30 August 2018

Five Eyes Encryption Statement

The Five Eyes meeting noted in the preceding post has resulted in a 'Statement of Principles on Access to Evidence and Encryption', of interest given the Australia Government's Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Cth) noted here.

The Statement reads
  Preamble 
The Governments of the United States, the United Kingdom, Canada, Australia and New Zealand are committed to personal rights and privacy, and support the role of encryption in protecting those rights. Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information.
However, the increasing use and sophistication of certain encryption designs present challenges for nations in combatting serious crimes and threats to national and global security. Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution.
Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute. It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards. The same principles have long permitted government authorities to search homes, vehicles, and personal effects with valid legal authority.
The increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is a pressing international concern that requires urgent, sustained attention and informed discussion on the complexity of the issues and interests at stake. Otherwise, court decisions about legitimate access to data are increasingly rendered meaningless, threatening to undermine the systems of justice established in our democratic nations.
Each of the Five Eyes jurisdictions will consider how best to implement the principles of this statement, including with the voluntary cooperation of industry partners. Any response, be it legislative or otherwise, will adhere to requirements for proper authorization and oversight, and to the traditional requirements that access to information is underpinned by warrant or other legal process. We recognize that, in giving effect to these principles, governments may have need to engage with a range of stakeholders, consistent with their domestic environment and legal frameworks. 
Principles 
The Attorneys General and Interior Ministers of the United States, the United Kingdom, Canada, Australia and New Zealand affirm the following principles in relation to encryption. 
1. Mutual Responsibility 
Diminished access to the content of lawfully obtained data is not just an issue for Governments alone, but a mutual responsibility for all stakeholders.
Providers of information and communications technology and services - carriers, device manufacturers or over-the-top service providers -– are subject to the law, which can include requirements to assist authorities to lawfully access data, including the content of communications. Safe and secure communities benefit citizens and the companies that operate within them.
We are always willing to work with technology providers in order to meet our public safety responsibilities and ensure the ability of citizens to protect their sensitive data. Law enforcement agencies in our countries need technology providers to assist with the execution of lawful orders. Currently there are some challenges arising from the increasing use and sophistication of encryption technology in relation to which further assistance is needed.
Governments should recognize that the nature of encryption is such that that there will be situations where access to information is not possible, although such situations should be rare. 
2. Rule of law and due process are paramount 
All governments should ensure that assistance requested from providers is underpinned by the rule of law and due process protections. The principle that access by authorities to the information of private citizens occurs only pursuant to the rule of law and due process is fundamental to maintaining the values of our democratic society in all circumstances – whether in their homes, personal effects, devices, or communications. Access to information, subject to this principle, is critical to the ability of governments to protect our citizens by investigating threats and prosecuting crimes. This lawful access should always be subject to oversight by independent authorities and/or subject to judicial review. 
3. Freedom of choice for lawful access solutions 
The Governments of the Five Eyes encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services that they create or operate in our countries. Governments should not favor a particular technology; instead, providers may create customized solutions, tailored to their individual system architectures that are capable of meeting lawful access requirements. Such solutions can be a constructive approach to current challenges.
Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.
The Five Eyes also released a 'Five Country Ministerial Statement on Countering the Illicit Use of Online Spaces' -
 We, the Homeland Security, Public Safety, and Immigration Ministers of Australia, Canada, New Zealand, the United Kingdom, and the United States, stand united in our commitment to protect our citizens from child predators, terrorists, violent extremists and other illicit actors. We are as determined to counter these threats online as we are to counter them in the physical world. We note with disappointment that senior digital industry leaders did not accept our invitation to engage on critical issues regarding the illicit use of online spaces at the 2018 Five Country Ministerial meeting. Nevertheless, we reiterate our determination to work together constructively to ensure our response is commensurate to the gravity of the threat. Our citizens expect online spaces to be safe, and are gravely concerned about illegal and illicit online content, particularly the online sexual exploitation of children. We stand united in affirming that the rule of law can and must prevail online. 
