G7 Comes Out in Favor of Encryption Backdoors

From a G7 meeting of interior ministers in Paris this month, an "outcome document":

Encourage Internet companies to establish lawful access solutions for their products and services, including data that is encrypted, for law enforcement and competent authorities to access digital evidence, when it is removed or hosted on IT servers located abroad or encrypted, without imposing any particular technology and while ensuring that assistance requested from internet companies is underpinned by the rule law and due process protection. Some G7 countries highlight the importance of not prohibiting, limiting, or weakening encryption;

There is a weird belief amongst policy makers that hacking an encryption system's key management system is fundamentally different than hacking the system's encryption algorithm. The difference is only technical; the effect is the same. Both are ways of weakening encryption.

Posted on April 23, 2019 at 9:14 AM • 26 Comments

Comments

RealFakeNews • April 23, 2019 9:26 AM

"Encourage"?

What happens if they don't comply?

Also, this is rather futile, as the tools already exist to protect information that doesn't have any known backdoors.

How stupid are these people?

RealFakeNews • April 23, 2019 9:27 AM

In my previous post, "known" should read "deliberately and overtly planted".

Jonathan Rosenne • April 23, 2019 9:35 AM

Have they heard of OTP? Their navies used to use it a long time ago.

V • April 23, 2019 10:19 AM

"competent authorities" == loophole? (but it doesn't matter: law enforcement agencies are a different category)

Another Mouse • April 23, 2019 12:52 PM

Just wondering why the FBI in the movies always breaks the front door and never the back door...

Petre Peter • April 23, 2019 12:54 PM

This is an attack on encryption and on the idea that I can have a secret.

Index Finger Security • April 23, 2019 1:50 PM

"Build digital and media resilience through education, training initiatives, which empower people to think critically and identify misleading information, including through collaboration with civil society organisations;"

This helps me feel "safer" already /s

I'm not that smart, but do these G7 folks really think that the continued "war on terror" will be solved by controlling the web? Back at the beginning of the Afghan war I stated that killing people will not get rid of the ideology. In playing a mental devil's advocate I've come up with a whole slew of offline means (and sneaky online means) to pursue that ideology. The internet is an easy and visible means to those ends but not necessarily the most effective or sustainable.

Impossibly Stupid • April 23, 2019 3:21 PM

Weird indeed. This really does seem to be the darkest timeline. I'm at the point where I'm not sure if these G7 "leaders" (and so many other people in power) are intentionally deceitful, grossly incompetent, woefully idiotic, or just straight up insane.

Regardless, I think the proper response to anyone suggesting an irrational course of action is: You first! The government doesn't need to wait for companies to create these "access solutions". Like currencies, they are empowered to create the exact kind of encryption algorithms they deem suitable for this, start using them for their own data security, and then mandate their use for any intersecting applications. Problem solved. Don't bug the general public regarding compliance until you have a reference implementation in the field.

Clive Robinson • April 23, 2019 3:50 PM

What it shows is certain G7 politicians can neither reason nor think logically.

Oh and by the way it is not about what we mere mortals would consider "terrorism" that is just the excuse.

It's actually about "status" and would be quite funny if the consequences were not so horrific.

Those in power like to think that they were "born to power" thus are different from the mortal clay they see all around them. They thus have a sense of entitlement over everyone else. Hence the sad joke behind "First amongst equals" because they do not believe any one is their equal let alone better than they are.

This "entitlement" spreads across their entire purview. Thus they are entitled to know what you think and say whilst you are not entitled thus have no reciprocity.

But with that sense of entitlement comes the notion of demonstrating it by status. That is much like the Roman emperor was the only person allowed to wear purple or in medieval France the "courtly lists" defined what you could or could not wear, own or use to hunt etc (the end of which kind of coincided with the improved crossbow).

It's this recognition of entitlement that is probably of more importance to such people than what the entitlement gets them.

The result is the perverse position where those with a sense of entitlement would cheerfully take action to reduce their own circumstances, if it reduced more everyone else's circumstances, thus increasing the all important status gap.

So reducing your privacy more than their privacy is about widening the status gap.

Such people cannot be reasoned with; the only sensible thing to do with them is remove them from any kind of power or influence once and for all. In times past monarchs had a few basic ways to deal with those that caused them issues. They could do this by execution, imprisonment or banishment[1]. Ironically which punishment you got usually reflected your perceived status. The Church had similar punishments including excommunication.

