BY SARAH MYERS WEST, EFF
Recently, Congress heard testimony about whether or not backdoors should be introduced into encryption technologies, a technically problematic proposal that would fundamentally weaken the security of the Internet, according to a recent report written by eleven of the world’s leading cryptographers. But while Congress is reliving these debates from the nineties (we hear they’re in these days), the Crypto Wars are very much alive and well in other parts of the world.
The United Kingdom, Netherlands and Australia have gone farther than the proposals put forward by the FBI by introducing new regulations that seek to weaken and place limits on the development and use of encryption. These efforts, made ostensibly to protect citizens against terrorism, are likely to have severe economic, political and social consequences for these nations and their citizens, while doing little to protect their security.
According to the cryptographers’ report, encryption in fact has a critical role to play in national security by protecting citizens against malicious threats. The harm to the public that can be presented by lax digital security has been illustrated a number of times over recent months: data breaches such as the hack of the Office of Personnel Management compromised the personal information of tens of millions of Americans, while weak or flawed cryptography led to vulnerabilities such as Logjam and FREAK that compromised the transport layer security protocols used to secure network connections worldwide. Encryption is not only essential to protecting free expression in the digital age—it’s also a critical part of national security.
This is what makes law enforcement claims that encryption prevents them from pursuing criminals and terrorists so concerning, especially when they’re not backed up by evidence. Testimony by Manhattan’s DA before the Senate Judiciary Committee revealed that the office had encountered 74 iPhones whose full-disk encryption had hindered an investigation, or less than 0.1% of all cases, as EFF’s Nadia Kayyali notes. As Bruce Schneier put it recently in an interview, “[David] Cameron is unlikely to demand that cars redesign their engines so as to limit their speeds to 60 kph so bank robbers can’t get away so fast. But he doesn’t understand the comparable trade-offs in his proposed legislation.”
Cameron has said there should be no “means of communication” which “we cannot read” in the United Kingdom, which has been interpreted by some media outlets as a proposal to ban the use of encryption in the UK.
No legislation has been made available publicly yet, and a spokesperson for the prime minister backed off such claims in recent days, so the exact form of implementation remains to be seen. But to entertain the hypothetical, the consequences of such a move would be quite significant: not only would UK citizens be banned from using secure software and UK companies be banned from producing it, but any sort of free and open source software would be banned, due to an inability to police whether encryption had been introduced in any of the code.
A ban would likely mean, as Cory Doctorow notes, that many companies would have to relocate or completely revamp their servers as operating systems like GNU/Linux and BSD use free and open source code. Popular messaging applications including iMessage and WhatsApp would be banned for their use of encryption. Moreover, anyone entering the UK with a phone or computer from outside of the UK would have to conform to UK standards or have their devices seized at the border.
But the likely proposal, that Cameron will seek to mandate technology companies provide backdoor access to UK law enforcement, is already having a negative impact on UK businesses. A number of technology firms, including Ghost, Ind.ie and Eris Industries, have moved out of the UK over concerns they will be forced to introduce backdoors in their encryption technologies. Leading technology companies including Apple and Google have also expressed trepidation at the UK’s planned expansion of its state power over their products.
The consequences for users’ privacy are even worse. Parliament is expected to revive the Draft Communications Data Bill, commonly known as the Snoopers’ Charter, in its next session. The bill would require Internet service providers to maintain records of users’ communications and would change authorization procedures to allow senior law enforcement officers to give monthly authorizations for bulk collection rather than requiring individual requests for the collection of data.
In combination with a mandate for backdoored encryption, this would mean a dramatic expansion of the UK’s capacity to surveil the communications and metadata of its citizens even as the state diminishes those citizens’ capacity to protect themselves from harm.
