‘Public outreach’ needed for ‘progress’ on encryption backdoors: gov’t doc
News | 05/26/2020 11:42 am EDT
In order to make “progress” on the issue of access to encrypted communications, the federal government will have to reach out to the public and try to bring stakeholders onside, according to briefing documents prepared for Public Safety Minister Bill Blair.
“One of the main difficulties that impedes governmental efforts to change lawful access policies, legislation or funding is the public’s lack of understanding and trust around these issues,” outlines the document, which was prepared for Blair when he was named Public Safety minister last fall and obtained through Access to Information.
The briefing document reiterates that Canada’s position is in favour of “mitigating” the challenges of encryption “through cooperation and positive relations with industry.”
In order to achieve this, the government will have to increase efforts to convince the public, it says.
“Any progress on encryption will require more transparency, including strong public outreach and improved communications,” it said.
“It would also be essential to engage key stakeholders and gain the support of prominent voices in industry and academia.”
The document outlines that the use of encryption has grown in recent years, and that an increasing number of personal-use communications products and services are using strong encryption as the default. For instance, it notes all Apple Inc. devices have full disk encryption by default, while Facebook Inc. plans to combine its Facebook Messenger, WhatsApp, and Instagram into one encrypted platform.
It’s a trend the briefing binder says has harmed the ability of law enforcement and national security agencies to do their jobs.
Chris Parsons, senior research associate at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, said in a phone interview that previously, Canadian governments’ policies on cryptography hadn’t changed since the late 90s, and were generally in favour of strong encryption. But in the past few years, there has been a shift in the attitude of Five Eyes countries.
In September 2018, Canada joined its Five Eyes counterparts — Britain, the United States, Australia, and New Zealand, with which it shares national security data and intelligence — in issuing a warning about access. The five countries said if governments continue to face difficult hurdles to lawful access to data created by encryption without private sector “solutions,” they “may pursue technological, enforcement, legislative or other measures” to get around that. Last summer, they called for access to encrypted materials.
In recent years, Parsons said, “we saw our allies routinely come out and advocate for there to be backdoors or ways of decrypting strongly encrypted communications.”
Blair’s briefing binder notes that encryption “protects the integrity of critical national infrastructure, individuals, and businesses, from malicious intrusion, including everything from telecommunications and transportation systems to financial services and the energy sector.”
It states that “Canada’s position is to support safeguarding encryption while being a proponent of mitigating its challenges through cooperation and positive relations with industry.”
But strong encryption and options for additional access are mutually exclusive, according to Parsons.
“You can’t have it both ways. You either want strong encryption or you want backdoors.”
If we insert backdoors to gain access to, say, a criminal’s phone, “we’re also inserting the exact same backdoor into the tool and communications and structure that’s used by journalists, by prime ministers, by security officers and so forth. So we really can’t add in a back door and only have it used to target bad persons. It will be exploited by other persons,” Parsons said.
The ramifications would be international — those backdoors would not only be open to Canadian law enforcement and security agencies, but also those in countries like Russia or China.
The materials prepared for Blair say encryption has “seriously impeded law enforcement and national security agencies’ ability to investigate in cyberspace, even when the agencies obtain the appropriate authorization from a judge to intercept the communication of a suspect.”
Parsons said if the government is serious in its arguments, they have been told “by many groups, many times, that they can start producing information and numbers,” about the extent of the issue.
He said that producing “statistically relevant and statistically viable data” would be one way for the RCMP to “at least open up the debate so it’s a little bit less of ‘we have secret numbers that tell us bad things, you must do what we say’.”
The partially-redacted version of Blair’s briefing materials doesn’t include any such figures; while it makes a reference to “as much as 67% of data that the CSIS lawfully collected in the fiscal year 2017-2018,” the rest of that sentence is redacted.
“Encryption is a significant obstacle for the full spectrum of law enforcement and national security investigations,” notes another partially-redacted sentence.
Also redacted are the next steps Public Safety and other federal agencies plan to take on the issue.
Blair’s press secretary Mary-Liz Power didn’t answer questions about what those next steps would involve, but did say in an emailed statement that “our government knows that encryption is critical to safeguarding our cybersecurity and the digital economy. Encryption has also created challenges for law enforcement and national security agencies.”
A statement from a Public Safety Canada spokesperson said that the federal government “favours a collaborative approach with industry and other stakeholders to address the serious challenges posed by encryption for investigators, while also safeguarding human rights, privacy, cyber security and the digital economy,”
Parsons said the reality created by the COVID-19 pandemic that has led much of the country to work from home highlights the importance of encryption, as more Canadians are using technology like virtual private networks (VPNs) and encrypted messengers. Meanwhile, agencies like the Communications Security Establishment (CSE) and the U.S. National Security Agency (NSA) have warned that “that people working at home are being targeted because their security is insufficient. The solution to that problem is not ‘oh we should further weaken the availability of encryption of individuals in their homes, where they’re going to be working for the foreseeable future,” Parsons said.
He added that the ongoing debate over 5G networks vendors and whether to ban Huawei Technologies Co. Ltd. equipment from the next generation network buildouts is another reason not to put in backdoors.
If there are concerns about security of 5G network equipment, he said, “one of the many ways to reduce the threats associated with with, you know, can we trust the vendor, is to enable and facilitate strong end to end encryption, so that even if the vendor isn’t trusted, even if their devices are compromised, they’re unable to access the content.”
— With reporting by Anja Karadeglija at firstname.lastname@example.org and editing by Adam Langenberg at email@example.com