The deployment of the Enigma Machine by Nazi forces in World War II, and the cracking of its cryptographic systems by allied codebreakers heralded an immense increase in international interest in encrypted systems. Since then there has been an exponential rise in the use of the internet for the communication and storage of data, resulting in growing investment in strong encryption techniques from major technology firms.
There have been major developments in digital encryption in recent times, end-to-end (e-2-e) encryption and full disk encryption becoming more commonly and regularly used. A key event in this was the launch of WhatsApp’s e-2-e encrypted messages in April 2016; since then there has been a half a billion rise in the number of active users on the application, with a total of 65 billion messages transferred via the application daily. With the everyday use of encryption on the rise, governments worldwide feel that they are losing control of data they consider necessary to help prevent and fight crime, terrorism and extremism.
Moreover, the sophistication of devices and software are outgrowing governmental ability and resources. The debate over allowing government Intelligence Agencies backdoors into databases, devices and messaging servers has been a long-lasting one; with the major question being whether government-mandated backdoors would change the ability of law enforcement to prevent and solve crime and whether the associated risks are worth it.
Encryption is the process of converting information from plain text into code. The code is incomprehensible to an individual reading it unless they have access to a decryption key, which is used to translate the code back into plain text. The use of encryption is generally deemed necessary by all organisation to protect customer data from malicious cyber activities. The rise of data protection regulation, such as the EU’s General Data Protection Regulation (GDPR) has contributed to the increased media scrutiny and coverage of data breaches. Strong and well-managed encryption systems are a core component in combating dangers associated with holding and transmitting personal data.
The role of encryption in the world of data protection is clear and prominent in protecting the confidentiality of data for billions of online users. However, it has also been argued that encryption has played a key role in the facilitation of crime and terrorism.
Following the 9/11 attacks, U.S. Intelligence agencies have worked to prevent a string of Al-Qaida plots through the interception of communications, driving them to turn to encrypted communications, initiating the release of the own encryption tool “Mujahedeen Secrets” in 2007.
There has been a general trend for terrorists, and their supporters, in increasing their use of sophisticated encrypted communication systems to facilitate their activities and remain undetected. The use of mainstream encrypted technology, once frowned upon over suspicions of government surveillance, has also been observed as governments continue to claim that they have no oversight of these platforms.
The cases have led to governments worldwide asserting the need to access the underlying data behind encrypted applications and devices. Members of the Five Eyes intelligence services (Australia, Canada, New Zealand, United Kingdom and the United States) have all publicly campaigned for the implementation of backdoor access to products created by tech firms, such as Apple and Facebook.
On 06 December 2018, Australia became the first country in the Five Eyes to successfully pass a bill allowing Australian Intelligence agencies access to encrypted messaging services, despite disapproval from major technology firms over the serious risk posed to general privacy worldwide.
The Westminster attacks in March 2017, wherein a British terrorist drove a car into pedestrians on Westminster Bridge and stabbed an unarmed police officer, is a commonly raised argument in the call for backdoors. The terrorist’s use of WhatsApp to discuss details of the attack are highlighted as a reason for increased government access to communications using the app. This isn’t the first high profile case prompting government campaigns against encryption in mainstream technology.
The Federal Bureau of Investigation (FBI) took legal action against Apple Inc. following the San Bernardino attacks in October 2015, where an encrypted iPhone 5 belonging to the attacker was found. The FBI initiated several court cases in an attempt to get Apple to unlock the device, which were welcomed with much resistance from Apple the case ended when a third party successfully unlocked the device. In this case it was discovered that the attacker did not use this device to help facilitate the attack, and in fact used burner devices which were destroyed immediately after the attack.
This demonstrates the pre-emptive nature of terrorists in general when committing sophisticated and well planned attacks and the distrust in mainstream technology. The two incidents above continue to raise the question of whether, when it comes to national security, government agencies should have the right to compel technology firms to decrypt devices/files/communications based solely on the agencies’ assessment of the value of the data that they hold?
The analysis of criminal activity shows there is some clear benefit to government access to cryptographically protected devices and communications for global security. However, there are numerous fears about the possibility for abuse of these powers or for similar demands to come from governments in countries renowned for mass surveillance of their domestic population (this can already be seen in legislation in China and Russia).There are also worries concerning how such backdoors could be secured so that only the intended users can access them.
Even closely guarded state-level exploits and information can leak into the public domain, as highlighted by the Snowden, Vault7, and Shadow Brokers releases. Access to backdoors would immediately become an incredibly valuable target, attracting interest from across the threat actor spectrum.
Government surveillance remains a powerful tool for the detection and prevention of serious crime. However, are government-mandated backdoors the best tool for this? It can be assessed with high confidence that these backdoors will be a major target for sophisticated cybercriminals and nation state actors; successful targeting of these backdoors has the potential to result in a huge breach of privacy affecting huge swathes of the population.
In addition to the significant technical burden of protecting these backdoors from the attentions of sophisticated and capable threat actors, there are also wider moral questions about maintaining the balance between privacy and security, which will ultimately be up to individual governments to communicate to their citizens. For the moment, the approval of legislation in Australia is an interesting testbed to see how governments may seek to use such backdoor powers and will likely serve as a future template for what we will see in other Five Eyes nations.