This article originally appeared in LawNews (ADLS) and is here with permission.
By Diana Clement
The New Zealand government, along with its Five Eyes intelligence partners, has called for tech firms to open a ‘back door’ to encrypted communications to make it easier for law enforcement to access information.
What are the implications for law firms and their clients’ data?
Just five days before this year’s election, when the country’s attention was fixated on politics, Andrew Little – then Justice Minister and now the minister responsible for both the GCSB and NZSIS – signed a controversial statement asking technology companies such as Facebook, Google and Apple to allow access to encrypted communications and data passing through their services.
Australia has already come to the party. The controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 enables Australian law enforcement and intelligence agencies to compel anyone providing a service or product that involves telecommunications or the internet to remove electronic protection, such as encryption.
Not only is it an offence not to comply but those required to turn over information are not permitted to disclose that the compulsion order even exists. New Zealand organisations which store information on Australian servers have been warned that their data might be at risk. Read more.
Tech companies encrypt – ie, scramble - their users’ messages, audio and video communications from ‘end to end’, meaning they can’t be accessed by others. This gives individuals, businesses and other organisations total privacy, but is a significant barrier to legal access to those messages by law enforcement.
The Five Eyes countries, along with Japan and India which also signed the agreement, argue that unbreakable encryption technology creates severe risks to public safety, in particular to vulnerable groups such as sexually exploited children. But any back door will affect all internet users.
And the statement Little signed is inconsistent with New Zealand’s cybersecurity strategy, which notes that secure data is fundamental to a robust and thriving society. It also warns that as more people use and do business on the internet, the payoffs from cyber and cyber-enabled crimes will increase, attracting greater numbers of cybercriminals
Lawyers whose eyes might glaze over at the mention of technology should pay attention. End-to-end encryption as a concept is simple to understand and among the data at risk are their client files and other confidential information.
ADLS Technology & Law committee member James Ting-Edwards likens unencrypted communications to a postcard that can be read by anyone whose hands it passes through. An encrypted communication would mean the postcard was placed inside an envelope.
Since whistle-blower Edward Snowden leaked classified information revealing the extent of global surveillance programs, technology companies have increasingly added security to their services, including unbreakable encryption.
End-to-end encryption is what enables business to thrive online.
Former Commerce & Consumer Affairs Minister Kris Faafoi, when launching New Zealand’s cybersecurity strategy in 2019, said encryption ranged from the basic functioning of New Zealand’s economy and society – our jobs, banks and schools – to the delivery of government and telecommunications and electricity services.
“We need to know that our systems will keep running, that our personal and commercial information is safe and that we can trust the information that we use to make decisions,” he said.
Ting-Edwards says anyone seeking to comply with privacy law and those with obligations of confidence, such as lawyers, needs encryption.
“It’s very easy to find people pushing a hard-line position on both sides of this. Now that the internet includes four billion people there are some difficult, nuanced problems about how the administration of social life, how the admin of government happens in a world where this exists.
“We really do need access to encryption for all kinds of privacy and security reasons but that’s not to say the policy and law enforcement concerns raised don’t matter. They do matter.”
Banks and professionals
Security breaches resulting from a back door could affect our communications with banks and commerce, and professionals such as lawyers and doctors who need security to ensure the confidentiality of their clients’ data, says Marcin Betkier, a law lecturer at Victoria University and a committee member of the Privacy Foundation NZ (whose patron is Dame Silvia Cartwright).
But it won’t necessarily be safe if the Five Eyes governments have their way and a back door is opened to monitor those communications and data on organisations’ servers or in the cloud. Criminals and state-sponsored actors using cyber tools for geopolitical advantage could be given a new way to break encrypted communications for their own ends.
Andrew Little’s signing of the document marked a change in our approach, Betkier says. In a report about the proposal, the foundation called for careful review and validation by the New Zealand public.
“We are concerned that the New Zealand government has signed the statement without wider public consultation or discussion,” the foundation wrote. “This is critical in light of the direct impact that undermining encryption would have on New Zealanders’ privacy and cybersecurity.”
In an interview with LawNews Betkier added: “It would be naïve to think you could have some sort of private, exclusive access for Five Eyes. Not Russia, China or North Korea. It’s not that easy.” Systems leak sooner or later.
Betkier cites the case of Moscow-based cybersecurity company Kaspersky Lab, which in 2017 either actively or passively enabled the hack of a US National Security Agency contractor’s data. The contractor was working to replace hacking tools that had been leaked by Snowden. The hacked information ended up in the hands of the Russian government.
Ting-Edwards adds: “It seems really important that New Zealand as a small participant in the multilateral order is careful not to sign up to precedents that we would be unhappy with other governments using to serve their own ends in their own ways. “
Having signed the international statement doesn’t mean it will come to fruition, however. Privacy law expert Tania Goatley, a partner at Bell Gully, says there is no legal requirement for the government to execute such statements on behalf of New Zealanders.
