role they play in allowing abusers to identify and contact children, and to initiate well-established grooming pathways, in which children are subsequently abused through messaging or livestreaming products.
  • Much of the discussion about negative impacts inevitably focuses on the significant challenge that end-to-end encryption presents for law enforcement. E2E is likely to result in considerable negative impacts for policing. For example, E2E is likely to reduce the ability of law enforcement to access evidence, undertake investigations and prosecute offenders that exploit online services to commit abuse.
  • However, it is arguably in the immediate reduction of a platform’s ability to moderate content, and the corresponding reduction in upstream threat capability, that the greatest impact of end-to-end encryption is likely to be felt.
  • The balance of these risks is often poorly reflected in the broader civil society debate.

In conclusion, the NSPCC contended:

  • The NSPCC urges tech companies to refocus their approach to end-to-end encryption – recognising that the privacy and safety of all users should be maximised, including children and young people who are so frequently poorly served by decisions taken about the products they use.
  • But if tech companies will not protect the needs of their child users, and work towards a balanced settlement, it is entirely appropriate that legislative and regulatory remedies should be used to secure it – with companies required to ensure their upstream capability to detect and disrupt child abuse is not lost.
  • There is a particular opportunity for the UK to drive international consensus on the issue, including during its ongoing Presidency of the G7. Through the introduction of proportionate
  • but child-centred regulation, that reflects the contours of the re-framed debate as set out in this discussion paper, the UK can create a global model for how we create legal and regulatory safeguards to achieve the optimal balance between safety and privacy.

In mid-March the Australian Security Intelligence Organisation’s (ASIO) Director-General of Security Mike Burgess made remarks on the ASIO’s annual threat assessment and provided a view on encryption from the vantage of intelligence services:

  • Spying is a race to innovate: between the spies and the spy catchers, and between those intent on inflicting violence on our citizens and those who seek to prevent it.
  • ASIO is particularly skilful at this. We know our success depends on our ability to fuse new technologies, opportunities and advantages into our existing skillsets, and to imagine new ways of doing things.
  • That imperative to innovate is reflected in all aspects of our business, and we have been changing how we are structured and how we do business to ensure we are the most creative, most innovative, most modern organisation we can be.
  • We’re particularly focused on being at the crest of the new world of data. Lawfully used, bulk data, modern analytics and machine learning provide rich opportunities for ASIO as an organisation to be more effective and more precise—as well as proportionate—in how we do our business.
  • But the environment we operate in is a challenging one. We are seeing an exponential uptake of encrypted and secure communication platforms by violent extremists. Even supposedly unsophisticated targets are routinely using secure messaging apps, virtual private networks, fake emails and number generators to avoid detection.
  • Now please don’t get me wrong—encryption is fundamentally a force for good. But we need to recognise how it is being used and abused by terrorists and spies.
  • Last year I revealed that end-to-end encryption damages intelligence coverage in 90 per cent of our priority counter-terrorism cases. Now the figure is 97 per cent.

Burgess claimed that encryption is “damag[ing]” intelligence operations in “priority counter-terrorism cases.” He further asserted “violent extremists” are moving to encrypted and secure communications platforms.

Australia has taken a muscular approach to encrypted and secure communications than its other Five Eye partners. In testimony to Australia’s Parliament in August 2020, Burgess explained the intelligence services had used the 2018 statute “Telecommunications and Other Legislation Amendment (Assistance and Access) Act” and stated

  • I completely agree that the security and privacy of information is vitally important. Encryption is a good thing. But the same technology that enables Australians to use online shopping, banking and social networking platforms is also obscuring the capabilities and plans of people who threaten our safety and security. 
  • Right now, a foreign spy will be using encryption to hide an attempt to steal our secrets, interfere in our democratic processes or undermine our sovereignty. Right now, a potential terrorist will be using encryption to contemplate an atrocity, radicalise the vulnerable or share a hateful ideology.
  • It is no exaggeration to say that almost all communications of investigative value would be difficult or impossible to access in an intelligible form without lawful access tools such as those available under the Assistance and Access Act. 
  • Encrypted communications damage intelligence coverage in nine out of 10 priority counter terrorism cases.
  • We needed to take advantage of the new powers within 10 days of the legislation coming into effect – a clear indication of its  significance to our mission.
  • Since then, the Assistance and Access Act has repeatedly proved important in counter-terrorism and counter-espionage  investigations.
  • But I want to stress that we only use it in a very targeted and proportionate way. All up, we have used the industry assistance powers fewer than twenty times, and always to protect Australians from serious harm.
  • And the internet did not break as a result!

There seems to be the suggestion the Australian used its new powers to issue orders to technology companies to help them crack encrypted or secure communications. Of course, Burgess was not clear on this, and there have not been leaks from Canberra about the nature of the assistance provided to the Australian intelligence services.

Another facet of encryption arose in the EU. In the EC’s “EU Strategy to tackle Organised Crime” it discussed the problem encryption presents to law enforcement more broadly:

The search for leads and evidence, including lawful access to communications data, is the cornerstone of law enforcement investigations and prosecutions, bringing criminals to justice. As our lives and activities have moved online more than ever, footprints of crime are also digital. Organised crime is planned, executed and concealed online, marketing illegal substances and products and finding ingenious ways to launder profits, unhindered by physical borders. The scale of the problem is amplified by fast developing technologies. The shift of some leads and evidence from a physical to an online space brings a variety of challenges, including the speed with which the data can be moved across jurisdictions, or the ability to hide behind encryption. In addition, some evidence-gathering instruments and measures designed for physical evidence are not yet fully adapted to the digital world. This may hamper or slow down criminal investigations and prosecutions because data is not available or accessible in a timely manner.

Like the Five Eyes nations, the EC called for discussions between all the relevant stakeholders to find a solution:

More broadly, the Commission will steer the process to analyse with the relevant stakeholders the existing capabilities and approaches for lawful and targeted access to encrypted information in the context of criminal investigations and prosecutions. These approaches should not result in a general weakening of encryption or in indiscriminate surveillance. This analysis will not only focus on addressing the current obstacles but will also anticipate the likely evolution of encryption and decryption technologies, and the necessary cooperation with academia and the private sector to this end. In addition, the Commission is enhancing its efforts in the field of standardisation to maintain lawful interception capabilities in the context of 5G and beyond. As a result of this process the Commission will suggest a way forward in 2022 to address the issue of lawful and targeted access to encrypted information in the context of criminal investigations and prosecutions that shall be based on a thorough mapping of how Member States deal with encryption together with a multi-stakeholder process to explore and assess the concrete options (legal, ethical and technical).

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

National Museum of Computing, Bletchley Park, Bletchley, Milton Keynes, UK; Photo by Alex Motoc on Unsplash

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s