Privacy not absolute: US among consortium of nations calling for encryption back doors
The privacy of Internet users "is not absolute," according to a statement from a five-country coalition that includes the United States following a meeting about security, with the overall theme demanding technology companies to make social networks and messaging services safer and to offer more support to government agencies to break encryption and access potentially sensitive data.

The meeting, which took place from August 28 to August 29 on Australia's Gold Coast, and included representatives from the governments of the United States, United Kingdom, New Zealand, Canada, and Australia. Described as a forum for collaboration between the countries on domestic security issues, this year's meeting focused on cyber security, counter-terrorism, and countering violent extremism.
In a "Statement of Principles on Access to Evidence and Encryption," the group claims they are committed to personal rights and privacy, supporting the role of encryption to protect said rights. At the same time, the "increasing use and sophistication of certain encryption designs" are said to make things difficult for security agencies in combatting serious crimes and threats to national security, with the same encryption systems used to protect citizens also protecting criminals and terrorists.
"Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute," the statement reads. "It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards. The same principles have long permitted government authorities to search homes, vehicles, and personal effects with valid legal authority."
Calling the increasing gap between the ability for agencies to lawfully acquire the data and the ability to use said data a "pressing international concern" that requires informed debate, the statement goes on to note "Each of the Five Eyes jurisdictions will consider how best to implement the principles" of the statement.
Three principles are offered in the statement, with the first of "Mutual Responsibility" passing some of the responsibility to other stakeholders, including firms involved in telecommunications. Highlighting a "will to work with technology providers" to ensure citizens have access to their data, it goes on to note these firms also need to help assist with the execution of legal orders.
In the majority of cases, major tech companies already provide assistance, with Apple even issuing guidelines in 2014 on how law enforcement and other agencies can request user data. In the case of 2015's San Bernardino attack, the FBI requested data from Apple just three days after the attack, and for some requests, providing data within the same day.
The second principle reaffirms that all assistance that governments request from tech companies is "underpinned by the rule of law and due process protections," in order to maintain democratic societal values.
The last, "Freedom of choice for lawful access solutions," encourages tech companies to "voluntarily establish lawful access solutions to their products and services that they create or operate" in the countries. While governments should not favor a particular technology, the firms providing access should be able to create their own custom solutions tailored to their particular architecture, while still being capable of providing lawful access.
The Freedom of Choice section seems to be a request for companies to produce a "back door" into their products, something that has been central to similar encryption debates over the years. While providing backdoor access would help governments, critics and the companies themselves argue that it would fundamentally weaken encryption for everyone, and wouldn't stop determined criminals from moving on to another more-secure platform or creating their own hard-to-crack encryption scheme.
In a separate statement on "Countering the Illicit Use of Online Spaces," the governmental group discuss the need for online spaces to be safe, and are "gravely concerned" about illegal online content, "particularly the online sexual exploitation of children." Noting that the dark web is not the only source for such content, the group claims social networks and other communications systems are "perpetuating the most abhorrent kinds of child sexual exploitation."
There is also a need to build upon existing efforts to combat terrorist use of online spaces to share radicalization materials, with the group noting that some process has been made to tackle the issue, but it is far from complete. Lastly, the same online spaces are being used to "undermine democratic institutions," an issue that is "delegitimizing the benefits and opportunities that communications and social media platforms create."
The group makes a number of demands for firms in the industry, including the need to develop and implement ways to prevent illegal content from being uploaded at all, and to immediately takedown content that makes it online. For existing content, automated and human systems are needed to "seek out and remove legacy content."
To protect users, the group recommends user safety is built into the design of all online platforms and services. The companies should also set "ambitious industry standards" over such content, and to increase assistance to smaller firms in developing and deploying their own illicit content countermeasures.
The Five Country Ministerial finishes by suggesting "Through the same innovation and cross-sectoral collaboration that has underpinned so many technological advances, the challenge of countering illicit online content is not insurmountable."

The meeting, which took place from August 28 to August 29 on Australia's Gold Coast, and included representatives from the governments of the United States, United Kingdom, New Zealand, Canada, and Australia. Described as a forum for collaboration between the countries on domestic security issues, this year's meeting focused on cyber security, counter-terrorism, and countering violent extremism.
In a "Statement of Principles on Access to Evidence and Encryption," the group claims they are committed to personal rights and privacy, supporting the role of encryption to protect said rights. At the same time, the "increasing use and sophistication of certain encryption designs" are said to make things difficult for security agencies in combatting serious crimes and threats to national security, with the same encryption systems used to protect citizens also protecting criminals and terrorists.
"Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute," the statement reads. "It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards. The same principles have long permitted government authorities to search homes, vehicles, and personal effects with valid legal authority."
Calling the increasing gap between the ability for agencies to lawfully acquire the data and the ability to use said data a "pressing international concern" that requires informed debate, the statement goes on to note "Each of the Five Eyes jurisdictions will consider how best to implement the principles" of the statement.
Three principles are offered in the statement, with the first of "Mutual Responsibility" passing some of the responsibility to other stakeholders, including firms involved in telecommunications. Highlighting a "will to work with technology providers" to ensure citizens have access to their data, it goes on to note these firms also need to help assist with the execution of legal orders.
