This past weekend, the Department of Justice joined law enforcement from six other countries in issuing their hopes for the future of encryption.
The letter was signed by U.S. Attorney General William Barr and his counterparts from the United Kingdom, Australia, New Zealand and Canada, with support from India and Japan.
The group started things off in the right direction. The letter goes over just how critical encryption is to our rapidly developing society. They pointed to the “crucial role” it plays in protecting personal data, privacy, intellectual property, trade secrets and cyber security.
But it’s a lot deeper than credit card numbers. The letter went further into the impact that encryption has for those living under repressive regimes. Encryption is a life or death thing for a lot of journalists, human rights defenders and other marginalized vulnerable populations.
After setting this bar for how important encryption is to a high-tech society moving forward, the tone starts to change a bit. The letter takes on a new direction that starts by addressing the challenges encryption creates, particularly when it comes to protecting the safety of sexually exploited children.
“We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content,” the letter read. “We call on technology companies to work with governments to take the following steps, focused on reasonable, technically feasible solutions.”
First off, the international consortium of law enforcement wants companies to “embed the safety of the public” in the systems they are designing. The letter argues this will enable companies to act against illegal content and activity effectively with no reduction to safety.
The two most direct ways to look at this is it’s either a clean-your-own-house reference with the idea of embedding a willingness in company cultures to take more intrusive steps to find offenders on their platforms, or it’s a demand for a backdoor. Their definition of embedding safety includes facilitating the investigations and prosecutions, so it’s a safe bet it’s leaning more toward the backdoor perspective.
The letter wants the tech industry to, “Enable law enforcement access to content in a readable and usable format where an authorization is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight,” and, “Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.” The various law enforcement agencies want to be assured they are as deeply embedded in the development process as possible around the globe as encryption continues to develop.
Law enforcement argues that the companies have a responsibility to provide themselves a mechanism to protect the public and stated:
“End-to-end encryption that precludes lawful access to the content of communications in any circumstances directly impacts these responsibilities, creating severe risks to public safety in two ways:
By severely undermining a company’s own ability to identify and respond to violations of their terms of service. This includes responding to the most serious illegal content and activity on its platform, including child sexual exploitation and abuse, violent crime, terrorist propaganda and attack planning; and
By precluding the ability of law enforcement agencies to access content in limited circumstances where necessary and proportionate to investigate serious crimes and protect national security, where there is lawful authority to do so.”
The letter said in light of the threats created by these secure communications, there is increasing consensus across governments and international institutions that something must be done. But they don’t provide how these new backdoors might impact the journalists, human rights defenders and vulnerable populations.
“While encryption is vital and privacy and cyber security must be protected, that should not come at the expense of wholly precluding law enforcement, and the tech industry itself, from being able to act against the most serious illegal content and activity online,” the letter reads.
Law enforcement believe these mechanisms that would only give the few a window into people’s online lives wouldn’t impact data protection or people’s privacy rights. Specifically saying, “However, we challenge the assertion that public safety cannot be protected without compromising privacy or cyber security. We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions.”
The fundamental argument is about being able to maintain the level of data security since this whole letter is about encryption. How could you possibly do that if you’re talking about building your window? That window in the structure in itself makes it less secure.
Think of a steel pole with two people talking to each other through it. But Billy wants to cut a hole in and listen. In the process of bringing Billy’s dream to life there’s no way to keep the same integrity of privacy in the conversation. If someone walked up to Billy’s hole how would we know? Does Billy even know how to tell if someone is standing there next to him looking? The list of variables goes on.
We asked the American Civil Liberties Union for its take on the letter.
“End-to-end encryption enables free speech — no matter how the Department of Justice tries to spin its longstanding attempts to force technology companies to build government backdoors into our encrypted communications, there’s a reason their arguments have been consistently rejected,” Kate Oh, policy counsel with the ACLU, told L.A. Weekly.
Oh argues encryption is our strongest defense against repressive governments, hackers and organized crime.
“Encryption also enables journalists, dissidents, whistleblowers and human-rights defenders to freely express themselves, organize and expose governmental abuse without fear of retribution,” Oh said. “Instead of trying to break encryption, which would compromise everybody’s communications, the U.S. government should focus on using the substantial powers it already has to investigate crime and protect national security, within the bounds of our Constitution.”
Karen Gullo, senior media relations specialist and analyst with the Electronic Frontier Foundation, told L.A. Weekly the plan is more of the same terrible ideas we’ve heard from the DOJ and the FBI about backdoors to encryption.
“Neither agency is credible on this issue,” Gullo said. “They have a long track record of exaggeration and even false statements in support of their position. The AG has claimed that the tech sector will design a backdoor for law enforcement that will stand up to any unauthorized access, ignoring the broad technical and academic consensus in the field that this risk is unavoidable.”
Gullo argues encryption mechanisms that would include law enforcement requests simply aren’t encryption. “Encryption with special access for select entities is just broken encryption — security backdoors for law enforcement will be used by oppressive regimes and criminal syndicates, putting everyone’s security at risk,” she said.
Another point is why do we need to lower security around our all data if law enforcement is already finding ways to target the specific people using encryption tools like Tor for nefarious purposes? Last month, the DOJ’s Joint Criminal Opioid and Darknet Enforcement team joined Europol in a victory lap to announce the results of Operation DisrupTor. The action led to the seizure of 274 kilograms of drugs that included fentanyl, oxycodone, hydrocodone, methamphetamine, heroin, cocaine, ecstasy, MDMA, and medicine containing addictive substances in the United States. It was more than half of the global take on the operation.
“The 21st century has ushered in a tidal wave of technological advances that have changed the way we live,” said DEA Acting Administrator Timothy J. Shea at the time. “But as technology has evolved, so too have the tactics of drug traffickers. Riding the wave of technological advances, criminals attempt to further hide their activities within the dark web through virtual private networks and tails, presenting new challenges to law enforcement in the enduring battle against illegal drugs. Operation DisrupTor demonstrates the ability of DEA and our partners to outpace these digital criminals in this ever-changing domain, by implementing innovative ways to identify traffickers attempting to operate anonymously and disrupt these criminal enterprises.”
The DEA said Operation DisrupTor led to 121 arrests in the United States, two in Canada, 42 in Germany, eight in the Netherlands, four in the United Kingdom, three in Austria, and one in Sweden. Plus they’re still working to identify the individuals behind a number of dark web accounts.
This raises the question that if efforts are currently finding success in the age of encryption, why should we destabilize the security of all data period? The name Operation DisrupTor is a pun referencing the Tor operating system. The node-based secure anonymity network is popular with spies, activists, drug dealers and everyone in between on the wrong side of their local ruling classes around the world. The principle the system uses was developed by the United States Naval Research Laboratory, but Tor itself is open source.
These law enforcement entities are waving their victory flags across multiple time zones while they’re asking for more access to our secure data.