Government encryption-busting powers should be curbed, study says

ILAPP calls for additional safeguards


A new study funded by the University of Waikato and the New Zealand Law Foundation’s Information Law and Policy Project (ILAPP) has called for additional safeguards to curb the powers of government to order users and companies to decrypt encrypted data and devices.

According to principal investigator Dr Michael Dizon, the problem with these powers is that there are no express standards and guidelines with respect to how they are carried out, especially in relation to human rights.

“Forcing suspects to disclose their passwords may infringe their right against self-incrimination. Requiring a company to create backdoors or vulnerabilities in encryption to allow the police access to a suspect’s data may jeopardise the privacy and security of all its other clients,” he said.

“The law does not explicitly say what reasonable and necessary assistance means. There is a potential then for misinterpretation, misapplication and possible misuse of these powers.”

The researchers recommend that the right or privilege against self-incrimination should be more strongly recognised in computer searches, and that persons suspected or charged with a crime should not be forced to disclose their passwords.

“While providers have a responsibility to assist the police in search or surveillance operations if it is within their existing technical capabilities, such assistance should not involve any act that would undermine the information security of their products and services or compromise the privacy of their clients as a whole.”

The report is entitled A matter of security, privacy and trust: A study of the principles and values of encryption in New Zealand.

It concludes that maintaining and building trust should be a principal focus when developing or proposing laws and policies on encryption.

“A principles- and values-based approach can help provide guidance and direction to the development of encryption laws and policies in New Zealand,” the report says.

“It can serve as an overarching framework for assessing the validity, legitimacy or utility of existing or proposed laws, powers and measures concerning encryption. The key is to recognise and understand the fundamental principles and values of encryption that are at play and strive to resolve or reconcile conflicts by finding connections or correspondences between them, especially with regard to maintaining or building trust.”

The powers of government

Under the Search and Surveillance Act 2012, law enforcement officers have the power to search and seize encrypted data and computers. They can compel users and providers to give up passwords and encryption keys.

Companies can also be required to provide reasonable assistance to allow law enforcement officers to gain access to encrypted data, services and devices.

Under the Telecommunications (Interception Capability and Security) Act 2013, network operators and service providers have a duty to offer reasonable assistance to intercept and collect communications.

NZ Customs also has the power to demand passwords and order the decryption of smartphones and other electronic devices as part of customs and border searches.


Copyright © 2019 IDG Communications, Inc.

  