More on the Five Eyes Statement on Encryption and Backdoors

Earlier this month, I wrote about a statement by the Five Eyes countries about encryption and back doors. (Short summary: they like them.) One of the weird things about the statement is that it was clearly written from a law-enforcement perspective, though we normally think of the Five Eyes as a consortium of intelligence agencies.

Susan Landau examines the details of the statement, explains what's going on, and why the statement is a lot less than what it might seem.

Posted on October 1, 2018 at 6:22 AM • 22 Comments

Comments

Alejandro • October 1, 2018 7:28 AM

Bin Laden is dead. The threat, and resultant fears, of large scale terrorism on the homeland is not as large as before. So, there must be a new bogeyman to drum up support for corruption of encryption. They fall back on the usual suspect: criminals.

If just one pedophile in the entire world is left standing on the internet, 5-Eyes must have the key to his, and all of our, electronic communication.

Drone • October 1, 2018 7:40 AM

With half the U.S. Government clearly moving away from a "Presumption of Innocence" to a "Prove You Didn't Do It" model, it's no surprise our "Right to Privacy" is also in jeopardy.

wiredog • October 1, 2018 9:28 AM

@drone
One major and often unstated problem the right to privacy faces in the US is that the Roe v Wade decision legalizing abortion is based at least partly on a right to privacy. So if you are, in the US, unalterably opposed to allowing abortion you have to be opposed to a right to privacy.

Anders • October 1, 2018 9:56 AM

BTW, last year Infineon chip RSA 2084 bit problem - could it be a deliberate weakening?

Sancho_P • October 1, 2018 10:09 AM

This is a never ending story, obviously it's a misunderstanding:

“… a strategy to press providers of information and communications technologies and services to enable lawful access whenever government has legal authority to access said content, and threaten a legislative “fix” if technical solutions are not found.” (Susan Landau)

Again, they already have “lawful access” to content at the communication providers whenever gov has “legal authority”.

So what do they want?

renke • October 1, 2018 10:14 AM

@Anders

With Infineon, TÜV and BSI involved I strongly suspect incompetence, not malice : )

O • October 1, 2018 11:12 AM

The only resistance to this is ECONOMIC. The entire Internet economy relies on strong encryption to protect financial transactions. Every single web store needs it. That’s TRILLIONS of dollars of transactions that occur and need to be secured.

Bruce, this is the angle that needs to be harped on over and over again, not the nerdy issues with math that no one understands (not to deride those; they just don’t resonate with people). Tell people they will not be able to safely buy stuff from Amazon, Walmart, and Target. Tell people that defeating security will completely destroy the economy. THAT’s how you get people’s attention.

Sfan • October 1, 2018 12:06 PM

@O
Beyond ecommerce and online banking, there is of course the direct threat it poses to law abiding people, industrial espionage, free markets, free press, and democratic process.

Back doors are dangerously insane, lazy, and megalomaniacal. It's like the government wants to be omniscient and omnipotent when it has a horrible record of being little but the opposite of omnibenevolent. Never in history has anything even remotely like this power ever been good or just.

Sergey Babkin • October 1, 2018 12:21 PM

Not sure if anyone mentioned this already, but Five Eyes is quite a suitable name for this organization. There was a series of science fiction novels by Keith Laumer, patterned after the US-Soviet diplomatic relations, where Groaci, the alien race patterned after USSR, had five eyes and were proud of it!

echo • October 1, 2018 2:20 PM

This is a fair essay by Susan. I believe she could have made firmer arguments on the legal theory side to better bring out this side of the argument. I'm not the biggest fan of Privacy International for historical reasons but this is something they should be more clearly advocating for. Overall I believe the ebb and flow of the media misses this and this is where strident voices of authoritarianism tend to be heard by default and the pop science end of the discussion which people more readily relate to is missed and a vacuum the extremists step into.

