While encryption helps to protect personal, commercial and government information, it is also a tool used by criminals to frustrate investigations and avoid detection and prosecution. How will law enforcement address the risks presented by encryption, while not infringing on our privacy?
How do the ‘Five Eyes’ view encryption?
The ‘Five Eyes’ is an alliance of nations for the purpose of joint cooperation on matters of intelligence. It comprises Australia, Canada, New Zealand, the United Kingdom, and the United States.
While the Five Eyes nations support the role of encryption in protecting personal rights and privacy, the increasing use and sophistication of encryption presents challenges in combatting serious crimes and threats to national and international security.
While privacy laws are in place to prevent arbitrary or unlawful access to private data, it is an established principle that government authorities should be able to seek access to private information when a court or independent authority has authorised such access based on established legal standards.
The question is where the line is drawn between legitimate and unlawful access to data, and what the guiding principles are.
What principles do the Five Eyes follow?
The Five Eyes affirm a number of key principles in relation to encryption, which are outlined by the Australian Government Department of Home Affairs.
Providers of information and communications technology and services are subject to the law, which can include requirements to assist authorities to lawfully access data, including the content of communications. Law enforcement agencies in the Five Eyes countries need technology providers to assist with the execution of lawful orders.
However, due to the increasing use and sophistication of encryption technology, there may be more cases where it is difficult to access information. This could create complex legal terrain to navigate, blurring the boundary between legal and illegal requests for access to data.
For example, will a law enforcement agency be able to legally compel Facebook to send someone a Trojan horse, in order to extract information for use in a criminal investigation? Will Facebook be acting legally in assisting with this request, and will rejecting such a request be seen as not complying with the law?
Rule of law and due process
Access by authorities to the information of private citizens should only occur pursuant to the rule of law and due process, in order to maintain the values of our democratic society. This lawful access should always be subject to oversight by independent authorities and/or subject to judicial review.
Freedom of choice for lawful access solutions
The Governments of the Five Eyes encourage information and communications technology service providers to establish lawful access solutions to their products and services, which may be tailored to their individual system architectures.
To date, however, governments are still experiencing significant impediments to lawfully accessing personal information for a criminal investigation. If the current state of affairs continues, governments may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.