Open letter rejects government crackdown on encryption

Australian organisations join effort to defend access to encryption tools

More than 130 NGOs and advocacy organisations from around the world have signed an open letter calling on governments to reject policies that undermine the use and effectiveness of encryption.

“Encryption tools, technologies, and services are essential to protect against harm and to shield our digital infrastructure and personal communications from unauthorized access,” states the letter published online at Securetheinternet.org.

A number of Australian organisations have signed the letter, including the Australian Privacy Foundation, Electronic Frontiers Australia (EFA), Future Wise, Australian Lawyers for Human Rights and Blueprint for Free Speech.

Other signatories include Amnesty International, the American Civil Liberties Union, the Electronic Frontier Foundation, the Electronic Privacy Information Center, Human Rights Watch and the Tor Project.

“We encourage you to support the safety and security of users by strengthening the integrity of communications and systems,” the letter states.

Governments should not limit access to encryption or the implementation of encryption technologies, the letter states.

In addition, governments should not mandate the inclusion of ‘backdoors’ in software or services and should not undermine encryption standards.

“Governments should not, either by private or public agreement, compel or pressure an entity to engage in activity that is inconsistent with the above tenets,” the letter states.

Governments and politicians around the world have targeted access to encryption in the name of national security.

In a national security statement to parliament in the wake of the November terrorist attacks in Paris, Prime Minister Malcolm Turnbull said that the use of encrypted communications presents a challenge to Australian intelligence agencies.

Turnbull said he had asked ASIO and other agencies “to address the challenge of monitoring terrorist groups in this new environment”.

Read more: South Australia’s PIRSA seeks access to telco data

Among the leaks by whistleblower Edward Snowden were details of US National Security Agency efforts to circumvent encryption, including NSA programs to ensure the spy organisation was able to do an end run around the security features of a range of IT systems.

One document released by Snowden and published by the Guardian offered details of the NSA ‘SIGINT Enabling Project’.

“The SIGINT Enabling Project actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs,” the document, made public in September 2013, states.

“These design changes make the systems in question exploitable through SIGINT collection ... with foreknowledge of the modification. To the consumer and other adversaries, however, the systems' security remains intact.”

“In this way, the SIGINT Enabling approach uses commercial technology and insight to manage the increasing cost and technical challenges of discovering and successfully exploiting systems of interest within the ever-more integrated and security-focused global communications environment,” the document states.

The NSA’s FY13 budget request for the program was almost US$260 million, the document reveals.

In December Juniper revealed that a vulnerability in its NetScreen firewalls could enable attackers to decrypt VPN traffic. The vulnerability, since patched by the networking company, has been linked to the NSA.

In the UK, tech companies have raised concerns over a draft Investigatory Powers Bill in part because of its perceived potential to undermine encryption.

A submission by Facebook, Google, Microsoft, Twitter and Yahoo to a parliamentary committee examining the bill stated that the companies “believe that encryption is a fundamental security tool, important to the security of the digital economy as well as crucial to ensuring the safety of web users worldwide”.

“We reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption, or any other means,” the submission states.

Read more: Data retention: WorkSafe Victoria seeks access to telco data

“We therefore have concerns that the Bill includes ‘obligations relating to the removal of electronic protection applied by a relevant operator to any communication or data’ and that these are explicitly intended to apply extraterritorially with limited protections for overseas providers.

"We appreciate the statements in the Bill and by the Home Secretary that the Bill is not intended to weaken the use of encryption, and suggest that the Bill expressly state that nothing in the Bill should be construed to require a company to weaken or defeat its security measures.”

In the US a number of the candidates seeking nomination for president have expressed misgivings over the potential national security implications of access to encryption.

There is a challenge to strike the “right balance of protecting privacy and security,” Hillary Clinton, who is seeking the Democratic nomination, said in a speech last year.

"We should take the concerns of law enforcement and counter-terrorism professionals seriously. They have warned that impenetrable encryption may prevent them from accessing terrorist communications and preventing a future attack," Clinton said.

There are “legitimate concerns about government intrusion, network security, and creating new vulnerabilities that bad actors can and would exploit,” she added.

Clinton said that Silicon Valley and the government should work together on the issue.

Candidates for the Republican nomination have also taken aim at encryption.

Encryption tools are “the basis for secure internet banking and shopping and protecting your personal information online,” Future Wise privacy analyst Geordie Guy said in a statement.

“They are even more important in other parts of the world, where expressing an opinion can get your arrested or worse. It is not possible to weaken this security in the name of catching criminals without compromising their effectiveness for everyone.”

“Calls to undermine encryption in the name of ‘national security’ are fundamentally misguided and dangerous,” said EFA executive officer Jon Lawrence.

“Encryption is a necessary and critical tool enabling individual privacy, a free media, online commerce and the operations of organisations of all types, including of course government agencies.

“Undermining encryption therefore represents a serious threat to national security in its own right, as well as threatening basic human rights and the enormous economic and social benefits that the digital revolution has brought for people across the globe.”

Join the Computerworld newsletter!

Error: Please check your email address.

Tags encryptioncryptographyprivacy

More about Amnesty InternationalASIOBillEFAElectronic Frontier FoundationElectronic Frontiers AustraliaElectronic Privacy Information CenterEnablingFacebookGoogleHuman Rights WatchJuniperMicrosoftNational Security AgencyNetScreenNSAPrivacy FoundationTwitterYahoo

Show Comments

Market Place