NZCCL concern at Five Eyes plan to break encryption

The NZ Council for Civil Liberties is concerned that the members of the Five Eyes spy network (NZ, Australia, USA, Canada and UK) have stated that they wish to break end-to-end encryption to allow them to spy on the contents of all communications.

While we agree with the idea that we should be able to catch criminals, and that lawful intercept can be a part of that, we do not believe that breaking encryption like this is possible to do without weakening the technical tools we use to keep ourselves safe online. Designing effective encryption is hard enough without having to add third-party access on demand.

In their Statement of Principles on Access to Evidence and Encryption, the Five Eyes say that:

Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information.

But at the same time, they say that communications carriers, device manufacturers and service providers should voluntarily provide ways for the Five Eyes governments to lawfully intercept the contents of communications (note – this is similar but much further reaching than the ISP responsibilities in the Telecomunications Interception Capabilities and Security Act). But the voluntary nature only goes so far:

Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.

Whether the measures are voluntary or compulsory, it risks everyone because methods of access available to one government will surely be demanded by all governments and we can't rely on companies to hold firm when their profits depend on access to certain markets. Our intelligence agencies should be taking measures to protect our communications from being intercepted by foreign governments, not make it easier.

We also worry about where this is taking us. As people move to use systems that are still secure, will our governments get frustrated and end up taking the Chinese approach of banning the use of any applications and services that don't provide access?

Safety and security are important but, when we look at the current threats to New Zealanders, we don't see any threats or harms that justify breaking internet security for everyone.