Why Canada Must Defend Encryption: Protecting the privacy of communications in Canada

Executive Summary

Apple has recently announced plans to scan customers’ mobile devices for pictures uploaded to its iCloud servers as well as texts shared through its messaging app for child sexual exploitation materials, raising significant questions and concerns regarding surveillance and reigniting the debate on encryption. Western law enforcement and intelligence agencies have long warned about their seeming inability to gain access to the content of individuals’ private electronic communications due to the widespread use and implementation of encryption technologies in consumer electronics, posing risks to public safety and national security.

In particular, these arguments are often linked to threats, including terrorism, domestic violent extremism and, more recently, child sexual exploitation. Police and intelligence agencies believe it will become increasingly difficult to curtail such crimes when unbreakable encryption continues to be widely implemented in everyday electronics. As a result, such agencies are increasingly making calls to tech companies to devise new ways that allow them access to private communications by weakening their encryption systems; and Australia and the UK have gone as far as passing legislation to compel company cooperation in this regard.

On the one hand, such calls by police and intelligence agencies in the West are growing; while, on the other hand, a wide range of public, private and civil society stakeholders — including researchers, experts and even senior government officials within the policing-intelligence apparatus — have staunchly opposed such proposals. Rather, they argue that additional legal powers aimed at circumventing encryption will produce wide-ranging consequences by leaving networks and the people that rely on them more vulnerable to cyberattacks while producing lasting harms including to human rights and civil liberties globally.

While Canada has occasionally voiced mild support for strong forms of encryption, there’s an indication that this public position is changing.1 In its most recent move, the federal government issued a joint statement in October 2020 with its with Five Eyes intelligence counterparts criticizing encryption systems and calling on technology companies to find ‘technically feasible solutions’ that ‘enable law enforcement to [access] content in a readable and usable format’. The joint statement identifies end-to-end encryption — popularly used by messaging apps like WhatsApp and Apple’s iMessage — as posing particular challenges to public safety and national security. 

In our analysis, legislative efforts to weaken encryption cannot be sufficiently targeted to achieve the desired policy outcomes without creating disproportionate and wide-ranging risks for Canadian society at large, including for human rights, civil liberties and national security. This conclusion is in line with the broad technical consensus that proposed government measures in this area are fundamentally unworkable in practice. 

This policy brief builds on the excellent research on encryption produced by experts in Canada and extends this knowledge by presenting an alternative policy framework to help guide Canada’s policy on encryption. It is developed based on the analysis of the current encryption-policing-security landscape, revealing that, law enforcement and intelligence agencies have the legal and technical capabilities to achieve their objectives without additional powers aimed at breaking encryption; and that tech companies, specifically social media, can be required to apply additional efforts to curtail illegal activities:

1. There is a plethora of non-encrypted data available to police and security agencies to lawfully gather and analyze for investigative and intelligence gathering purposes, including for example metadata and open source data (e.g., social media and other online data). Such approaches need to be guided by best practices, given their criticisms and broader worry surrounding their use.
2. At a higher level, the government can require social media companies to apply greater efforts in identifying and removing illegal materials on open platforms, disrupting the cross-flow of illegal activities between open platforms and encrypted platforms. 
3. Regulatory measures can require social media companies to introduce changes to software design, preventing or slowing the spread of illegal activity by creating friction, such as rules and restrictions on encrypted private messages between children and adults. 
4. Social media companies can be required to provide regular and transparent reports providing data detailing their response in curtailing illegal activities, including metrics on takedowns to help identify specific issues and formulate tailored responses to specific illegal activities. 

Such measures are less invasive and more secure than what Western governments, including Canada, are requesting, such as legally mandating that tech companies introduce methods intended for allowing state actors access to encrypted data — often referred to by the metaphor ‘backdoor’. There is a high degree of certainty that such methods will not only be exploited by lawful authorities, but by other malicious actors posing risks and implications for all users and wider society — fears shared by many over Apple’s recent decision.

This policy brief joins others, including cryptographers, academics, researchers, and privacy experts, in calling on the Government of Canada to preserve strong encryption by preventing legislation that systemically weakens it by requiring tech companies to intentionally introduce known vulnerabilities for government surveillance purposes. 

It analyzes Canadian and other Western policy responses raised by the perceived challenges of encryption; and is aimed at providing insight for Canadian policymakers on the options available as they review and update their policies on encryption. It also provides results of a national survey on Canadians’ views on encryption, conducted in May 2020, revealing a relative lack of public awareness on encryption. Thus, this brief also serves to raise awareness on the broad-ranging social, political and economic benefits of strong and robust encryption among ordinary Canadians. It will be equally beneficial for academics, researchers, advocates and legal professionals, to gain a better understanding on how their online communications, specifically on social media, may be impacted by policy changes.