In the majority of cases, major tech companies already provide assistance, with Apple even issuing guidelines in 2014 on how law enforcement and other agencies can request user data. In the case of 2015's San Bernardino attack, the FBI requested data from Apple just three days after the attack, and for some requests, providing data within the same day.
The second principle reaffirms that all assistance that governments request from tech companies is "underpinned by the rule of law and due process protections," in order to maintain democratic societal values.
The last, "Freedom of choice for lawful access solutions," encourages tech companies to "voluntarily establish lawful access solutions to their products and services that they create or operate" in the countries. While governments should not favor a particular technology, the firms providing access should be able to create their own custom solutions tailored to their particular architecture, while still being capable of providing lawful access.
The Freedom of Choice section seems to be a request for companies to produce a "back door" into their products, something that has been central to similar encryption debates over the years. While providing backdoor access would help governments, critics and the companies themselves argue that it would fundamentally weaken encryption for everyone, and wouldn't stop determined criminals from moving on to another more-secure platform or creating their own hard-to-crack encryption scheme.
In a separate statement on "Countering the Illicit Use of Online Spaces," the governmental group discuss the need for online spaces to be safe, and are "gravely concerned" about illegal online content, "particularly the online sexual exploitation of children." Noting that the dark web is not the only source for such content, the group claims social networks and other communications systems are "perpetuating the most abhorrent kinds of child sexual exploitation."
There is also a need to build upon existing efforts to combat terrorist use of online spaces to share radicalization materials, with the group noting that some process has been made to tackle the issue, but it is far from complete. Lastly, the same online spaces are being used to "undermine democratic institutions," an issue that is "delegitimizing the benefits and opportunities that communications and social media platforms create."
The group makes a number of demands for firms in the industry, including the need to develop and implement ways to prevent illegal content from being uploaded at all, and to immediately takedown content that makes it online. For existing content, automated and human systems are needed to "seek out and remove legacy content."
To protect users, the group recommends user safety is built into the design of all online platforms and services. The companies should also set "ambitious industry standards" over such content, and to increase assistance to smaller firms in developing and deploying their own illicit content countermeasures.
The Five Country Ministerial finishes by suggesting "Through the same innovation and cross-sectoral collaboration that has underpinned so many technological advances, the challenge of countering illicit online content is not insurmountable."
Comments
It’s time to turn the table and accuse them of violating our privacy by not safeguarding our data.
How about this thought -- putting a backdoor in place actually creates its own threat to national security? National security isn't just a product of direct government ability to snoop on suspected criminals but it also includes protecting the privacy, secrets, and sensitive information of its citizens.
An insecure "backdoor" that criminals or hostile governments could use to access the private information of law-abiding citizens (or companies, or governments) would be a very bad thing
The problem is that a "secure backdoor" simply may not exist, and any attempts to create one might land us in the second case.
I wonder if a solution might be to have variation in encryption schemes with respect to the computational cost of breaking the encryption. So, encryption of personal communication among ordinary folks (iMessage, mail, social media, etc) uses encryption that is strong enough that it can't be broken using, say, a $10k computer crunching for a week but can be broken using, say, a $1 million computer crunching for an hour or two.
Then use progressively stronger (aka, more costly to break) encryption for higher value data and for more trusted individuals/groups.
I used to be one of those people who monitored the improper use of government devices.
What they want is all the time full monitoring of everyone, from when you wake up, when and where you take a p***, to who you know, ato what you buy. Cameras in our bedrooms. in our cars, in our workplaces, on the streets. When governments fear their own citizenry, the people lose.
ikrupp
Sadly you are absolutely right. Outside of a few of us on tech blogs, and inside the industry, nobody gives a crap. Either they don't understand the danger and write it off as more tech mumbo jumbo, or they simply say "I have nothing to hide" which betrays real ignorance.
Without strong security, nothing is secure, nothing is private, and no one is safe. Todays innocent web search, is tomorrow's reason to arrest for being an "enemy of the people".
EDIT: Let me add one more thing. It's not just governments. The Black Hats are equal, and in some cases ahead of governments. If there is a back door, they WILL exploit it. They will get into your computer, your phone, your bank accounts, your credit cards, your medical records. There are some very nasty operators that would love to get ahold of all of this information. Some to misuse for profit. Some just to cause mayhem. What would happen if Country A was having a dispute with Country B so one day Country B woke up and found all government and company records, and their whole part of the internet just gone, dead? What do you think would happen if one morning the core financial records and their backups for Apple were suddenly just gone? What about all the records for the USDOD? What about your bank, what would they do if tomorrow morning they found that all of their assets had been transferred to an offshore account? What about your computer if it got hijacked and all records obliterated? Without strong security no country, no corporation, no individual is safe.
They are masking their original intent by throwing the carrot of “protecting consumer privacy” (to those who are too stupid to realize what’s going on) while tacking on the sole purpose of this consortium—demanding backdoor access.
They will beat the drum until the public has enough this government is “concerned about their privacy”, then they will make it into law.
Then we’re seriously fucked.
That’s what this is all about.