World Leaders Seek Broad Powers to Get Around Encryption
In March, just before he began killing people in a terrorist attack in London, Khalid Masood sent a WhatsApp message. A top U.K. official, Home Secretary Amber Rudd, infuriated by the government investigators’ inability to see the contents, called the app’s end-to-end encryption “completely unacceptable.”
Rudd’s reaction signaled the opening of new hostilities in the ongoing conflict between governments and technology companies over privacy and security. In the U.S., the fight has quieted a bit since Apple Inc. and the FBI faced off last year over access to encrypted data related to the San Bernardino shooting in California. But internationally, governments from the U.K. to Australia are seeking broader powers to get around encryption and other security measures in the name of public safety and law enforcement.
Following another two deadly attacks in Manchester and London, Prime Minister Theresa May and French President Emmanuel Macron at a June meeting on national security said a shared goal would be greater access to encrypted messaging. Australian Prime Minster Malcolm Turnbull has hammered on a similar message in recent weeks, casting encryption as an obstacle to the rule of law online. “The privacy of a terrorist can never be more important than public safety. Never,” Turnbull told Australia's parliament last month. “This is not about creating or exploiting back doors as some privacy advocates continue to say, despite constant reassurance from us. It is about collaboration with and assistance from industry in the pursuit of public safety.” This month, Turnbull announced that his government will introduce legislation to address when and how technology companies must provide access to data and communications.
Official statements issued after a late June meeting of the “Five Eyes” security alliance—comprised of Australia, the U.K., Canada, New Zealand, and the U.S.—and the Group of 20 meeting in July further underscore this push. Five Eyes issued a statement after the meeting noting, “encryption can severely undermine public safety efforts by impeding lawful access to the content of communications during investigations.” The group plans to seek “engagement with communications and technology companies to explore shared solutions.”
The insistence, from Turnbull, for example, that these efforts aren't about installing back doors or breaking encryption, likely reflects the political lessons learned in the struggle of the FBI vs. Apple. Apple Chief Executive Officer Tim Cook argued in an open letter at the time that “weakening encryption would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.”
No government wants to appear to weaken security for its citizens, especially when it comes to their smartphones. Still, they want access to the data. The U.K. has gone the furthest in setting up new rules to get at the data, with a broad update to the government’s surveillance powers that came into force in December. May introduced the measure in 2015 before she became prime minister. The Investigatory Powers Act, which has earned the nickname the Snooper's Charter, allows the government to compel companies to hack their own customers, for example, by introducing malware into their devices. Under the law, the government can issue technical capabilities notices (TCNs) to telecommunications operators, including mobile phone and social media companies, which require companies to participate in and maintain the technological conditions to accomplish ongoing, real-time surveillance, and provide the contents of communications—not encrypted—to the government. Companies that receive TCNs could also be required to inform the government of any changes to their product or service before implementation—which raises the prospect of the government asking companies not to update security, or implement end-to-end encryption, because it might interfere with access to data, privacy advocates say.
The effect of these new powers is a direct blow to safety and cybersecurity for everyone, says Danny O’Brien, international director of the Electronic Frontier Foundation in San Francisco. “If the government has the ability to tell, secretly, a tech company, ‘OK, we want to change the software on the phones to do the following,’ it doesn’t really matter if, by the letter of the law, you’re not really breaking encryption,” he says. “If we make this sufficiently insecure that the government has access to this, then other governments, other states, and hackers would have access to it.”
The government is still in the process of implementing the rules for the technical capabilities notices and has kept its consultation with companies limited and secretive, further raising the alarm of privacy advocates. Eventually, these so-called statutory instruments must be voted on by Parliament.
The U.K. home office referred a request for comment to a July 14 statement from Security Minister Ben Wallace, posted on its website: “Technical advances present ever-evolving opportunities for terrorists, criminals and paedophiles. These regulations will help make sure that we maintain the capabilities to confront this challenge, subject to strict safeguards.”
Tech companies and advocacy groups such as Human Rights Watch have expressed concerns that the U.K. law will set a precedent and encourage other countries to pursue similar powers for legitimate purposes (aiding criminal investigations, thwarting terrorist attacks) or more sinister objectives (mass surveillance of political dissidents).
Apple declined a request for comment for this story; a spokesman pointed to the company’s submission on the proposed U.K. legislation in December 2015. “If the U.K. Government forces these capabilities, there’s no assurance they will not be imposed in other places where protections are absent,” the company wrote.
Jim Killock, executive director of the Open Rights Group in London, believes that the U.K. is setting a precedent. “They’re kind of trying to organize an international consensus for people to make these changes and create these legal compulsions," he says, “but in order to do that they need to get many people demanding this, and get statutes on the books.”
—With Thomas Penny