In the recent G7 outcome document “Combating the use of the Internet for Terrorism and Violent Extremist Purposes“, Ministers of the Interior made commitments on content filtering and “lawful access solutions” for encrypted content, which, if implemented, would greatly weaken the security of the Internet, G7 economies and their citizens.
While there is an urgent need to prevent terrorists and violent extremists from exploiting Internet platforms, facing down terrorist threats and cybercrime requires strong, secure communications. Not the opposite.
We find the commitments in the document cause for alarm.
Rather than encouraging Internet companies to weaken their security, global leaders should be discussing how to increase the use of encryption, make it easier to use, and harder to thwart.
Here’s why:
Encryption: What it is and why it is key to your security
As online threats of cybercrime, mass surveillance, data breaches have grown so has the use of encryption – to protect the confidentiality and the integrity of data that we all depend on.
Every responsible citizen wants to stop terrorism, and “lawful access” sounds like a reasonable way to access potentially crucial intel. The idea is that, under the appropriate legal authorization, legitimate law enforcement agencies would be able to intercept encrypted communications between terrorists and other malefactors.
The trouble with this thinking is that protected communications are themselves a matter of security. Protected communications, sent through secure systems with strong encryption, are part of making us safe. They help prevent tampering with critical services, such as electricity and transport, keeping the heat on in winter, the grocery shelves stocked, and your bank account safe.
If such communications could be subverted, it stands to reason that terrorists could also interfere with law enforcement communication, with civil authorities’ ability to communicate with each other, with banking transactions, and more.
It is not possible to maintain points of entry to encrypted messages in such a way that only legitimate law enforcement authorities can use them. Weaknesses in computer systems are discovered by attackers all the time. There is simply no way to prevent weaknesses from becoming known to those who want to attack society.
And, knowing that existing encryption services would no longer be secure, terrorists would simply find alternative encryption options, or devise their own – defeating the whole purpose.
By committing to ask Internet companies to “establish lawful access solutions” for encrypted content (whether at home or abroad), G7 Ministers of Interior are making a grave error that puts one of our most important digital security tools at risk.
To comply, companies might turn off end-to-end encryption, deactivate “encryption on by default” or take away users’ sole ability to decrypt their smartphones. Each of these features has vastly improved the security and privacy of citizens’ communications and data. Or, they may not feel compelled to upgrade their security or to invest in greater security for their customers.
All of which undercuts citizens’ security from terrorists and criminals.
Digital security depends not only on the strength of encryption but also the security of other systems used to provide those encrypted services. If companies provide the means to break into encrypted communications, no one, not even governments, can trust that no one is listening in or that the information has not been changed.
Any promises that encryption would not be affected by ‘lawful access’ simply cannot be kept. Technology that is weakened is just that. Weak.
Content Filtering: Fraught with Challenges and Risks
The G7’s commitments on filtering terrorist and extremist content present additional concerns.
Filtering is fraught with challenges and risks and, in any case, only a handful of online services would have the resources and capacity to build or license such technology. This is a benchmark that only the largest platforms would be able to meet. Further, filtering has different implications for different services at different layers of the Internet. There is always the risk of over-blocking, such as public interest content (e.g. news reports).
Today, no company has the ability to produce a filter that is always reliable. Some very large companies have filters that are very good, but all of them still miss some content that should be filtered and filter some content that should not be. To make a filter that would actually do what we want, we would need artificial intelligence so good that it was indistinguishable from the wisest and most careful humans in history. Humanity has not invented that artificial intelligence yet. For instance, the filters would need to be able to tell the difference between a piece of terrorist propaganda and a legitimate news report about that propaganda. Even before the Internet, there were often disagreements about what represented “legitimate” news reporting, with powerful authorities often attempting to classify embarrassing news stories as illegitimate. There is little reason to believe that using the Internet makes those controversies go away.
Furthermore, messaging services may feel compelled to remove end-to-end encryption from their services so they can proactively filter content, or they may even use this G7 outcome as an excuse to gain fuller access to their users’ data for advertising or other commercial purposes. They might even delay deploying stronger security solutions that might make content filtering more difficult or expensive. All of this impacts your security.
The G7 Leaders’ Summit is August 2019. We have until then to make a difference.
The Internet is often portrayed as a barrier to law enforcement and national security efforts to defend society against terror. But, the Internet provides a remarkably resilient and reliable communications infrastructure when other kinds of infrastructure fail. It is an essential tool for emergency response when disaster (whether human or natural) strikes. And, strong and secure communications make everyone safer by preventing more sophisticated attackers from preying on citizens and businesses whose main focus is not communications security.
The G7 Outcome Document misses an important opportunity to remind everyone why the Internet is one of our most important tools in combatting terror in the first place. The best disinfectant is sunlight, and the Internet provides the means to do that.
Instead of trying to defend society from the Internet, a technology that benefits all humanity, and to close off its potential in an attempt to stop terrorists, governments should use the Internet to build community strength and resilience, to empower citizens to protect their communications, and to promote solidarity. We should not let terrorists sway how we use the Internet.
Time is running out. The 45th G7 Leaders’ Summit is taking place 25-27 August in Biarritz, France. Please act now.