During a keynote address at the 2016 RSA Conference in San Francisco, Brad Smith, president and chief legal officer for Microsoft, made no bones about how he felt about the prospect of law enforcement having the ability to pry into the private data locked in cell phones.
“The path to hell starts with the back door,” Smith said, “and we need to ensure that encryption technology remains strong.”
Two and a half years later, we’re inching closer toward hell.
With relatively little fanfare, the so-called “Five Eyes” group, which represents the intelligence communities of Australia, Canada, New Zealand, the U.K. and the U.S., earlier this month issued an ultimatum disguised as a joint memo to the technology industry: Provide us with backdoor access to encrypted products and services, or else.
The memo, which was issued by Australia on behalf of the five nations, mostly establishes some agreed-upon principles to balance the need for encryption with the ability of law enforcement to do its job. It makes the argument that while encryption protects a lot of lawful information, it also hides the activities of child sex offenders, terrorists and organized crime.
“The increasing use and sophistication of certain encryption designs present challenges for nations in combatting (sic) serious crimes and threats to national and global security,” the memo reads.
That all sounds fine on the surface, but we all know what’s likely to happen if and when access like this is provided: The limits will be pressed consistently, and eventually the use of backdoors will morph into unfettered access to all encrypted data. This is exactly the fear Smith was expressing in his RSA Conference comments.
While the memo might be otherwise seen as little more than a noisemaker, the last sentence presents an ominous threat:
“Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions,” the memo concludes.
In other words: If you don’t give us backdoors, we’ll do what we have to do in order to establish them ourselves.
The document does not actually compel, or even suggest, any specific government action, but its threatening conclusion represents a more aggressive stance than tech providers have heard before. And at least one respected encryption expert sees it as an important upping of the ante by the U.S. government, which has been pushing for encryption backdoors for years.
“I certainly see this banding together as a way for the U.S. government to try to exert more gravitas in the U.S. debate,” Riana Pfefferkorn, a cryptography fellow at the Stanford Center for Internet and Society, told the Washington Post.
That gravitas is already present in Australia, where the federal government is pushing for a set of decryption laws it released in draft form in August. That law is being greeted with fierce debate, including a recent IT News article in which cryptography experts called the country’s position that it can enforce such laws without weakening security for all users “public-relations puffery.”
The debate has taken on a different color in the U.K., which recently found itself in the crosshairs of the European Court of Human Rights. In a case brought forward by 16 entities including the Bureau of Investigative Journalism, Amnesty International and the ACLU, the Strasbourg, France-based court ruled earlier this month that the U.K.’s Government Communications Headquarters had violated personal privacy laws by intercepting communications, sharing them with foreign governments, and obtaining data from service providers.
It’s a ruling that clearly flies in the face of the Five Eyes memo, and is likely to be held up by privacy advocates as evidence of the potential and likely abuses of encryption backdoors.
But, as Naked Security’s Danny Bradbury hinted at in a recent post, privacy and encryption advocates might want to hold up the Five Eyes memo itself, which is compromised by self-contradiction.
Bradbury notes that in the official communiqué the Five Eyes released just before its encryption memo, the group specifically stated that, “The five countries have no interest or intention to weaken encryption mechanisms.”
How the group can rationalize that asking for backdoor access doesn’t equate to weakening encryption mechanisms is a real head-scratcher. As long as governments continue to approach this issue with that kind of thinking, tech providers have no choice but to stand up to them and protect the rights of their customers.
They might even want to consider adopting Brad Smith’s ominous words as a mantra: “The path to hell starts with the back door.”
*** This is a Security Bloggers Network syndicated blog from RSA Conference Blog authored by Tony Kontzer. Read the original post at: http://www.rsaconference.com/blogs/five-eyes-groups-calls-for-encryption-back-doors-is-a-shot-across-tech-industrys-bow