Will Canada weaken encryption with backdoors?
Byron Holland: The ‘Five Eyes’ security alliance is pushing tech companies to build backdoors to encrypted sites, putting Canadian user data, privacy and security at risk
On Aug. 11, 2019, photo an iPhone displays a Facebook page in New Orleans. Facebook says it paid contractors to transcribe audio clips from users of its Messenger service. (AP/Jenny Kane)
Share
Byron Holland is the president and CEO of the Canadian Internet Registration Authority (CIRA), which manages the .CA domain on behalf of all Canadians.
Imagine you wake up one morning and discover that the federal government is requiring everyone to keep their back doors unlocked. First responders need access your house in an emergency, they say, and locked doors are a significant barrier to urgent care. For the good of the nation, public health concerns outweigh the risk to your privacy and security.
Sounds crazy, right? Unfortunately, a number of governments are considering a policy just like this for the internet, and there’s growing concern that the Canadian government could soon follow suit.
Every day millions of online transactions are protected by a technology called encryption. Encryption is a form of security just like the lock on your house. It prevents outsiders from snooping in on your information and content as it passes over the web. It secures everything from banking information to military communications to online dating apps. It also protects critical infrastructure like hydroelectric dams and the internet.
Right now, there is an ongoing debate over so-called “encryption backdoors,” special access points that governments can force or compel tech companies to build. Essentially, these are unlocked doors on the web that allow authorities to access encrypted communications without users’ consent.
In 1993, before consumer encryption technology was widely available, the Clinton administration announced the “Clipper Chip” a chip-based encryption technology that would secure voice and data communications. The National Security Agency offered tech companies looking to use military-grade encryption, in exchange for backdoor access to communications protected by the device.
Very quickly, security experts exposed Clipper Chip’s vulnerabilities and showed how attackers could exploit the backdoor to access encrypted communications. The technical flaw was an embarrassing blow to the project and it was dropped shortly thereafter.
Flash forward to Jul. 2019, and members of the “Five Eyes” security alliance (the U.S., U.K., New Zealand, Australia and Canada), are pushing tech companies to build backdoors into their products and services. The countries argue that backdoors are necessary for law enforcement to gain special access to encrypted data during investigations of, drug trafficking or organized crime, for example, where other investigative tactics might fall short.
However, if tech companies are forced to add back doors for law enforcement, it’s inevitable that bad actors will be right behind them. This would leave popular end-to-end encrypted communications apps such as WhatsApp, Signal, and Telegram vulnerable to exploitation. Backdoors could soon impact billions of users, as social media giant Facebook plans to expand encryption to its Facebook Messenger and Instagram messaging services, despite pushback from governments and overwhelming support from civil society.
This is significant, because right now every single unencrypted message is susceptible to privacy abuse, data breaches, malicious hacking or interception by powerful or malicious actors. Imagine what would happen if chat data you thought was secure was used by a criminal to access to your online banking? Or if your online dating messages were intercepted and used to threaten and extort yo? Beyond the content of your messages, backdoors can also be used to gain access to interfere with corporate and government communication systems and other infrastructure, which undermines public safety.
As we saw in the Clipper Chip case, there’s no good way to grant their wish: security experts agree it is impossible to give authorities back door access to encrypted communications without creating vulnerabilities for others to exploit. Unfortunately, the technology doesn’t let you have it both ways. Once you build a backdoor, the network automatically becomes less secure.
The Canadian Internet Registration Authority (CIRA), is responsible for running the .CA domain on behalf of Canadians. As an independent network operator, we understand the importance of strong encryption for Canada’s internet and digital economy. Here is what we see as some of the major issues introduced by backdoors.
First, strong encryption is essential to the secure operation of the .CA domain. It helps protect the sensitive, personal information of the owners of over 2.8-million .CA domain names. Encryption also enables a number of security protocols that prevent phishing attacks, domain hijacking, and other cyberattacks. In fact, our most recent data on cybersecurity shows that 71 per cent of Canadian organizations were victims of such attacks in the last year.
Strong encryption ensures that a key component of Canada’s internet, which are the servers that keep the .CA domain running, are protected against adversarial state-sponsored actors around the world.
Second, weakened encryption would have downstream effects for our primary user base: small- to medium-sized businesses across the country. These business owners rely on encrypted services to secure their online transactions. Without reasonable assurance that consumers’ financial information is protected from snooping eyes, they will lose trust in online commerce, and Canada’s digital economy will suffer.
At the heart of the encryption debate is the question of trust. It’s no secret that public confidence in the internet has taken a tumble. Nearly one-third of Canadians say they have been victim of a cyberattack according to our survey, and it seems that every day there is a new story about Canadians’ data being leaked. Right now, we need technologies that help build trust in, and strong encryption is one of the best tools we have for the job.
With the federal election just around the corner, we’re pleased to see that most of the major parties have chosen to make privacy and cybersecurity an election issue. Unfortunately, their platforms offer no window into their thinking on the future of encryption in Canada.
In 1998, Canada adopted its official “cryptography policy,” which rejected the backdoor approaches being pushed at that time. Since then the government has resisted new calls to weaken encryption, but pressure from allies is growing. Please think about where each party stands on cybersecurity and encryption, and what they plan to do to keep Canada’s users safe.