Science

Privacy watchdogs urge caution with encryption laws

Privacy watchdogs from across Canada warn the government to "proceed cautiously" before passing encryption legislation — a move that would have the potential to undermine the security of everything from financial transactions to online communication.

Experts have long warned that efforts to weaken or defeat encryption for police put all users at risk

Law enforcement agencies have been lobbying for a solution to what they see as a growing investigative problem: the inability to access encrypted information. (Getty Images)

Privacy watchdogs from across Canada warned the government on Tuesday to "proceed cautiously" before passing encryption legislation — a move that would have the potential to undermine the security of everything from financial transactions to online communication.

The warning comes at a time when government and law enforcement agencies have been seeking the ability to access encrypted information, the lack of which they see as a growing investigative problem.

However, both privacy and cryptography experts have long warned that efforts to weaken or defeat encryption for police puts the security of all users at risk.

The government is currently soliciting feedback and holding public consultations on this and other national security issues, as part of its pledge to to repeal the "problematic elements" of Bill C-51.

In a submission to Public Safety Canada, Canada's Privacy Commissioner Daniel Therrien and his colleagues warned against introducing any legislation aimed squarely at encryption, as well as other proposed powers that police do not currently have.

"The government should only propose and Parliament should only approve new state powers if they are demonstrated to be necessary and proportionate — not merely convenient," Therrien said in a prepared statement to reporters Tuesday morning in Ottawa. The statement was also posted to the commissioner's website.

Existing tools should be examined

A recurring theme of the group's submission is that police have not provided adequate evidence for why they should require additional powers — such as expanded data retention requirements, or lower thresholds for acquiring basic subscriber information — nor explained why existing tools are insufficient.

Therrien, along with the country's other provincial and territorial commissioners, are advocating for a closer examination of existing tools, and recommending that some rules should even be tightened.

"This is not the time to further expand state powers and reduce individual rights," Therrien said in his statement.

"This is the time to enhance both legal standards and oversight to ensure we do not repeat past mistakes and achieve real balance between security and respect for basic individual rights."

Legal measures sought

One particularly divisive issue is the matter of encryption — cryptographic protections that prevent attackers and police alike from eavesdropping on messages as they travel across the internet, or from accessing files on a password-protected device.

"There is currently no legal procedure designed to require a person or an organization to decrypt their material," according to Public Safety Canada's "National Security Green Paper," which was released in September to "prompt discussion and debate about Canada's national security framework."

Both law enforcement and government agencies have increasingly characterized encryption as an impediment to investigations, a problem they refer to as "going dark." Canada's police chiefs, for example, recently called on the government to introduce legal measures that deal with encryption, and the US Senate introduced a draft bill addressing encryption earlier this year.

Yet Therrien argues that powers that came into force with Bill C-31 last year already allow police to seek "assistance" in decrypting information, without compromising the underlying technology behind encryption.

"The crux of the problem springs from the fact there is no known way to give systemic access to government without simultaneously creating an important risk to the security of this data for the population at large," the submission reads. "Laws should not ignore this technological fact."

The country's privacy watchdogs suggest "technical solutions which might support discrete, lawfully authorized access to specific encrypted devices, as opposed to imposing general legislative requirements." 

Push for transparency

Encryption isn't the only issue dealt with in the Privacy watchdogs' submission.

Metadata is a perennial concern, and the submissions suggests more stringent legislation under which metadata can be collected and shared with police, as well as international partner agencies.

The commissioners also call on the government to strengthen requirements that private companies and government agencies "be open about the number, frequency and type of lawful access requests they respond to," in regularly issued transparency reports.

They also propose an expanded oversight committee that includes independent expert reviewers, and would oversee all agencies that have a role in national security, calling the government's current proposal "insufficient."

ABOUT THE AUTHOR

Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News, where he covers stories about how data is collected, used, and shared. You can contact him via email at [email protected]. For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.