“However, the general role of a government in any society is to ensure its citizens are protected and that parameters are put in place to ensure the safety of those citizens.” Executing the international statement therefore might be seen by government representatives as necessary to protect the more vulnerable members of New Zealand’s society.
Goatley says it indicates the signatories generally support encryption technologies, but that encryption that wholly precludes legal access to any content should be addressed, to enable access to illegal content in circumstances where access is authorised, necessary and proportionate, and subject to strong safeguards and oversight.
If the government introduced strong safeguards and oversight and supported encryption technologies as it stated, then there are some good policy arguments in favour of implementing the international statement, she said.
But Goatley says several concerns might arise around implementation. These include a definition of what constitutes illegal content, who will monitor enforcement agencies to ensure their access and use of information is only for enforcement and safety purposes, and whether there would be penalties for non-compliance or unjustifiable intrusions into personal privacy.
Another concern, she says, may be the extent to which it is permissible to erode individual privacy rights to protect the vulnerable. “This is particularly significant where organisations do not actually know what the relevant content is or might contain.”
Implementation of the type called for in the international statement also raises privacy risks from an organisational perspective, says Goatley. “These include mapping data flows and, in particular, understanding where data is collected, held, used and disclosed, understanding the legal obligations and access powers that may apply to organisations as a result, and ensuring customer data is properly protected and not illegally disclosed in that context.”
Not a first
If the statement becomes reality it wouldn’t be the first time a government has demanded access to end-to-end encryption. As discussed, Australia has passed legislation enabling lawmakers and enforcement to compel communications providers to provide certain assistance in accessing content.
The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 has been criticised for being inadequately debated, poorly drafted and draconian.
An amendment was passed in 2019 and the law was subsequently reviewed by an Independent National Security Legislation Monitor which has recommended extensive amendments. The Australian Parliamentary Joint Committee on Intelligence and Security (PJCIS) is undertaking a review.
In the United States, the FBI has unsuccessfully attempted to require Apple to provide tools for bypassing the security restrictions on iPhones belonging to suspects.
The question is whether any of this legislation is necessary.
Undermining encryption is not the only way to access data, says Betkier. Law enforcement agencies can access communications when necessary even without this back door. He cites the example of EncroChat, a secure telephone network in Europe favoured by criminal groups. French police hacked into the network, broke the encryption and cracked open millions of messages. It was big news for law enforcement.
Playing on emotions
The Privacy Foundation expressed its concerns about the emotional language used in the Five Eyes statement and the fact that it offered little in terms of a solution.
“Such discourse creates a false illusion that everyone who stands for privacy also supports individuals who use the internet for these sorts of illegal activities,” it says. “This is, of course, not the case and we agree that law enforcement agencies need to have tools and processes to protect individuals and vulnerable groups in society.”
Betkier says we need to discuss this more rationally as a nation. “What can law enforcement agencies do? Right now, it looks like they just want everything. If there is no easy way, they just keep reporting that emotional communication.”
Translation into law?
As Goatley points out, the government has not brought in specific anti-encryption legislation and has not indicated it intends to do so. “Rather, to date its focus appears to be engaging in constructive dialogue, which is likely to involve consultation with industry experts.”
This approach, she says, is generally preferable and would help avoid shortfalls in the equivalent Australian law.
The Australians are struggling with the law of unintended consequences. So too, the foundation noted, could New Zealand if it were to enact similar legislation.
The foundation noted: “It will reduce confidence in e-commerce, independent journalism, whistleblowing and many other sectors or scenarios where the confidentiality and integrity of information is essential. For example, it may be a direct threat to vulnerable communities (like LGBTQ) and to groups that oppose authoritarian regimes across the globe.”
Another unintended consequence might be whether New Zealand could continue to be considered an ‘adequate’ country under Europe’s General Data Protection Regulation (GDPR) privacy rules, says Goatley. This is soon to be reviewed by the European Commission.
Any weight the EU might place on a back door to end-to-end encryption remains uncertain, Goatley says.
How might it work?
The foundation says the statement does not present practical proposals for achieving its aims of maintaining public safety while protecting privacy and cybersecurity through encryption.
“Law enforcement agencies may have a number of alternative means of accessing digital content that does not require them to break encryption through exploiting vulnerabilities in an individual’s device or tracking their online activities to glean further information.”
Ting-Edwards says it would help if the Five Eyes governments could publish technical designs so relevant parties could scrutinise and discuss them.
“We can trust software systems only when the design is presented and people can independently look at them and test them and see what breaks to assure them the systems do what they say on the box and they don’t have any surprising impacts.”
Diana Clement is a freelance journalist. This article originally appeared in LawNews (ADLS) and is here with permission.