Categories
Building Trust Encryption

G7 Leaders: Protect Strong Encryption for a Secure World

Encryption protects us every day. It helps secure web browsing, online banking, and critical public services like electricity, elections, hospitals, transportation, and more.

If the G7 countries are truly committed to building a safer and more equal world, then it is crucial to recognize the important role that end-to-end encryption plays in securing the Internet, their economies and their citizens.

The Internet Society and more than 30 organizations have signed an open letter calling on the G7 leaders to do just that – prioritize digital security – and not to require, coerce, or persuade device manufacturers, application providers, and service providers to:

  • modify their products or services or delay patching a bug or security vulnerability to provide exceptional access to encrypted content;
  • turn off “encryption-on-by-default”;
  • cease offering end-to-end encrypted services; or
  • otherwise undermine the security of encrypted services.

Digital security is the foundation of our connected economies and societies. And digital security is underpinned by strong encryption! It ensures that data – whether that of law enforcement, banks, or everyday citizens – can only be accessed by its intended recipient. Any attempt to insert “exceptional” or “lawful” access to encrypted content provides a way for others, including criminals, to gain access. This weakens online communications and the security of us all.

We all can make a difference to promote a secure Internet!

If your organization is also committed to building a safer world, then join us in supporting this call! Send us a message at g7letter@isoc.org.


WhatsApp: How a Bug Relates to the G7

On 13 May, more than a billion users saw the messaging application WhatsApp being updated. At the same time, reports appeared that a vulnerability had been used in attacks that targeted an unknown but select number of users and were orchestrated by an advanced cyber actor.

Facebook, the owner of WhatsApp, reported it fixed a vulnerability – a buffer overflow, a fairly well-known type of vulnerability – that was, according to media (see references below), used in the spyware product Pegasus from the NSO Group, an Israeli company that sells spyware to governments and intelligence agencies all around the world.

Two observations:

  • Despite best efforts, bugs in software exist – if critical bugs in global communication systems are found they can have a global impact. There are two additional observations that come with that:
    • WhatsApp is a valuable target; if bugs exist they will be found and exploited.
    • Processes that allow bugs to be reported and promptly fixed, and the fixes to be rolled out automatically, are crucial elements to maintain (or restore) trust in this sort of software. There are sectors of the industry (anybody listening in IoT land?) that can learn from how this is handled by Facebook.
  • The use of spyware like this cannot be contained. A Financial Times article suggests that clearly: the NSO software has been used against lawyers engaged in a lawsuit against the NSO Group and against various civil rights groups.

Using software bugs to get access to the encrypted devices and communication of users is also one of the approaches that arises in the context of lawful access by law enforcement. However, hoarding vulnerabilities puts us all at risk. When bugs like this are found they can either be reported to fix the software, used to create an exploit, or sold. Knowledge of an exploitable bug can be sold to multiple parties. Whilst arguably speculative, one cannot be certain that the NSO Group was the only entity with knowledge of the vulnerability.

This example clearly makes the case that exploits of unintentional bugs are undermining the security of over a billion WhatsApp users, and that they pose a risk to national security and personal safety. One can only imagine what the effect of the introduction of intentional vulnerabilities could be, which is what recent lawful access methodologies proposed so far are doing.

As the Digital Ministers of the G7 countries prepare to meet tomorrow, this serves as a real-world example of one of the reasons why the Internet Society calls for strong and secure communication, and takes exception to lawful access methodologies that weaken security, not only of the encryption technology itself but also of the devices and applications that offer it.

It is a critical time to stand for strong and secure communications. If you are on social media, use the #G7 hashtag and join us by asking world leaders to support strong and secure encryption for all.

References

There are two Financial Times articles that did early reporting on this: https://www.ft.com/content/7f2f39b2-733e-11e9-bf5c-6eeb837566c5 and https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab (paywalled) and various other outlets picked up the news too.

Encryption is under threat around the world. It’s up to each of us to take action.


Leaders of the G7: A Safer World Means Strong, Secure Communication

In the recent G7 outcome document “Combating the use of the Internet for Terrorism and Violent Extremist Purposes”, Ministers of the Interior made commitments on content filtering and “lawful access solutions” for encrypted content, which, if implemented, would greatly weaken the security of the Internet, G7 economies and their citizens.

While there is an urgent need to prevent terrorists and violent extremists from exploiting Internet platforms, facing down terrorist threats and cybercrime requires strong, secure communications. Not the opposite.

We find the commitments in the document cause for alarm.

Rather than encouraging Internet companies to weaken their security, global leaders should be discussing how to increase the use of encryption, make it easier to use, and harder to thwart.

Here’s why:

Encryption: What it is and why it is key to your security

As online threats of cybercrime, mass surveillance, and data breaches have grown, so has the use of encryption – to protect the confidentiality and the integrity of data that we all depend on.

Every responsible citizen wants to stop terrorism, and “lawful access” sounds like a reasonable way to access potentially crucial intel. The idea is that, under the appropriate legal authorization, legitimate law enforcement agencies would be able to intercept encrypted communications between terrorists and other malefactors.

The trouble with this thinking is that protected communications are themselves a matter of security. Protected communications, sent through secure systems with strong encryption, are part of making us safe. They help prevent tampering with critical services, such as electricity and transport, keeping the heat on in winter, the grocery shelves stocked, and your bank account safe.

If such communications could be subverted, it stands to reason that terrorists could also interfere with law enforcement communication, with civil authorities’ ability to communicate with each other, with banking transactions, and more.

It is not possible to maintain points of entry to encrypted messages in such a way that only legitimate law enforcement authorities can use them. Weaknesses in computer systems are discovered by attackers all the time. There is simply no way to prevent weaknesses from becoming known to those who want to attack society.

