'Five Eyes' spy network and access to your private data: What it means for you
Friday, 7 September 2018
If you've ever sent someone encrypted messages that you didn't want anyone else to read, listen up: Five Eyes wants to be able to access encrypted emails, text messages and voice communications.
The Five Eyes intelligence network has warned tech companies they'll be demanding 'lawful access' to all encrypted communications. If they don't play ball, the network may consider 'other measures'.
The network that is made up of New Zealand, the United States, Britain, Australia, and Canada met last week.
And it sent out a memo stating 'Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute.'
READ MORE: Internet society fears 'Five Eyes' could undermine the internet
But the intelligence network doesn't necessarily want to access your messages.
It says it wants to be able to legally access private information that has been encrypted for crime-fighting purposes.
Encryption was being 'used by criminals, including child sex offenders, terrorists and organised crime groups', the memo said.
The problem for Five Eyes is encryption is getting better, and it's harder for analysts to access encrypted data to fight crime.
BREAKING DOWN ENCRYPTION
Common encrypted messaging apps include WhatsApp, Signal, and Facebook Messenger. There are many others.
Encryption is a way of scrambling a message, so that the only way to unscramble it is with a 'key' held by the intended user.
If someone intercepts an encrypted message, there is no way for them to decrypt it (without a supercomputer and a spare thousand years), Internet NZ's Outreach and Engagement director Andrew Cushen says.
It's a 'way to check and verify information: who it's coming from, whether it's private to the intended recipient, and if it's been tampered with'.
Internet NZ's discussion on encryption says it has three parts:
- Encryption of data while it's on a device (locking the information down when it's being stored).
- Encryption of data as it's moving between computers and services (locking the information when it's moving around).
- Making sure that these fit together to give you end to end encryption.
Signal and WhatsApp encrypt messages on your phone as you write them. They remain encrypted as they are sent and are only decrypted on the phone of the person you are communicating with.
Facebook Messenger encrypts messages from the sender to its server. It then encrypts them again between its server and the recipient, BBC reports.
You can get end-to-end encryption with Messenger, but you have to activate 'secret conversation' in the app, BBC says.
Internet NZ says one recommendation by Five Eyes - the 'other measures' approach - could possibly break end-to-end encryption.
That is a concern for New Zealanders, it says.
WHAT FIVE EYES PROPOSES
Five Eyes says its Governments 'encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries … Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.'
In short, it has asked tech companies to allow access to encrypted data voluntarily, but if not, they'll look at laws to make it happen.
'What Governments want, is an extra key to unscramble the message in transit, and if that isn't possible, another way to get the unencrypted data before or after it has been encrypted,' Internet NZ's Cushen says.
'They are talking about legislation to compel 'communication and information service providers' (providers) to build 'lawful access' mechanisms into their services. This could mean building backdoors into encrypted services, so that governments can access encrypted communication.'
THE RISKS
Internet NZ says what Five Eyes says it may do is a 'very' big threat to privacy.
Encryption and the internet go hand in hand - you need to for safe online shopping and banking and making sure websites are legitimate.
Without it, no one would have trust in the internet, Cushen says.
The problem is, if the Government changes legislation to allow 'back doors into encryption' to have the option to see our data, others will potentially be able to use them.
It would affect 'everything' - apps, emails, shopping, banking, all online security.
'New Zealand already has a lawful intercept framework for phone and Internet service providers. The proposal seems to be breaking encryption to extend that to messaging services like WhatsApp.
'But once encryption has a weakness, it's hard to see that being limited. Things like your online banking, and cloud services our Government and businesses rely on, would all potentially be targets for eavesdropping by Governments and criminals based on weaknesses in encryption.'
New Zealand's Privacy Commissioner, John Edwards, isn't as concerned as Internet NZ.
'I don't think the … principles [Five Eyes] discussed at their meeting amounts to any kind of call to action or any kind of threat to introduce new powers. It's simply a restatement of principles that are probably pretty well embedded in New Zealand law already,' Edwards said.
New Zealand already has clear legal framework for addressing these issues - the Telecommunications (Interception Capability and Security) Act 2013 already means communications providers have to provide assistance, Edwards says.
'That, combined with the Search and Surveillance Act means that if a provider of communications technology has a means of granting access to law enforcement or intelligence agencies they can be required to provide that assistance.'
Edwards doesn't think the Five Eyes statement showed an intention to move the law on from what we have already.
'I don't think there's any threat in terms of New Zealanders' ability to protect their communications with encryption technology …
'Certainly as far as I'm aware there's no proposal in New Zealand that New Zealand consumers need to be concerned about.
'It would be legitimate to be concerned if there were channels of communication New Zealanders were relying on to protect their data and communication that were provided by organisations that would be subject to these laws in other countries. That may put in peril New Zealander's communications in those other jurisdictions.'
The privacy commissioner is keeping an eye on the issue - particularly to ensure any efforts by law enforcement or intelligence agencies to access private communications obeyed the law.
ALTERNATIVES
Cushen says there are alternatives for keeping Kiwis safe without breaking technologies, but they'll require the right people.
'It's vital the government discuss these topics with a wide range of people and organisations - the tech sector, law enforcement, small and medium businesses who depend on safe online services, human rights, privacy advocates and more.'
DEFENDING ENCRYPTION
Large companies have been strong in their defence of their users' right to encryption, Cushen says.
One example is Apple after the San Bernadino terror attack in December 2015 that killed 15 people.
'[Apple] refused to help decrypt a suspect's phone, and further refused to build a universal backdoor to their systems. Law enforcement ended up paying a third party to break into the device.
'For many of these companies, like Signal and Telegram, encrypted messaging is their value proposition, and they take it seriously. We don't see them backing down easily.'
ENCRYPTION IS FOR EVERYONE
Internet NZ says encryption is a great thing. It's the foundation the internet runs on.
'We want to make sure [it's not used as] this scaremongering thing that it's something that terrorists use to talk to each other - it's something that everyone uses to talk to each other.'