A Criticism of the Five Eyes' Statement of Principles

A student issue analysis for MIS41240 at University College Dublin.

Written by Conor Walsh, Summer 2019. Dublin.

Introduction

The Five Eyes (FVEY) intelligence alliance's 'Statement of Principles on Access to Evidence and Encryption' was published in September 2018. The document was issued by the Attorneys General and Interior Ministers of FVEY's five member states.

The statement appears to be a public commitment by FVEY to the principles of privacy, security and legal process. In reality, however, the document reads more like a threat to technology and communications companies to provide intelligence agencies with access to encrypted user data. The statement warns that if these companies refuse to voluntarily surrender desired data, they will face FVEY's use of 'technological, enforcement, legislative or other measures to achieve lawful access solutions'.

FVEY justifies its position by committing to three principles that promote privacy rights, due process and public security. In the following section, I will critique each of the three principles individually.

FVEY's Statement of Principles is impossible to take seriously

1. Mutual Responsibility

The first principle relies on the assumption that it is in the best interest of the citizens of FVEY's member states that their encrypted data is accessible to intelligence agencies whenever mandated by 'lawful orders'. However, the supposed benefit to society of widespread backdoor access to data (a backdoor being a covert means of access to encrypted or other data) is neither proven nor a given. As Christopher Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union, argues, backdoors are fundamentally in conflict with good security. The presence of a backdoor in a communications system places every user's data at risk of being compromised, not just intelligence targets. Backdoors can provide a point of access for hackers. As Stephanie Pell, assistant professor at the Center for Internet and Security at Stanford, contends, encrypted communications systems with 'lawful interception' backdoors are much more likely to suffer a major loss of communications confidentiality than systems without this feature.

Compounding this problem, as documents leaked by Edward Snowden and others revealed, the UK and US, via the Government Communications Headquarters (GCHQ) and the National Security Agency (NSA), are intercepting and decrypting communications not just linked to undoubtedly harmful activity such as terrorism and organised crime, but also citizen medical records and even Chancellor Angela Merkel’s phone communications.

My view is that intelligence agencies already possess the vast resources, experience and knowledge necessary to effectively collect vital security information needed to protect their societies from cyber threats, without the need for backdoors to private data. Backdoors are too invasive and pose too great a risk to personal privacy and security. Backdoors to encrypted information and communications are not in the interests of the general population, despite the misleading claims made by FVEY.

2. Rule of Law and Due Process are Paramount

This principle contradicts the long-standing principles of FVEY's intelligence agencies and the uncomfortable reality of their day-to-day activities.

FVEY intentionally ignores that some or all of its intelligence agencies are unlawfully recruiting technology employees to reveal proprietary information about their employers' technology and data. This gives the agencies direct access to vast populations of data and communications. Moreover, companies such as AT&T and Microsoft have covertly provided access to considerable amounts of corporate data. This is the same data that these companies have represented as encrypted and private to their business customers.

The US Constitution protects citizens from unlawful search and seizure, and the four other FVEY members profess to enforce similar laws. GCHQ, however, possesses the unlimited power to store any Internet communications for up to five days, allowing time to decrypt and analyse communications as it can or pleases. This may be legal under UK law, but GCHQ does not respect international sovereignty in this regard. For example, Snowden's leaked documents also revealed that GCHQ monitored Irish phone conversations. It could also be argued that the powers granted under the Patriot Act in the US, despite certain restrictions and oversight provisions, virtually eliminate due process in accessing citizens' data.

Under agreements between FVEY's member states, information that is obtained in one state in a manner that is illegal in all of the other states can be lawfully distributed to any of the FVEY states' intelligence agencies.

For these reasons, I argue that FVEY's trading of data to bypass local data storage laws contradicts this principle's stance that the rule of law, including local laws, should be adhered to and respected.

3. Freedom of Choice for Lawful Access Solutions

This principle is wilfully blind to the de facto lack of citizens' and companies' choices as to whether their data is accessible to the international intelligence apparatus. The NSA pressured the Communications Security Establishment to include its flawed version of Dual_EC_DRBG (the US's preferred encryption standard) in Canada's procurement requirements; the NSA and GCHQ exert immense computing power to break legitimate encryption; and the law is otherwise readily manipulated or ignored entirely by intelligence agencies to force 'cooperation' and conceal their activities.

Conclusion

In my view, FVEY's principles are insincere and deceptive. FVEY's intelligence agencies promote backdoor access under the veil of enhancing security, but they are fully aware that backdoors can weaken overall security. FVEY attempts to maintain the appearance of offering free choice to companies by using terms such as 'voluntary cooperation' in its statement, but contradicts this sentiment by providing companies with no viable alternative to surrendering their data. Likewise, the principles of 'due process' and 'lawful order' are contradicted by FVEY's operating practices. The principles were being broken by FVEY before they were conceived and will continue to be disregarded for the foreseeable future. Simply put, FVEY's Statement of Principles is impossible to take seriously.