Five Eyes is turning into a caricature of over-tailored English villains dropping monocles into their whisky, loud Americans with cameras hanging around their necks wearing check trousers, and brazen Australians who think wearing a tie with their teeshirt and work trousers is good enough to pass muster in the club. I suppose I'm being snobby about these things. I just don't find position statements like the one Five Eyes released very impressive. They seem more like half baked comments with little working through and need filling out with material such as provided by Bruce and Susan among others.

Clive Robinson • October 1, 2018 3:31 PM

@ sfan,

    It's like the government wants to be omniscient and omnipotent

The laws of physics prevent that, so fools and lunatics ascribe it to deities...

Which brings up the salient point of institutional insanity due to a shared "God Complex"... In the past such delusions in individuals have given rise to incarceration, electroconvulsive therapy, and the old ice pick through the eye socket full frontal lobotomy...

One can but hope as they say...

Clive Robinson • October 1, 2018 4:39 PM

Missing History

I'm not sure if Susan Landau knows this or not but when she says,

    While law enforcement describes the problems posed by encryption as “going dark,” the NSA view is not as dire as that of FBI.

The whole "going dark" nonsense effectively started with FBI Director Louis Freeh, back last century. And it's an almost entirely faux argument, in that the FBI and other law enforcement agencies appear to get convictions without crypto access in by far the majority of cases where crypto has been used.

Freeh tried every trick he could including "secret briefings" in the EU and other countries to try and persuade them to "go first" such that he could then use it as leverage in the US, where it was entirely unwelcome.

Unsurprisingly he was told NO and the secret got leaked, which should have clipped his air-miles. However his basic personality did not allow him or his policy to be wrong in his mind, or that of his successors...

Which is why ever since then it has been standard policy of the FBI to keep doing this[1] ad nauseam.

Unfortunately a rather misbegotten bunch of UK politicians in part granted his wish with RIPA which by all rights should have been strangled before birth. The few cases brought before the judiciary have been treated with extreme caution with judges treating it like unexploded ordnance.

It was the same UK politicians that later rolled out the red carpet for the WMD lies thus paving the way for a MIC bonanza, and an uncountable number of deaths, cripplings, tortures, disappeared and much worse in the way of terrorism. Much to the obvious pleasure of UK MP and Minister Jack Straw[2] and later head of MI6 Sir John Scarlett, who got the top job in 2004 after brown nosing his way and manufacturing faux evidence as part of Tony Blair PM's Cabinet Office joint intelligence committee, that basically went against most of what the DIS (whose job it should have been to gather together analyse and appraise such information) said.

So such people such as Straw and Freeh[3] somehow manage to survive despite their more than significant failings.

[1] Obviously they don't believe in Einstein's definition of madness, more likely they do believe in the "Grinder" process...

[2] Jack Straw had considerable "previous" on breaking rules to gather personal information on people for political reasons. It goes back at least as far as when he was working for Labour leader and PM Harold Wilson when he accessed records he had no right to looking for dirt over the issue of the then alleged boyfriend of the Liberal party leader. Who allegedly had his dog shot in front of him by a hired hitman,

https://www.bbc.co.uk/news/uk-44336859

[3] If you check out Mr Freeh, you will find he was a thoroughly unpleasant individual that failed his basic duties of care and repeatedly interfered with quite legal investigations. As such he should have been fired or jailed, but like "Caesar's Wife" he got a pass on his quite despicable behaviour...

Clive Robinson • October 1, 2018 5:11 PM

@ Bruce, ALL,

There is another aspect I have not seen mentioned very much but it needs to be raised often and loudly.

Manufacturing of communications equipment is "global" in nature. Manufacturers of mobile phones for instance have absolutely no desire to hold inventory for different nations. Thus if one nation mandates something by law then all nations' phones will have it as a result[1].

So if Australia passes its legislation then every consumer communications device will have it added by default unless other nations pass legislation against it.

The question then defaults to market size... In theory Eire (southern Ireland) had legislation to that effect, but the EU of which it is a member has issued directives since that may have a legal effect on it.

