Five Eyes announce intentions for back door live access to secure communications

Wednesday, September 5, 2018

New Zealand tech businesses routinely find themselves subject to data access requests from government agencies.

Government access to customer data goes straight to the heart of the trust customers have in digital brands.

Notable consumer tech heavyweights including Google, Apple, Facebook and New Zealand’s own Trade Me have taken to reporting on government access in order to bolster trust in their custody of sensitive personal material.

Trade Me lead the way in New Zealand and its transparency reporting was recently the inaugural recipient of the Office of the Privacy Commissioner’s Privacy Trust Mark.

But while government already enjoys a number of rights to access your customers’ securely held personal information, it would seem they intend to go further.

Digital business would be well advised to keep an eye on the obligations that might be coming over the horizon.

A call for more access to encrypted communications

In late August Five Eyes, the signals intelligence alliance between the UK, New Zealand, Australia, the USA and Canada, called on the “digital industry to take more responsibility” and establish “lawful access solutions” to customer data when they provide ubiquitous encryption.

Ministers Andrew Little and Iain Lees-Galloway together with Attorney-General David Parker attended the Five Eyes meeting and agreed to its various statements on New Zealand’s behalf.

Although the call was for technology vendors and service providers to voluntarily establish lawful access solutions, the subtext is an expectation that Five Eyes member governments will legislate to enforce that lawful access.

What can government agencies already do?

In New Zealand, government agencies already have considerable powers to access data.

Network operators are required by the Telecommunications (Interception Capability & Security) Act 2013 or TICSA to be “interception ready”. They must, if a lawful warrant is issued, facilitate interception of communications, including decrypting them, to the extent they have provided the encryption.

TICSA applies not just to phone calls but to all data transferred over a network and to anyone who operates a public data network, including any wifi network that offers internet access to the public.

TICSA contains a discretion enabling law enforcement agencies to compel anyone offering goods, services, equipment or facilities that enable or facilitate telecommunication to assist in a search including decrypting telecommunications where they have provided the encryption.

As well as the powers under TICSA there are much more commonly understood powers that the Police and other security agencies can exercise to access customer data if they suspect a crime.

In the case of individuals they can arrest a suspect and then search them, and they can compel a person to unlock a phone or laptop or cloud storage account (although an individual can say no on the grounds of self-incrimination). These powers are contained in the Search and Surveillance Act 2012.

With a warrant, they can compel any service provider to unlock customer accounts and devices.

In through the back door: is live surveillance the future?

If the Police and GCSB already have a range of powers and methods to access your customer’s data. What then do they want?

Government agencies, and by extension Five Eyes partners, can already access your customers’ data directly by obtaining a device and having the owner or a third party unlock it, can intercept customer data through a TICSA-registered carrier, and require them (or a service provider, like Gmail for example) to decrypt it, can obtain the information from a service provider by warrant, or can demand it under the Privacy Act without a warrant.

What powers do they not already have?

 “Lawful access solutions”, it would seem, is newspeak for back door: direct and real time access to decrypted customer data.

Five Eyes’ statement talks about leveraging their “investment in emerging technologies, including digitalisation and artificial intelligence, to improve facilitation and mitigate risks through real-time intelligence and information sharing”.

If you’ve seen the movie Minority Report you will be familiar with the theme.

What next?

We will have to wait and see how the digital industry responds. For consumer-facing businesses the potential for brand damage is substantial. We’ve seen Facebook resist efforts to break end-to-end Messenger encryption and Apple refuse to unlock a suspect’s iPhone. Both of those companies are on the record about the hacking risk of back doors.

Network backbone operators like REANNZ (who have had a patchy relationship with TICSA), may also push back firmly on requests to compromise encryption because of the risk of hacking.

Civil liberties advocates throughout the Five Eyes nations can be expected to protest, loudly, any government moves to force the tech industry to facilitate automated monitoring of encrypted data. InternetNZ’s Jordan Carter has already described the move as “worrying.”

The Australian government, currently considering legislation similar to TICSA, has made it clear that it does not intend to compel any back door access.

New Zealand businesses and not-for-profits concerned about this should not be complacent. New Zealand moved early with TICSA in 2013 and may again look to lead.

Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.