Not long after the UK echoed several countries’ demand for the creation of encryption backdoors by technology companies, a Parliament petition has been filed to urge the government not to go ahead with its plans to force the enabling of encryption backdoors.
The Parliament petition was launched by application security specialist Sean Wright who said that while it is true that criminals often exploit the privacy that end-to-end encryption provides to plan and carry out malicious and illegal activities, creating encryption backdoors will altogether endanger the security and privacy of billions of well-meaning Internet users worldwide.
“It has been reported that governments around the globe, including the UK Government, wish to see technology and service providers implement encryption backdoors in the services which they offer. The UK Government should not enforce this approach,” the petition reads.
“While the intention behind this is well-intended (to catch criminals), it could simply result in driving criminals to utilise their own services which do not contain backdoors, while putting the privacy and security of law-abiding citizens at risk. Implementing a backdoor in an encryption algorithm defeats the purpose of the encryption algorithm, and we believe this cannot be done securely.”
Wright’s decision to launch the Parliament petition was influenced by a proposal issued by the Five Eyes Alliance, along with India and Japan, to urge technology companies to enable backdoors in their encrypted systems so that law enforcement authorities can access content related to child sexual exploitation and abuse, violent crime, terrorist propaganda, and attack planning.
The joint statement, issued in October by the United States, the UK, Australia, New Zealand, Canada, India, and Japan, read that even though the governments support strong encryption which plays a crucial role in protecting personal data, privacy, intellectual property, trade secrets, and cyber security, absolute encryption that prevents companies from moderating content and facilitating the investigation and prosecution of offences will only encourage criminals and terrorists.
The alliance urged technology companies to “enable law enforcement access to content in a readable and usable format where authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight” and to “engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.”
The governments added that end-to-end encryption, that precludes lawful access to the content of communications in any circumstances, will also severely undermine companies’ own ability to identify and respond to violations of their terms of service and will prevent them from responding to serious illegal content and activity on their platforms, such as child sexual exploitation and abuse, violent crime, terrorist propaganda, and attack planning.
“In light of these threats, there is increasing consensus across governments and international institutions that action must be taken: while encryption is vital and privacy and cyber security must be protected, that should not come at the expense of wholly precluding law enforcement, and the tech industry itself, from being able to act against the most serious illegal content and activity online.
“The WePROTECT Global Alliance, NCMEC and a coalition of more than 100 child protection organisations and experts from around the world have all called for action to ensure that measures to increase privacy – including end-to-end encryption – should not come at the expense of children’s safety,” the statement read.
In an article posted on his personal blog, Wright said that if we do put some type of mechanism into place which would allow law enforcement to be able to read private data, it may jeopardise legitimate use of encryption for ordinary law abiding citizens.
Even if technology companies allow the use of public encryption keys instead of private keys, it will also lead to a serious risk as the decryption key will still be held outside of the intended recipients, he added.
Based on various concerns around the use of encryption backdoors, Wright said that such a proposal requires a lengthy debate to provide answers to legitimate questions that seek to preserve the security and privacy of billions of well-meaning Internet users worldwide.
For instance, if encryption backdoors are enabled by technology companies, how do we ensure that oppresive regimes don’t start using this to spy on their citizens? How do we prevent this practice/proposal from being abused? What if public key encryption is not suitable, what will be used then? What happens when the criminals simply move off onto a platform with no encryption “backdoors”?
“While I do see the request and desire for what is being proposed, I simply fail to see it being implemented securely in practice. In my opinion there is simply too much at stake,” Wright wrote.
“Ultimately this will not be my decision to make, and I accept that. But I do want to ensure that the appropriate questions are being asked, and that they are in fact dealt with. The intent of the petition is to ensure that the appropriate questions are asked, that a debate is had around the proposals and that they are simply not blindly implemented.”
The Parliament petition will require at least 10,000 signatures to merit a response from the government and if the number of signatories exceeds 100,000, the petition will be considered for debate in Parliament.