International Encryption Laws Are Weak and Subject to Erosion

Everyone agrees privacy rights are essential, but figuring out exactly where to draw the line between total privacy and granting government agencies access to private communications is more problematic. The two sides don’t see eye to eye, despite appearing to agree about the importance of privacy.

Governments claim that they need to bypass encryption protections for the sake of national security. Privacy advocates fear that, however justifiable the need for security is, setting a precedent of sidestepping encryption creates an opening that can be abused by the government as well as opportunistic hackers.

Existing encryption laws are weak or poorly defined, and even citizens who live in countries that currently enjoy robust privacy protections can’t necessarily depend on the laws staying intact. Laws are always in flux and can be weakened anytime.

Indeed, there are signs that legal protections associated with end-to-end encrypted messaging are being undermined in Europe right now.

EU Draft Council Encryption Resolution

In November of last year, the EU Draft Council Resolution on Encryption pushed for laws that would give the government increased access to encrypted messages without really saying how. Its authors don’t claim to be fighting end-to-end encryption, but critics warn that’s precisely what they’re doing.

While the text is just a draft policy paper, privacy advocates have cause to worry. Text from the resolution does anything but assuage people’s fears:

“Encryption is a necessary means of protecting fundamental rights and the digital security of governments, industry and society. At the same time, the European Union needs to ensure the ability of competent authorities in the area of security and criminal justice, e.g. law enforcement and judicial authorities to exercise their lawful powers, both online and offline.”

The resolution fails to address in any concrete terms the legal criteria or burden of proof governments would need to demonstrate before they could access encrypted communications. Perhaps even more problematically, the resolution contains no technical explanation for how the government could have a back door into encrypted communications without leaving a gaping security vulnerability that nefarious parties could exploit.

In the above quote, “competent authorities” refers to law enforcement agencies with competence in their field, not in technical matters involving encryption, which are well beyond a government official’s domain knowledge.

A well-intended law enforcement agent with a justifiable need to access encrypted communications may accidentally create the conditions for flagrant privacy infringements by opportunistic hackers or other nefarious parties.

In other words, even if the government’s security concerns are taken at face value, their proposals don’t address what privacy critics fear most.

Is a Better Balance Possible?

The Council of Ministers has laid out what seems like a reasonable balance between privacy and security. Here’s an excerpt: “technical solutions for gaining access to encrypted data must comply with the principles of legality, transparency, necessity, and proportionality.”

However, the willingness to strike this balance doesn’t mean anything if they lack the technical expertise to uphold these principles. For example, how can they demonstrate to encryption experts that the openings governments will use won’t be exploited by hackers?

It’s difficult to have a broad, non-technical discussion of such a complicated and wide-ranging topic, but that’s just the problem: the devil is in the details, and the details have been unaddressed. It’s reasonable to suspect these principles won’t be adhered to, either on purpose or by accident, especially given how many high-profile breaches there have already been.

Real Encryption Doesn’t Deal in Half-Measures

Attaching the word “encryption” to a device doesn’t make it fully secure. Unless every potential vulnerability is accounted for, the device can be penetrated.

The market’s leading encrypted mobile security provider ensures their tools are hermetically sealed against any possible intrusion. Having this level of protection means your communications will remain private, no matter how legislation may change.

Undermining everybody’s secure encryption so law enforcement agencies can sidestep encryption the few times it’s necessary leaves everyone susceptible to malicious hackers.

Given how data is collected by governments worldwide, people are wise to take the security of their communications into their own hands. Governments pay lip service to the absolute right to privacy, but every statement they make about upholding this right has a “but” in it that undermines their seriousness.

If governments only respect a partial right to encryption, the encryption may as well not exist.

Is Australia a Harbinger of What’s to Come?

The Australian government has already passed the Assistance and Access Bill 2018, which grants law enforcement bodies the right to seize user information, and even to access communications protected by end-to-end encryption. Companies will need to grant police access to a back door because not even the companies can see the communications themselves.

The law could still be amended, and privacy rights advocates are watching to see how companies will respond to the legislation once agencies begin to use this power. Will international companies claim they aren’t subject to Australian law? If they’re forced to comply, will they pack up and leave the country?

This climate of uncertainty is enough to undermine the stable operating conditions businesses require, and there are signs that the damage has already begun. The tech giant Atlassian claims it’s presenting concerns, shared by smaller companies without its resources, that these laws effectively create embedded weaknesses in their products.

Think about it from the customer’s perspective: why would you commission a tech company from Australia subject to weak encryption laws when you could simply choose a tech company from a different country where no such laws exist?

Damage has already been done. For example, the UK’s biggest ever cyber attack was made possible by a Windows exploit located by America’s NSA. In other words, if the government gets even one toe in the door, the door will always be open.

Governments around the world pledge to respect privacy, and they may very well intend to. But as case after case shows, their duty to safeguard the population often outweighs upholding privacy rights. If this doesn’t lead to outright spying, it may inadvertently give hackers the opening they need. Using a communication device that can’t be cracked is the only way to guarantee your privacy in a world where even the strongest legal protections are weak and subject to further erosion. Please see our customer support & resources for technical answers about how the best encryption works.