Encryption Experts Asked G7 to Set the Right Example

Prior to the beginning of the G7 summit in France, encryption experts around the world wrote an open letter to G7 leaders asking them to not undermine encryption. While the end of the summit didn’t result in any pro-encryption statements from the G7 leaders, the fact that there weren’t any more calls for lawful access may be a relief.

Lawful access is a legal concept about how governments can intercept or seize information as part of law enforcement or intelligence activity. Some governments want to legally require companies to give law enforcement and intelligence agencies access to encrypted content. Even though cryptographers and encryption experts have warned that there isn’t a way to set up encryption so that only “good guys” can read it and “bad guys” can’t, government officials continue to argue that there must be a technical way to make this happen.

The G7 Open Letter was a “call to the G7 and other world leaders not to undermine encrypted services in pursuit of law enforcement access to encrypted content,” said Christine Runnegar, senior director of Internet Trust at the Internet Society. That means not asking for intentional backdoors in services and products that use encryption, not withholding vulnerabilities instead of disclosing them in a timely manner so that they can be patched, not disabling encryption where it is turned on by default, and not banning or restricting the use of encrypted services.

Insisting on this course of action would undermine the security of digital communication and data, and make everyday activities such as online banking, online shopping, and keeping in touch with friends and family hard to do.

“[Notably,] we ask you to protect and promote strong encryption which is the foundation for our digital economies, digital societies, and interdependent lives,” the experts wrote in A Joint Call to World Leaders for a Secure and Trusted Digital Economy. The letter was signed by over 30 global organizations, including the Internet Society, Access Now, Electronic Frontier Foundation, Association for Progressive Communications, and the World Wide Web Foundation.

These are troubling times. The United Kingdom and Australia have passed legislation requiring service providers to be able to hand over to law enforcement the contents of encrypted communications. India wants message traceability for end-to-end encrypted messaging apps. The government of Kazakhstan asked the country’s internet service providers to encourage users to install a government-controlled root certificate on their computers. The United States has long called for lawful access, and Attorney-General William Barr signaled that the Department of Justice is willing to push for lawful access, especially for personal encrypted messaging apps such as WhatsApp.

At the last G7 ministers summit in April, the finance ministers expressed support for law enforcement to have backdoor access to encrypted communications, while acknowledging the importance of “not prohibiting, limiting, or weakening encryption.” The resolution from that summit urged technology companies to “establish lawful access solutions for their products and services, including data that is encrypted,” for law enforcement (and related authorities) to access when necessary (in the case of an investigation, for example), “while ensuring that assistance requested from internet companies is underpinned by the rule of law and due process protection.”

This G7 summit did not release a similar statement.

However, the “Five Eyes” nations—intelligence agencies from the United Kingdom, United States, Australia, Canada, and New Zealand—met in London recently, and echoed the demands for backdoor access (UK’s GCHQ has called it a “ghost protocol”) so that they can investigate serious crimes and acts of terrorism. UK police have claimed that at least one of the people involved in the terror attack on the London Bridge used the encrypted messaging app WhatsApp, but that they are unable to see the contents of the messages.

For the encryption experts, it was critical to remind the G7 leaders that encryption technologies “protect the integrity and confidentiality of digital data and communications” by securing web browsing, online banking, and critical public services like electricity, elections, hospitals and transportation. The demands for lawful access bring “uncertainty and impact to customers’ buying decisions” because they are wondering who to trust with their data, Runnegar said. The diminished trust in security products and, by extension, the company itself, would have “consequences for tech export markets, jobs, and innovation in the security industry,” Runnegar said.

Just before the G7 leaders met, a coalition of trade groups representing some of the largest technology companies in the United States, Europe, and the Asia-Pacific sent a letter of 12 recommendations on global technology issues. In that letter, which touched upon digital trade, cross-border data flows, tax policy, and AI, the trade groups recommended the G7 enhance cybersecurity by using “risk-based approaches grounded in global, consensus-based, industry-led standards and best practices.” The letter was signed by trade groups such as the Information Technology Industry Council (ITI), Computer & Communications Industry Association, the Communications and Information Network Association of Japan, Software and Information Industry Association, and techUK.

The groups said the member countries should “Oppose measures that force disclosure of source code, algorithms, encryption keys, or other sensitive information as a condition of doing business,” something companies are worried will happen more as countries pass their own laws around encryption.

“Other countries look to the G7 when making their own policies and laws, so what the G7 countries do could be replicated across the world,” Runnegar said. “We are asking leaders to set the right example on encryption.”