What to Expect from the Five Eyes’ Threat on Encrypted Data

A group of representatives from five nations met early this month to issue a multinational demand on tech companies. This group, called the Five Eyes, or FVEY, issued a memo which would require that tech companies develop backdoor access to encrypted user data for governmental use. The pact was motivated by governmental intelligence agencies’ repeated dead-ends on investigations wherein encrypted data is unobtainable. According to the issued memo, any company unwilling to volunteer this type of access will be provoked to do so, by this government entity.

This isn’t the first move in the long-standing conflict between government intelligence entities and tech companies, globally or domestically. Since 2013, governments have pushed heavily on global tech giants to make encrypted data accessible for intelligence purposes. The early-September meeting marks an escalation where legal or other action has been threatened.

TL;DR

• Like all classic spy organizations, Five Eyes (FVEY) began in response to WWII and includes several of the world’s greatest powers. Now, this groups wants to force data companies to give them a backdoor into all user data.
• Encryption serves as a method to protect user privacy.
• If companies agree to creating backdoors, they will likely face backlash from customers. However, more extreme outcomes could create more danger than safety for the public.
• Legal penalties may not give companies a chance to defend the ethics of user privacy.
• Data that would become available to the government via encryption backdoors includes health, financial, and other personal information.

The history of the Five Eyes

The Five Eyes group includes the United States, the United Kingdom, Australia, New Zealand, and Canada. FVEY, for short, includes members of the major intelligence agencies in all five countries including the NSA, FBI, CIA, DIA, and NGA, here in the U.S.

The group originates as a post-WWII intelligence coalition, near the time of the inception of our own Central Intelligence Agency. FVEY has since developed other inter- and intra-national intelligence efforts such as ECHELON during the Cold War. ECHELON was used in the mid- to late-20^th century to tap phones, collect faxes, capture email communications, and intercept data. Although participatory governments refuse to openly confirm its existence, ECHELON reportedly remains one such global protocol for monitoring and intercepting communications.

FVEY efforts to monitor citizens were mapped over to the world wide web in the late 90s, ramping up considerably after the 9/11 attack. The FVEY has co-aligned to take down governmental enemies and world leaders and perform collaborative investigations. The groups bug foreign offices, perform insider investigations, and partner with other countries – like the Nine Eyes and Fourteen Eyes.  Though intelligence-sharing is common in pacts and treaties between many countries worldwide, the FVEY pacts are more secretive and function on more of a trust economy.

What is encryption?

Encryption is a method of preventing data theft, data infiltration, hacking, or privacy invasion. To encrypt data, the service provider will scramble up the data during transmission. This technology evolves constantly and is impenetrable for hackers because the encryption algorithm changes with every message. Services like Facebook messenger, WhatsApp, Telegram and others are encrypted in this end-to-end manner. The intent is to make sure that individuals can communicate in a private manner, but that’s not all. Encryption protects heavily sensitive data – personal records, financials, HR data, and legal information. Without this end-to-end encryption being protected, these types of private data could become susceptible to hackers and upended by enemies.

What risks do tech companies face if they comply?

The risks are serious, but variable. Companies that exist on the premise of encryption – like WhatsApp, for example – could cease to exist as they do now. Companies that use encryption for certain sub-services– like Facebook, with their messenger platform – could see a dramatic decline in usage. Compliant companies could see initial backlash, criticism and boycotting from users. However, if all companies forcibly comply, user outrage will turn to apathy.

The outrage from consumers would only be the beginning of a larger downfall. Companies who provide governmental access into encrypted data could end up violating their own user or privacy agreements. Lawsuits could ensue, but worse – this endeavor could end in hacking and data breaches unlike anything we have seen before. Large-scale criticism has already swept through the cryptography and security communities, as they warn of dangers that FVEY doesn’t address. What happens if encryption-reversal or another back-door creates an access point for global enemies? What happens if making decryption possible, also makes hacking and data theft possible? Critics also refute the idea that backdoors to encryption would help investigators solve crimes at all.

Congress introduced a bill in May of this year to block efforts to enforce backdoors. The bipartisan bill, titled the Secure Data Act, would prevent encryption workarounds. Congresspersons wrote the bill on the principle that malicious entities can and will steal infiltrating technology from the Five Eyes. If the Five Eyes plan to purport their own legislation to enable backdoors, the clashing efforts could be racing to completion against a backdrop of anxiety over security.

 

What happens if tech companies refuse compliance?

According to the Five Eyes memo, any company unwilling to comply could encounter “technological, enforcement, legislative, or other measures” to come to a lawful agreement on access. This could mean that the governmental entity has devised a technical approach to combat encryption. Perhaps more likely, FVEY intends to push forth legislation to force compliance and put companies at risk of penalties. In this case, legislation may not apply retroactively, but could require companies that use encryption to employ a more interception-susceptible form of security. Companies may incur large fines, involuntary compliance, or forced shut down for failure to comply. While the language surrounding this threat from Five Eyes is serious, the go-forward plan remains abstract.

The demand rests with tech companies

It is likely that while the Five Eyes threatens a potential “technological” enforcement of their latest demand, they don’t have the tech to back that up. The group has called upon the tech corporations themselves to develop whatever technology necessary to undo their own encryption and make backdoors a possibility. Further, the alliance calls upon tech companies to form solutions preventing users from uploading illicit and illegal information at all. If nothing else, the accountability rests with these companies to triage and execute the swift takedown of illegal information.  The retroactive and ongoing removal of illegal or harmful content is currently underway for most social and chat apps. However, encryption reversal presents a challenge for any company that offers it as part of their terms of use.

What can users like us expect from this most recent push for access?

Consumer impact depends on how the government approaches enforcement and how tech companies choose to push back. If FVEY takes a technological approach and has access to an unknown technology that’s able to bypass encryption, the tech world will quake. In this unlikely scenario, previously encrypted data could become threatened for infiltration. If the government plans to require companies to un-encrypt or halt the use of encryption as we know it, we will all become less private online. Teenagers selling weed through WhatsApp might feel annoyed, but the rest of us have larger concerns. Namely, our health portals, financial apps, and other private and encrypted data zones will be fair game.

While FVEY may not care about what law-abiding citizens are keeping private online, hackers and exploiters might. Stay cognizant about what you do online and who captures your data. This FVEY summit happened very quietly with very little news coverage. We continue to hope that technology companies will protect their users’ data but that reality remains threatened.