We are committed to an open, safe and secure internet; one that provides global connectivity, better access to services, and new ways to conduct business and share news and information. But we recognise that the anonymous, instantaneous and networked nature of the online environment has magnified the threats we face, and has opened up new vectors for harm. We are determined to ensure that the technologies that have been developed to enhance prosperity and freedom are not exploited by those who seek to promote terrorism and violent extremism; prey upon and exploit our children; or spread disinformation and discord to undermine our democratic institutions. 
The evolution of digital technology has created new opportunities for widespread transmission of child exploitation material, and for perpetrating the most abhorrent kinds of child sexual exploitation, such as live-streaming of abuse. And it is not only in the recesses of the dark web that such material is accessible. Much is hosted on the most common top‑level domains. Moreover, the growing sophistication of mobile technology has enabled offenders to target children, including through apps that can be used to recruit and coerce children to engage in sexual activity. The low financial cost, and the anonymised nature of this criminal enterprise, is contributing to a growth in the sexual exploitation of children. We must escalate government and industry efforts to stop this. 
We also affirm the need to build upon efforts to counter the use of the internet by terrorists and violent extremists who continue to exploit online spaces to share materials designed to radicalise and mobilise individuals to violence. These materials are used for recruitment, facilitation, training and financing purposes, often with devastating consequences. Governments and industry have made some progress in tackling this issue. However, the task is far from complete. Terrorists and violent extremists remain able to disseminate propaganda promoting violence, and to use online platforms to radicalise and recruit. And, despite concerted efforts, a great deal of terrorist and violent extremist content remains accessible online to anyone inclined to seek it out. We therefore call upon industry to go further in proactively and innovatively addressing the illicit use of their platforms and applications at pace. In this context we welcome and support the Global Internet Forum to Counter Terrorism (GIFCT). But we urge industry leaders to champion more rapid responses, both under the auspices of the GIFCT and beyond. Digital industry must take responsibility to reduce the availability of online terrorist and violent extremist content across all platforms and applications, and to do so comprehensively. Recognizing the G7 Interior Ministers' statement on terrorism and violent extremism, we echo and amplify their call to action, and we affirm that efforts must extend to all types of illegal and illicit online content. 
We are also increasingly seeing the use of online spaces to spread disinformation, sow division, and undermine our democratic institutions. The proliferation of interference activities and disinformation undermines the trust of citizens in online communications and information, delegitimizing the benefits and opportunities that communications and social media platforms create. We call upon industry to meet public expectations regarding online safety by:
  • Developing and implementing capabilities to prevent illegal and illicit content from ever being uploaded, and to execute urgent and immediate takedown where there is a failure to prevent upload. 
  • Deploying human and automated capabilities to seek out and remove legacy content. 
  • Acting on previous commitments to invest in automated capabilities and techniques (including photo DNA tools) to detect, remove and prevent re‑upload of illegal and illicit content, as well as content that violates a company's terms of service. 
  • Prioritising the protection of the user by building user safety into the design of all online platforms and services, including new technologies before they are deployed. 
  • Building upon successful hash sharing efforts to further assist in proactive removal of illicit content. 
  • Setting ambitious industry standards, and increasing assistance to smaller companies in developing and deploying illicit content counter-measures. 
  • Building and enhancing capabilities to counter foreign interference and disinformation. 
  • Preventing live streaming of child sexual abuse on all platforms.
We recognise that governments also have a major role to play in addressing the spread of illicit content online. We commit to build the capacity of non-'five eyes' countries to protect and defend the most vulnerable. We undertake to enhance information flows from government to industry, and work towards overcoming barriers to cross-sectoral collaboration. We agree to ensure our enforcement capabilities, including technical data such as hashes, can be shared with industry to support the development of scalable, Artificial Intelligence-driven solutions. Through the same innovation and cross-sectoral collaboration that has underpinned so many technological advances, the challenge of countering illicit online content is not insurmountable. 
To focus our collective efforts, we agree to establish a senior officials group charged with monitoring industry progress on the above actions on a quarterly basis and reporting back to us. We welcome digital industry Chief Executive Officers to future meetings of the Five Country Ministerial to update us on their efforts directly.