The Netherlands is similarly considering legislation that would combine an expansion in surveillance powers with limits on cryptography in a slightly different form, through the capacity to compel decryption of data. It recently launched public consultation on a proposed update to the Intelligence & Security Act of 2002 which expands the country’s surveillance capabilities to include non-specific interception. In combination with intelligence services’ existing authority to compel anyone to decrypt stored data and communications either by handing over keys or by providing the decrypted data, citizens of the Netherlands face significant incursions on their privacy.
Mandating end-users decrypt their data is in many ways problematic, particularly because it reverses the presumption of guilt. If the user doesn’t have the private key or passphrase to access the decrypted data, there is no way for them to prove this is the case—and they could face felony or misdemeanor charges for their failure to comply.
But the mandate to decrypt also includes other parties, including intermediaries and online service providers, which would introduce another complicated twist. According to analysis of the bill by Matthijs Koot, this provision is written in such a way as to facilitate bulk interception of encrypted communications where mandated by a Minister. The existing law already grants legal room for the use of hacking, which could be used in order to obtain the information necessary to decrypt data, or using third party agents or informants in order to obtain this information, for example by intercepting someone’s keys in order to decrypt their data—all of which would present greater challenges to protecting user privacy.
There’s still time for these provisions to be amended in response to public comments. The Dutch Review Committee on the Intelligence & Security Services has already raised a number of important questions about the bill, including whether the expansion of interception powers will be effective and necessary, how the privacy of innocent citizens should be protected and what the minimum requirements of oversight should be. We’re hopeful that critique will also come from within Parliament, given that Dutch representatives opposed similar measures when proposed by the Council of Europe in January, according to EDRi. But the proposal of such measures is indicative of a range of challenges to encryption broader than UK and US-proposed backdoors.
Recently passed revisions of Australia’s Defence Trade Controls Act may likewise have a deleterious effect on the development and use of encryption technologies. The DTCA is a permitting regime that regulates trade in military technologies and dual-use technologies, including encryption. The newest list of these technologies introduces the risk of overbreadth by setting an extremely low bar for what forms of encryption classify under this regime—regulating not only encryption software itself, but the systems, electronics and encryption used to implement, develop, produce and test it.
All it takes is for such an ambiguously-written regulation to be re-interpreted or over-enforced, and a country with an apparently positive approach to strong encryption could quickly morph into a state that silences or even prosecutes its own security researchers. While such regulations exist on the statute books, statements by politicians declaring their intent to prevent the privacy of encryption contribute to this climate of uncertainty, without any need for a new law.
In this case, the planned introduction of criminal provisions to the Defence Trade Controls Act has raised serious questions about the safety of distributing or even teaching encryption among researchers. Daniel Mathews, a lecturer at Monash University, is concerned that the specifications are so imprecise that “the only cryptography not covered by the DGSL is cryptography so weak that it would be imprudent to use.”
Moreover, they risk being interpreted in such a way as to make the teaching of cryptography and even other areas of mathematics illegal without obtaining a permit. The EFF recently signed on to a letter from members of the International Association for Cryptologic Research expressing concern over the law, saying it “subjects many ordinary teaching and research activities to unclear, potentially severe, export controls.” The amendments to the Act were passed in April and will come into effect next year.
The Danger of Setting New Norms
The unintended consequences for users’ privacy and the security of the Internet of these efforts to provide law enforcement unfettered access to communications far exceed the benefits that would be gained.
Even with amendments, the regularity with which these debates occur presents a risk that they begin to set the norm: given the geopolitical weight of the nations in which they’re being considered, there’s potential that such proposals could set a precedent for other nations to follow suit. And as EFF lawyer Nate Cardozo noted in a panel at the recent Crypto Summit, even more dangerous is the potential for silent capitulation by technology companies regardless of whether there’s a law on the books.
Already, FBI Director James Comey praised the UK’s proposal for being “a little bit ahead of us” on encryption policy in his testimony before the Senate Intelligence Committee, suggesting such policy measures are progressive rather than outdated and ill-informed. It’s time to leave the Crypto Wars behind, and treat encryption as a part of national security rather than a threat to it.