In theory voters have the power once every few years to "banish" politicians into the political wilderness for at least one term if not indefinitely. However those with entitlement usually ensure that this can not happen to them by becoming the representative in a constituency that votes not on a candidate's or party's merits but on traditional party lines, where they are in effect almost guaranteed to be reelected.

[1] Even today the power of banishment in its various forms is still seen as very significant. In Britain we have the notion of "being sent to Coventry" where a group formally ostracize a member by not just 'turning their backs' but by refusing to communicate with them or about them. In effect the person ceases to exist to the group. It's used to great effect by the likes of cults that enforce strong group membership to the exclusion of all others.

Clive Robinson • April 23, 2019 4:49 PM

@ Bruce,

I note,

    Some G7 countries highlight the importance of not prohibiting, limiting, or weakening encryption;

Do we know which countries they are?

Also it would be interesting to make a Venn Diagram of the G7 countries and Extended Five Eye countries and those whose "Interior Ministers" were in favour of backdoors...

In the UK we have had a run of "Home Office" ministers (ie Interior Minister) that were very "no dark place" active. Even when their known past misdemeanors suggest they should not be in favor...

james • April 23, 2019 5:44 PM

Clive Robinson:

    Those in power like to think that they were "born to power" thus are different from the mortal clay they see all around them. They thus have a sense of entitlement over everyone else. Hence the sad joke behind "First amongst equals" because they do not believe any one is their equal let alone better than they are.

Those in power are in power because people put them there. Unfortunately as technology goes smarter, it seems that people go the other way around.
Encryption == Mathematics. Laws of mathematics, physics, chemistry, will always prevail no matter what. I wonder why don't they pass laws forbidding hurricanes, storms, floods or other natural disasters? Volcanoes maybe?

This has nothing to do with law enforcement / terrorism / human exploitation. This only has to do with control over the masses, whistle-blowers, journalists that don't agree with those in power, etc. Knowledgeable people will always use custom solutions, and so will criminals. Those in power play the usual cards (terrorism etc) to "protect" the people from the "problems" that those in power created in the first place.

Spinning and Grinning • April 23, 2019 6:06 PM

At some point people might start to wonder if we are not in a special kind of open-air prison, a panopticon.

müzso • April 23, 2019 8:13 PM

I wonder what "Internet companies" means in their interpretation? :o There're open-source tools for safe, encrypted communication that no company has control over. How are "internet companies" going to put backdoors into community built software? Or do they expect GitHub/GitLab/etc. to "inject" backdoor code into all sorts of open-source projects?

On the other hand, this is a prime example for how to use threats of "terror" and violence to centralize power and extend its control over free speech. The same tactics as used by so many dictators and politicians.

How many "Patriot Acts" do we need before people wake up and elect representatives that care about freedom of speech and thought, and are not easily shocked into voting for stupid, mass surveillance systems?

P.S. To answer my own question, "internet companies" means the operators of today's societies' largest communication platforms. The decision makers do not have to cover all bases, they only have to cover the vast majority of all communications (largest social networks, email providers, etc.) and this means only a handful of companies, eg. Facebook, Google, Microsoft, Apple, etc. They all have major business interests in the G7 countries, so they will play by their rules.

Dennis • April 23, 2019 9:55 PM

@Clive Robinson wrote, "In theory voters have the power once every few years to "banish" politicians into the political wilderness for at least one term if not indefinitely. However those with entitlement usually ensure that this can not happen to them by becoming..."

This is certainly true in theoretical terms, but in reality those who wield true power are hidden behind layers of front men (who usually are politicians). Thus, whether Democrat or Republican the people elected are both normalized to stand for certain ideologies.

Erdem Memisyazici • April 24, 2019 12:52 AM

What's next? Having secrets your government doesn't know about you? That's lunacy.

Michel R. • April 24, 2019 6:02 AM

The document immediately starts with a reference to a recent terrorist attack, which essentially means that what follows is rooted in emotions. Can't expect any good to come out of that.

TheInformedOne • April 24, 2019 10:12 AM

This whole debate is more a legal than technological one. If your country has laws which require businesses to provide information during the discovery phase of a legal proceeding, and the company states they cannot or will not comply because the data is encrypted, then they are in breach of request and should face consequences. Companies or individuals have every right to keep their data safe and protected, however breaking the law is, well, breaking the law. If the law is written in such a way that your government can act like a police state and you don't like it, then try to get the laws changed. The U.S. could have been the 1st to bring privacy legislation into law, except big data has been blocking such efforts through lobbying and other strategies (e.g. Facebook, Google, Microsoft, Apple). I love the quote from Edward Snowden where he says, "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say." "When you say, 'I have nothing to hide,' you're saying, 'I don't care about this right.'"

