Encryption, crime-fighting, and the balancing act between community safety and individual privacy
Operation Ironside last week resulted in more than 800 suspected underworld criminals arrested after being tricked into using an encrypted messaging app in which police were able to monitor chats about serious crime, including murder.
The operation was run in conjunction with the Australian Federal Police, targeting global serious and organised crime. Drugs, weapons, luxury vehicles and cash were seized across more than a dozen countries in what’s been called a watershed moment for international policing. It’s again highlighted issues relating to encrypted communications within criminal networks.
This operation involved the distribution among criminal networks of a secure encrypted communication system known as An0m that was in reality controlled by law-enforcement agencies. However, while ultimately enormously successful in disrupting criminal networks, the use of An0m very likely accounted for only a small percentage of criminal communication in Australia – the AFP estimated this at around 5%.
Like much of the world, many of the conversations between Australians are conducted via text messaging. And increasingly, these messages are sent and received in encrypted form.
Well-known messaging apps such as WhatsApp, iMessage and Signal employ end-to-end encryption technology. This means that the digital material making up the messages, including text, images, audio and video are all encrypted on the sending device before they’re transmitted, and are only able to be decrypted by the final receiving device.
Under this model, it’s not feasible, at least with current computer technology, for an eavesdropper (or law enforcement agency) to decrypt any messages they intercept.
This enables completely private information exchange. For many reasons, this facility of modern life is highly desirable. It provides comfort that our interactions aren’t being spied upon, and allows us to securely exchange sensitive information. Indeed, beyond text messaging, end-to-end data encryption is crucial for the safety of many of the online transactions we now take for granted.
So, tools for pervasive encrypted communication, once thought of as the purview of security agencies and secretive intelligence operatives, sit in all our hands today. But as recent events highlight, there’s a darker consequence of this technology. Along with hiding our innocuous conversations with friends, our work discussion groups, not to mention the voices of freedom under oppression, end-to-end encryption does just as good a job at hiding criminal activity of the worst kind.
Although law-breaking is increasingly technology-driven, criminal networks do not need to be particularly sophisticated to obscure their communications with these widely available secure messaging apps.
This has resulted in the always-present tension between the privacy of individuals, and the safety of communities, being writ large. Coupled with the anonymisation of online activity afforded by the dark web, these technologies have placed enormous barriers in the way of policing and disrupting serious crime. After all, surveillance by law enforcement authorities under warrant is only fruitful if the data gathered is able to be read and understood.
The scale of online child sexual abuse
As one particularly damaging example of crime facilitated by the internet, and increasingly by encrypted communication, the distribution of child sexual abuse material has reached a horrendous scale.
Last year, the US-based National Center for Missing and Exploited Children received more than 21 million reports of it from electronic service providers, 94% of which were from Facebook. At the same time, in order to meet oft-stated commitments to user privacy, Facebook is racing to implement end-to-end encryption across its platform. But the company has since acknowledged that this change will make uncovering such material much more difficult.
Although the Facebook-owned WhatsApp has increased its reporting of child sexual abuse material through sophisticated analysis of metadata, it’s clear that the absence of an ability to analyse the content of images themselves hampers the technological countering of this crime. Similarly, terrorism, drug trafficking and illegal weapons trading are all beneficiaries of the capacity to effectively obscure communication.
Here lies the challenge.
As more and more of our communications are hardened by encryption, the debate will continue as to where the line between privacy and safety sits.
There’s a widespread expectation that users in many parts of the world want to engage in privacy-preserving communication, and hence there’s a high value in marketing such systems to gain competitive advantage.
How, then, do we best respond to the need for disruption of criminal activity and preservation of safety in communities in such an environment?
Legislative responses to the rise of end-to-end encryption and the challenges it poses to law enforcement agencies, so far, vary.
In Australia, perhaps the most powerful feature of controversial laws passed in 2018 is the capacity to issue enforceable “technical capability notices”.
These notices could require service providers to take actions to ensure the provider is able to help to enable laws to be enforced or national security safeguarded. These notices are so named as they may require providers to employ new technical capabilities beyond those they already implement.
Importantly, these notices are prohibited from requiring that providers implement “back doors” or other “systemic weaknesses” such as “building a decryption capability” or “requiring that providers make their encrypted systems less effective”. A range of other notices can be issued to providers to require them to provide assistance using their existing technologies via what’s known as an industry assistance framework.
As more and more of our communications are hardened by encryption, the debate will continue as to where the line between privacy and safety sits.
Governments will likely be grappling with this issue for some time, given simultaneous commitments to security of personal data and safety of their population.
Indeed, the Council of the European Union adopted a resolution in December entitled “Security through encryption and security despite encryption”, calling for a new regulatory framework and investigation of “technical solutions”. Also last year, an international statement calling for similar action was released by the US Department of Justice.
More widely, the topic of end-to-end encryption, including technical and legal responses, continues to be the subject of much dialogue between the tech industry, government, academia, and law enforcement.
Ultimately, the whole community must be genuinely involved in this debate so that a balanced position that is both workable and broadly acceptable is achieved.