Vancouver Sun

ALARM RAISED ‘Five Eyes’ allies want ‘backdoor’ on tech devices

- STUART THOMSON sxthomson@postmedia.com Twitter.com/stuartxthomson

OTTAWA • Canada joined its intelligence allies recently in demanding that technology companies co-operate with law enforcement agencies in allowing access to encrypted communications, like Facebook and text messages, heating a long-simmering controversy.

Cybersecurity experts, privacy advocates and even the companies themselves insist there’s no way to build “backdoors” into consumer electronics without compromising the overall security of the device.

“Any backdoor that’s there for good guys can always be exploited by bad guys,” said Matthew Dubé, the NDP critic for public safety.

The issue has been making headlines since 2016 when Apple successfully pushed back against an FBI request to circumvent iPhone security features on a device belonging to one of the perpetrators of the San Bernardino shooting. The FBI eventually cracked the phone using other methods. Intelligence agencies have been demanding this kind of access since the early ’90s.

In late August, the Five Eyes intelligence alliance — comprised of Australia, Canada, New Zealand, the United Kingdom and the United States — issued a renewed call for “lawful access to information” to keep its citizens safe.

“Privacy is not absolute,” the communiqué reads, adding that the countries “may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions” if companies don’t co-operate.

To some experts that sounds like a threat, but Canadian officials say it’s just a request and reject the idea that they’re requesting backdoors.

“Encryption is critical to safeguarding our cybersecurity, privacy and the digital economy. However, it has also created gaps for law enforcement and national security agencies,” said Scott Bardsley, the press secretary for Public Safety Minister Ralph Goodale, in an emailed statement. Goodale’s office declined an interview request.

Bardsley said the allies want to “explore shared solutions with industry while protecting our cybersecurity and respecting individuals’ rights and freedoms.”

Whether or not a backdoor has been requested has become a topic of debate, but most experts agree there is little distinction between a backdoor built into a device’s encryption algorithm and a tool that circumvents the encryption.

Although similar requests for co-operation have been made in the past, that “is the most aggressive call we’ve seen,” said Tamir Israel, a lawyer at the Canadian Internet Policy and Public Interest Clinic.

The big change, according to Israel, is that governments are now saying “fix it for us or we will fix it for you.” That’s led to concerns among privacy experts that the government will try to legislate a requirement for tech companies to build backdoors for law enforcement.

When encryption is done properly, the information on the device will not even be visible to the company that made it. The government would essentially be asking them to hack their own products.

“They’re clueless. They think they can fix the problem? I don’t even know what that means,” said Ann Cavoukian, a former Ontario privacy commissioner and head of the Privacy by Design Centre of Excellence at Ryerson University. “You can’t just create the odd backdoor” without compromising everything, said Cavoukian.

Israel said the idea that there’s a growing technology gap between bad actors and law enforcement is “not an empirically sound statement.” Although encrypted communications may make things more difficult, it’s counter-balanced by the massive amount of publicly available information on the internet that can be a gold mine for investigators.

The Canadian government could also hope that some other country solves the problem for them by passing a similar law, Israel said.

Because the security features are such a fundamental part of any device, it would be impractical to build and rebuild on a country-by-country basis. If a country passes legislation that requires security changes, each company would have to decide whether to play ball or withdraw the product from the country entirely.

Right now, all eyes are on Australia, which is moving ahead with legislation that includes three important measures for law enforcement: first, a process for voluntary requests to tech companies; second, a process for requiring co-operation using the company’s existing capabilities; and third, a mechanism that forces companies to create new tools to bypass security on a device.

The bill doesn’t target encryption algorithms directly, instead finding other ways to bypass the device’s security. Security experts have been sounding the alarm about the proposed legislation, saying it could encourage bad actors to use tactics similar to the ones that would be available to law enforcement.

In 2015, a paper in the Journal of Cybersecurity compared these kinds of requirements to leaving a house key under the doormat. It’s convenient if someone forgets their key, but it also seriously compromises the overall safety of the people living in the house.