Denton Scratch • April 24, 2019 11:41 AM

@muzso (apols for missing umlaut):

"I wonder what "Internet companies" means in their interpretation?"

As someone else noted, it means mass service providers. These are the providers that (in the UK) are required to block access to Pirate Bay, and are about to be forced to implement an age-verification system to control access to YouPorn etc.

But anyone can rent a virtual server and install a VPN, or a proxy server; or you can subscribe to a shared VPN system; or you can just rent a server that is not in UK jurisdiction (e.g. an Amazon EC2 instance in Virginia). You can rent such systems in the UK, from UK companies. They are dirt-cheap. At their simplest, they are so easy to use that a ten-year-old could use one. Hosting companies are not included in the meaning of "Internet companies", when we are discussing blocking and backdoors.

So I gag at the sight of politicians posturing about backdoors and blocking. I just can't believe that we are governed by such a bunch of prudish, ignorant morons. The internet passed these idiots by 20 years ago; most of them have private secretaries whose main job is to read their email for them. I doubt most of them can even spell 'VPN'.

We are speaking of the G7, right? The leaders of the wealthiest and most powerful nations in the world? That G7? It's sad to see a group of such people pissing in the wind like that.

Name • April 24, 2019 2:09 PM

@TheInformedOne

No, it's not just a legal issue, because if the law requires anyone other than the intended recipient to be able to decrypt things, then the law is technically banning both real privacy and proper ordinary common encryption. Legalities and technicalities are related in this way.

You see, if encryption is technically banned by law, then common protocols like TLS and SSH are also illegal... and then all e-commerce, banking, and remote access of anything over the internet is also banned. Never mind the economic impact, you haven't needed to drive down to the building where your server machine is physically located to manage it for many years now. It's a reversal of decades of advancement, both socially and economically, as well as technologically. Oh, sorry, brick and mortar stores, we need all of you back, no more Amazon...

"Oh but don't be absurd, they'd never do that..." you say.. right... I agree they'd never intentionally do that, but unknowledgeable people in government do all sorts of ridiculous things unintentionally, once you try following their laws technically... Just look at the mess GDPR is causing technically, with a whole new "cookie consent" industry rising up, trying to help the masses get compliant and put popups on every webpage worldwide! (at least, for anyone that resides in or does any business in Europe, which most of the world does worldwide business). Trying to legally control or alter basic math (i.e. encryption) in any way will make that look like a cake walk.

Impossibly Stupid • April 24, 2019 3:09 PM

@TheInformedOne

    This whole debate is more a legal than technological one.

No. Mathematics is a fundamental science. And the strongest encryption operations (i.e., using an OTP) are incredibly easy, too. Anyone who thinks they can legislate against reality firmly plants themselves in one of the four categories I mentioned above (or worse).

    cannot or will not comply because the data is encrypted, then they are in breach of request and should face consequences

If they weren't the ones who encrypted it, how do you expect them to comply?

    If the law is written in such a way that your government can act like a police state and you don't like it, then try to get the laws changed.

As though opposing a police state were an easy task. As though this story isn't yet another example of how ardent some people are to move the laws in the opposite direction.

Mike • April 25, 2019 4:48 AM

@TheInformedOne

"If the law is written in such a way that your government can act like a police state and you don't like it, then try to get the laws changed. "

This could be true if politicians weren't bought and paid for.

Burt X • April 25, 2019 9:59 AM

@IndexFingerSecurity

    killing people will not get rid of the ideology

It will, if you kill enough of them. You may have to kill all of them, or nearly all of them, and sow the fields with salt.

But the West no longer has the sand for this kind of conquest. The Romans would be ashamed of us. At some point, a warrior-like culture with fewer moral qualms is going to wipe us out. Nietzsche would not miss us.

Simmon • April 26, 2019 10:49 AM

Reads like the Australian T.O.L.A. changes are making a move into the G7 countries.

Oh, and the guy in Christchurch didn't use any encryption, only standard https in the streaming to Facebook about 30 or so after emailing 30+ New Zealand government addresses his manifesto.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.