Large as it is physically Australia has comparatively quite a small population (~25M) and many don't have what many would consider mobile phones unless they live and work in cities and suburban areas. Thus it is a small but nevertheless strategic market for some mobile phone manufacturers. Whereas Ireland is just part of the EU with the Northern half about to leave (via Brexit leaving the south Eire population at ~5M).

[1] Have a look at the history of GPS in phones for this. As with so many Intelligence Community requirements for spying, it was pushed as an unarguable against "Health and Safety" feature.

Jack's Complete Lack Of Surprise • October 1, 2018 7:30 PM

@Clive Robinson:

    Have a look at the history of GPS in phones for this. As with so many Intelligence Community requirements for spying, it was pushed as an unarguable against "Health and Safety" feature.

And ID checks for handset and SIM cards have been mandatory in Australia practically since forever. The main reason: to ensure the identity of the caller to emergency services. The real reason: well, you can only guess.

Interestingly the US doesn't have such checks (I guess) due to "burner phones". Perhaps they need to invest in such laws, if only to keep the surveillance state level across invested nations. (China has required IDs since about 2010, also for reasons quite possibly unrelated to medical health and safety).

me • October 2, 2018 4:22 AM

@Anders, @renke

yes, imho probably a backdoor.
the chip was fips approved and also approved by other entity.
they are supposed to extensively test it before approving but they missed a basic statistic problem.
how?

George • October 2, 2018 4:45 AM

@ Clive Robinson,

"Which brings up the salient point of institutional insanity due to a shared "God Complex"... In the past such delusions in individuals have given rise to incarceration, electroconvulsive therapy, and the old ice pick through the eye socket full frontal lobotomy..."

Thus, the "invisible hand" therein described by its original author cannot be a government of the people. Government influence cannot be "invisible" for the sole reason that governments must exert their influence thru rules and regulations, both of which are clearly written documents that must be publicly accessible.

One cannot follow rules, and regulations, that were not made visible.

The "memorandum of understanding" only exists among those who are "in the know"

Drone • October 4, 2018 5:23 PM

@wiredog, Roe v Wade has nothing to do with your Right to Privacy. How Roe v Wade is administered/enforced may impact your Right to Privacy (and that varies significantly by region), but the ruling itself doesn't. Saying that Roe v Wade and your Right to Privacy are inextricably linked is a ploy used by the Far-Left to weaponize voters against anyone that doesn't do what they say. Do yourself a favor, think critically before swallowing that baited hook. I'm Pro-Choice by the way.

Steve G • October 8, 2018 8:44 AM

@Clive Robertson

“Large as it is physically Australia has comparatively quite a small population (~25M) and many don't have what many would consider mobile phones unless they live and work in cities and suburban areas.”

Are you serious? Have you ever been to Australia? Australia has extremely high urbanisation - about 86% of the population lives in cities/suburban areas (CIA World Factbook estimate).

Most people have smartphones too. What the hell are you talking about that most people wouldn’t “consider a mobile phone”?

Clive Robinson • October 8, 2018 5:13 PM

@ Steve G,

    Are you serious?

As you basically said what I said but with different words, I guess that makes you as serious as I am.

    What the hell are you talking about that most people wouldn’t “consider a mobile phone”?

I perhaps ought to ask you more or less the same question of,

    Have you ever been to Australia?

But add "non urban and city areas" because I think you would know what I was talking about if you had lived and worked in those areas...

The last time I checked the Telstra mobile network was the largest in Australia, and whilst claiming to cover 99.3 per cent of the population it only covered a little under 2.4 million square Km. But Australia is about 7.7 million square Km, so they actually cover less than a third of Australia...

Yet people in vehicles communicate from all over. How do you think they do that?

Should I say "over" or "out"?

Eric • October 10, 2018 9:31 PM

@Drone

"With half the U.S. Government clearly moving away from a "Presumption of Innocence" to a "Prove You Didn't Do It" model, it's no surprise our "Right to Privacy" is also in jeopardy. "

It is our right as we the people to alter or to abolish current forms of government and reform new systems if the current systems become destructive. It is not up to them, it is up to us.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.