by Craig Ford

FiveEyes are giving themselves a backdoor into your systems

Oct 15, 2018

The Five Eyes is an alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States of America. The alliance was formed to share intelligence, especially signals intelligence, between the member countries via the UKUSA agreement. As its original name, BRUSA, suggests, the agreement began in 1946 as a UK-US arrangement. During the late 1940s and 1950s the dominions under UK rule started to exercise greater control over their own affairs and began to represent themselves in the intelligence-sharing pact: Canada in 1948, and Australia and New Zealand in 1956.

These countries are involved in other intelligence-sharing agreements via organisations such as NATO, but much more information is openly shared via the Five Eyes agreement than via any other. In a meeting at the end of August, the countries discussed a range of proposals to combat terrorism and crime, with an emphasis on the internet. They believe they should encourage technology providers to establish lawful access capabilities in their solutions to help intelligence and law enforcement organisations protect our countries. This access is mainly aimed at encrypted communication services such as WhatsApp, Wickr, iMessage and even Snapchat, just to mention a few.

The Five Eyes made a statement at the end of the event, and a slice of it reads: “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”

Soon after, Australia proposed new decryption laws that would allow just that: Australia’s Assistance and Access Bill 2018. The bill was introduced to parliament on 20th September 2018 and was referred to the Parliamentary Joint Committee on Intelligence and Security for inquiry and report. The Committee has commenced its review and is accepting submissions until 12 October 2018. For more information, please visit the Committee’s website. The Bill as introduced into Parliament and the Explanatory Memorandum can be viewed on the Australian Parliament House website.

Now, I understand why the government and the Five Eyes as a whole would want this type of law introduced. As a security professional who investigates incidents and knows many of the techniques forensic investigators use to gain access to suspects’ data and communications, either to prove or rebut claims against someone, I know that encryption can be a massive roadblock. Not being able to see communications between suspects or view stored content can greatly hinder investigations, and as technology continues to evolve this will become a growing problem for law enforcement. But is the type of backdoor access they want added to services, so they can view encrypted content on request, a good idea?

Let’s look at two big concerns I have with this initially:

  • Creating a backdoor in secure applications will undoubtedly provide unauthorised access to malicious actors – that is inevitable.
  • Who will honestly and ethically manage the access to ensure that it is handled correctly and that we as citizens are protected from unlawful abuse of powers? Who will restrict which organisations can even request access, and to what systems does the law allow this access?

So, let’s run through this: software companies will create the access required by law, and a couple of weeks or months later a malicious actor has gained access to the back door and stolen sensitive data, which it will sell to the highest bidder. This malicious actor could have several different targets, and this will just make their job simpler: why spend months trying to find a hole in an application or security system if someone is just going to hand you one that is far more efficient and likely simpler to get through? No matter how well these backdoors are protected, it will only be a matter of time before someone gains unauthorised access via this new golden ticket into previously secure systems (obviously they are secure if legislating backdoor access is the only way for law enforcement to get in).

I think this is the likely result of any backdoor being created in applications, whether or not it is a result of this law being passed; this is not the way to achieve the result they are after. I feel that they need to find a different solution that does not create a huge risk like leaving the back door open to our messaging apps or secure data storage.

So what if I am completely wrong and no one (not even North Korea or China) finds a way through the new wide-open back door? How can we as a society manage access to these powers without hindering law enforcement’s ability to get the data they need fast enough to keep us safe from growing threats, while also minimising the use of this type of access for purposes not so honourable?

Will the new laws, if passed (I think it is inevitable, but I will go with “if” anyway), make Australia an easy way for our partners in the Five Eyes to gain access to information that their own countries don’t currently allow access to? And will this type of law hinder future investment in new tech start-ups because of the concern consumers will have for their privacy? I feel some of our larger partners will certainly try to leverage or pressure their Australian counterparts to provide such access, which brings us back to the previous question: who will hold the proverbial keys to the kingdom (or back door, in this case)?

I honestly don’t have an answer for this and really don’t know how our government is going to approach it, but I truly hope they have considered every aspect and that protections are put in place to ensure that as little abuse of these powers as possible can occur.

I guess only time will show how this is going to play out, and if the proverbial kingdom burns down then we just bring the marshmallows and enjoy the show (while trying to resist the urge to say we told you so)…

I will now await the onslaught of comments saying that if we don’t have anything to hide then why do we have an issue with these laws, but this is my opinion and I want to be clear: this isn’t about privacy for me at all. It’s about the possible abuse of power and about opening up a huge security hole in previously reasonably secure systems, providing access to the people these laws are meant to protect us from.

So with that being said, tell me what you think and let’s start a constructive conversation about this…