NZ and others call for encryption changes, but all roads lead to backdoors

A statement from the governments of seven countries, including New Zealand, seeking to find new ways for authorities to gain access to end to end encrypted criminal content is not similar to requesting backdoors to data, according to Minister of Justice Andrew Little.

E2EE means the data between a sender and receiver can only be viewed by the two parties. Companies using E2EE in their products often claim it is impossible for them to decrypt messages or content despite hosting it on their platforms.

Little was New Zealand’s signatory on the statement alongside representatives from the other Five Eyes nations of the US, UK, Canada, and Australia. India and Japan also signed.

The statement says encryption plays “a crucial role” in the protection of personal data and privacy, but certain implementations of encryption can pose “significant challenges to public safety” if it allows criminal activity to go untraced.

Little told BusinessDesk the statement was asking for an access model akin to a search warrant.

“In the way the police exercise a search warrant on a house, or have to be authorised to do so through a warrant and knock on the front door, the same would happen with access to encrypted material that constitutes criminal offending on social media platforms.”

He added, “it’s not about backdoors.”

“Most of what they’re talking about amounts to requiring a backdoor,” Stephen Hall, chairman of secure cloud storage company Mega told BusinessDesk. “A backdoor is actually an open front door, because anyone who holds a backdoor can be hacked and can open the door,” suggesting the move would leave the authorities themselves more susceptible to hacking.

“If there’s some overall master key that law enforcement could use, then it’s open for that law enforcement to be hacked.”

Criminal crack down

Little said the signing countries want to have a more defined conversation with technology companies in order to crack down on child abuse online.

“We want to have a dialogue to ensure that the benefits of encryption are sorted, but the dark side of it isn’t allowed to conceal criminal offending.” 

A dialogue may well be a first step to cooperation, but a change to how companies host encrypted data would be necessarily in order for them to be able to hand over unencrypted data to authorities. 

The statement calls on the need for technology companies to talk directly with governments to “facilitate legal access” to encrypted communications. The only service the report calls out by name is Facebook Messenger, which currently does not enable E2EE by default. It argues if a default E2EE was enabled, it’d make cracking down on child abuse much harder for authorities.

The US National Center for Missing and Exploited Children reported a total of 16,836,694 alerts from electronic service providers in 2019 about the online exploitation of children. Of this number, 15,884,511 were reported by Facebook, more than 94 percent of the total.

Hall said this means one of two things.

“Either Facebook is the global centre of child abuse and no one else [other platforms] has a problem with it, or Facebook is doing an excellent job of reporting as it is required to, and the others are doing a dismal job.” Both are worrying possibilities.

A conundrum

Hall praised the statements’ acknowledgement that encryption is required for personal privacy and the operation of modern banking institutions but pointed out that in order for authorities to be given access to encrypted data, a backdoor must necessarily exist.

“They’re asking for the impossible – for encryption to continue, but for them to somehow to have special access.”

Little referred to “social media” companies and platforms as the focus, and well he might given the number of child abuse reports on Facebook’s platform. But Mega, the NZ company offering encrypted voice, video, and storage is not a social media company, yet it would be affected by the suggested changes and would likely be required to decrypt customer data where it currently can’t.

Hall said Mega already complies with court orders but stops short of decrypting data as it operates user-controlled end to end encryption. “We are subject to warrants of various sorts. If it’s a court ordered warrant, we would supply the encrypted data, and it’s up to the authorities to obtain the password to be able to decrypt it.”

A change would likely mean the government would probably ask Mega to decrypt the data, undermining the company’s promise of secure data storage.

Little said the proposals would mean the government could “engage with the social media companies, ideally with the idea of getting an agreement. In terms of the way individual countries would engage or deal with it, that might require not just an agreement with the social media companies but with inter-country agreements.”

There doesn’t appear to be blanket law applicable to the situation and authorities are struggling with how to tackle criminal activity on global internet services.

“There is a balance to be achieved between the rights of privacy and rights of freedom of speech and expression”, while “ensuring that that doesn’t become a cover to allow serious criminal offending to happen,” said Little.

“That’s why the dialogue is so important, that’s why what the encryption statement asks for is engagement between authorities and those social media platforms.”

But Hall says there is already engagement, and “the authorities are already more than submerged in the reports they are currently getting and can’t cope with them, so for them to be crying that they desperately need open access to encrypted data is really missing the point. They can’t cope with the reports they are currently getting.”

The suggestion is willing companies are already open to dialogue and want to help authorities, but those authorities are overwhelmed enough to push for easier legal access to encrypted communications.