Letting gardaí access our WhatsApps and chats to investigate crime could backfire

Forcing companies to create access pathways would insert vulnerabilities that could be exploited

Minister for Justice Jim O'Callaghan said the collective right to security can supersede the individual right to privacy. But that may be missing the point. Photograph: Conor Ó Mearáin/Collins Photo Agency

Minister for Justice Jim O’Callaghan announced plans in a speech recently to introduce a Bill that would require end-to-end encrypted messaging services, such as WhatsApp and Signal, to give gardaí access to private texts and chats.

End-to-end encryption is a process of scrambling data that prevents any third party, including the service provider, from reading messages sent between a sender and a recipient. Users are increasingly demanding end-to-end encryption, using it to control the privacy and confidentiality of the information that they share. Journalists use encryption to protect their sources, patients use it to communicate with their doctors, and policymakers use it to protect classified government information from attackers.

The Irish Council for Civil Liberties (ICCL) recognises that Ireland’s interception laws are outdated and that end-to-end encryption presents a challenge for An Garda Síochána. We understand that the guards will ask for tools that would make their work easier.

We also understand that it is the Government’s job to take law enforcement’s request and weigh it against the possible associated risks. This means striking a balance between: the protection of people’s fundamental rights, including privacy and data protection; preventing the creation of vulnerabilities that threaten national security; and the gardaí having effective tools to investigate crime and vindicate the rights of victims.

But any moves at a national or European level to force companies to either break end-to-end encryption or put scanning technology directly on everyone’s devices – so that police can access messages before they are encrypted – would profoundly undermine the security of all service users and create systemic vulnerabilities that will be exploited. It’s also unlikely that companies will agree to provide such access.

In his speech, Mr O’Callaghan said: “We need to recall that the countervailing balance to the right to the individual right to privacy is frequently the collective right to security. Collective rights need to be acknowledged and on occasion should supersede individual rights.”

Indeed. The issue at stake here is not a simple trade-off between individual freedoms, such as privacy and expression, and State security. Rather, it is about ensuring the collective security of all users of a platform, balanced proportionately against the legitimate interests of the State. On that basis, these proposals cannot be considered proportionate to the aims they claim to pursue.

This debate is not unique to Ireland. Other jurisdictions such as the UK have put encryption squarely in their crosshairs and are now facing the diplomatic consequences as their allies pressure them to change course. Meanwhile, the debate rages on within the European Union, with security authorities in Sweden and the Netherlands stressing that circumventing encryption creates too great of a national security risk, arguing that hostile nations would exploit new technologies to attack European users.

In today’s digital world, where encryption is the foundation of digital trust, it is not just an essential tool that we use to safeguard our private texts, emails, voice calls and social media. It also protects and secures the processing of our data when it comes to sensitive activities such as personal banking, online shopping, accessing health data and carrying out our employment. In essence, it is essential for our collective cybersecurity.

Forcing companies to create access pathways within the technical standards upon which encryption relies would put all online activities at risk, as those pathways amount to security vulnerabilities that could be exploited by others.

There’s a fanciful belief, among some lawmakers, that we can undermine encrypted communications in a secure way: open a little door for just the “good” guys to scurry in, take a peek at what one person is communicating to another, and scurry back out again, without undermining the security of the service for all users.

But cybersecurity experts, technologists and computer scientists across the world have been clear: forcing companies to build backdoor access only for law enforcement is deeply misguided. There is a wide scientific consensus that it is technically impossible to give law enforcement exceptional access to communications that are end-to-end encrypted without creating vulnerabilities that malicious actors and repressive governments could exploit, as demonstrated in the recent Salt Typhoon cyberattack.

As the European Court of Human Rights held last year, weakening encryption by creating backdoors would make it “technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications. Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users’ electronic communications”.

Even Europol and the European Union Agency for Cybersecurity agree. They previously conceded that mandatory backdoors or weakening encryption would “increase the attack surface for malicious abuse, which, consequently, would have much wider implications for society”. They also questioned the efficacy of such measures: “Moreover, criminals can easily circumvent such weakened mechanisms and make use of the existing knowledge on cryptography to develop (or buy) their own solutions without backdoors”.

As Ireland’s own former special adviser on cybersecurity to Europol, Brian Honan, has previously stated: we either have strong encryption to secure our systems that criminals will abuse, or weak encryption to secure our systems that criminals will abuse.

There are also serious questions of practicality. In jurisdictions where proposals similar to the Minister’s have been introduced, providers of encrypted messaging services have threatened to leave – and, as mentioned, in the UK, the government may back down.

Signal has threatened to leave the UK, France and Sweden. WhatsApp has made similar warnings in the UK.

Earlier this year, the UK government ordered Apple to build a “backdoor” in its encrypted cloud service. In response, Apple disabled its specific advanced data protection (ADP) service instead of complying with the order and is now challenging the order at the UK’s investigatory powers tribunal. WhatsApp has said it will join Apple’s challenge. Last month, reports suggested the UK government may be preparing to back down from its demand.

Rather than undermining encryption and, with it, the trust and safety of millions of users, there should be investment in lawful, targeted, proportionate, effective and technically feasible approaches to digital investigation.

We urge the Minister to engage in transparent consultation with cybersecurity experts, civil society and technologists before proposing any legislation that could irreversibly damage digital privacy and cybersecurity.

Olga Cronin is surveillance and human rights senior policy officer for the Irish Council for Civil Liberties