Federal law enforcement agencies from the U.S. and several of its closest allies cosigned a statement over the weekend calling for tech manufacturers to provide law enforcement personnel a mechanism to pierce through encryption whenever necessary.
The statement "calls on technology companies to work with governments to ...embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable," noting that encryption could potentially thwart investigations into child exploitation and other online crime.
The long-held debate pitting law enforcement against security researchers, tech companies, consumers, security vendors and companies with data to secure will soon enter its fourth decade. The statement released this weekend did not include any new arguments. But there was a new twist. In addition to being signed by law enforcement leaders of the Five Eyes intelligence alliance (the U.S., U.K., Canada, Australia and New Zealand) the statement by two new allies "Japan" and "India" — though not any specific person from either nation.
"It's really just the same old call for backdoors with all the problems of a call for backdoors," said Ryan Polk, senior policy advisor with the Internet Society, an internet standards development and open internet advocacy body.
The problem is that mechanisms for law enforcement to circumvent encryption inherently weaken security by adding an additional layer of access and potential human error. The reality is that the CIA, NSA, Apple, Microsoft, and several law-enforcement agencies have all had substantial leaks of securely held data over just the past five years.
"You can't have security without secure end-to-end encryption, whether that's national security, vulnerable populations or businesses protecting intellectual property, employees or customers," said Polk.
Polk noted there are a variety of ways for determining law enforcement to get the same information without intentionally building exceptional access into secure products. In the El Chapo case and the recent Michigan plot to kidnap the governor, police were able to obtain encrypted messages by cultivating an informant with access. Several contractors are available to hack devices for law enforcement, providing the same access to a device as a backdoor, as Cellebrite reportedly did when it cracked an iPhone belonging to the San Bernardino, Calif. shooter for the FBI in 2016.
And for all the newly encrypted communications, there are even more new sources of information that aren't encrypted, including IoT devices, pervasive video cameras in public, license plate trackers and boatloads of metadata.
While the DOJ has been consistent about its desire for exceptional access, this new call comes just before a presidential election determining Attorney General Bill Barr's future. That may cause vendors to lend less credence to the demand, after already remaining pretty steadfast in its position on the issue previously.
"It's unlikely that makers of encrypted devices or services are going to change their stance on this issue based on this letter or at this time," said Greg Nojeim, senior counsel for the Center for Democracy & Society.