And, knowing that existing encryption services would no longer be secure, terrorists would simply find alternative encryption options, or devise their own – defeating the whole purpose.

By committing to ask Internet companies to “establish lawful access solutions” for encrypted content (whether at home or abroad), G7 Ministers of Interior are making a grave error that puts one of our most important digital security tools at risk.

To comply, companies might turn off end-to-end encryption, deactivate “encryption on by default” or take away users’ sole ability to decrypt their smartphones. Each of these features has vastly improved the security and privacy of citizens’ communications and data. Or, they may not feel compelled to upgrade their security or to invest in greater security for their customers.

All of which undercuts citizens’ security from terrorists and criminals.

Digital security depends not only on the strength of encryption but also the security of other systems used to provide those encrypted services. If companies provide the means to break into encrypted communications, no one, not even governments, can trust that no one is listening in or that the information has not been changed.

Any promises that encryption would not be affected by ‘lawful access’ simply cannot be kept. Technology that is weakened is just that. Weak.

Content Filtering: Fraught with Challenges and Risks

The G7’s commitments on filtering terrorist and extremist content present additional concerns.

Filtering is fraught with challenges and risks and, in any case, only a handful of online services would have the resources and capacity to build or license such technology. This is a benchmark that only the largest platforms would be able to meet. Further, filtering has different implications for different services at different layers of the Internet. There is always the risk of over-blocking, for example of public interest content (e.g. news reports).

Today, no company has the ability to produce a filter that is always reliable. Some very large companies have filters that are very good, but all of them still miss some content that should be filtered and filter some content that should not be. To make a filter that would actually do what we want, we would need artificial intelligence so good that it was indistinguishable from the wisest and most careful humans in history. Humanity has not invented that artificial intelligence yet. For instance, the filters would need to be able to tell the difference between a piece of terrorist propaganda and a legitimate news report about that propaganda. Even before the Internet, there were often disagreements about what represented “legitimate” news reporting, with powerful authorities often attempting to classify embarrassing news stories as illegitimate. There is little reason to believe that using the Internet makes those controversies go away.

Furthermore, messaging services may feel compelled to remove end-to-end encryption from their services so they can proactively filter content, or they may even use this G7 outcome as an excuse to gain fuller access to their users’ data for advertising or other commercial purposes. They might even delay deploying stronger security solutions that might make content filtering more difficult or expensive. All of this impacts your security.

The G7 Leaders’ Summit is in August 2019. We have until then to make a difference.

The Internet is often portrayed as a barrier to law enforcement and national security efforts to defend society against terror. But, the Internet provides a remarkably resilient and reliable communications infrastructure when other kinds of infrastructure fail. It is an essential tool for emergency response when disaster (whether human or natural) strikes. And, strong and secure communications make everyone safer by preventing more sophisticated attackers from preying on citizens and businesses whose main focus is not communications security.

The G7 Outcome Document misses an important opportunity to remind everyone why the Internet is one of our most important tools in combatting terror in the first place. The best disinfectant is sunlight, and the Internet provides the means to do that.

Instead of trying to defend society from the Internet, a technology that benefits all humanity, and to close off its potential in an attempt to stop terrorists, governments should use the Internet to build community strength and resilience, to empower citizens to protect their communications, and to promote solidarity. We should not let terrorists sway how we use the Internet.

Time is running out. The 45th G7 Leaders’ Summit is taking place 25-27 August in Biarritz, France. Please act now.

Categories
Improving Technical Security Internet Governance Internet of Things (IoT)

G7 Leaders, the World is looking at you to make the right decisions

As Canadian Prime Minister Justin Trudeau gets ready to host the G7 Summit this week, renewed tensions around trade remind us how vulnerable the global economy is, and how working together is more important than ever to solve these complex issues.

And today, the world is looking to G7 leaders to make the right decisions.

The connected future is here. While the Internet has yet to reach its full potential (half of the world’s population remains offline), there’s little doubt that it’s already changing the landscape of trade, jobs, and the digital economy. According to data from McKinsey, the Internet accounts on average for 3.4% of GDP across the large economies that make up 70% of global GDP. The global network offers a unique space where data, goods and services can flow and fuel the next wave of global growth, where anyone can take part and benefit from new economic opportunities.

One of the values of this connected world is our ability to interconnect — the way we live our lives, the way we socialize, and the way we interact with the world. Everything from clothes to toys and toothbrushes is coming online as well. The International Data Corporation (IDC) estimates the value of the Internet of Things (IoT) to the Canadian economy at $21 billion annually, a tremendous disruptor in the innovation economy, with up to 25 billion devices connected globally by 2025.

While this sounds pretty exciting, there is a critical flaw: the vast majority of these devices aren’t designed with people’s security and privacy as priority number one.

And that creates an issue of trust in the very connected future that we’re heading towards.

Securing the Internet of Things

Consumers of Internet-connected devices rightly expect that their information will be protected, and that they will be safe and secure. But, securing the Internet of Things is complicated. Governments can’t do it alone, nor should we expect them to. It necessitates a collaborative approach – one that brings a diverse group of stakeholders and perspectives, including consumers, to the table when policies and norms are developed.

There are some promising examples of this happening around the world. Governments are increasingly recognizing the complexity of the challenge and engaging in collaborative processes to secure the Internet of Things.

What Leaders of the G7 Can Do

For example, in the U.S., the National Telecommunications and Information Administration (NTIA) facilitated a multistakeholder process to address upgradability and patching of IoT devices. In Japan, under the IoT Acceleration Consortium, government, academia, industry and other stakeholders are working together to address a variety of challenges and risks related to IoT security. In Canada, the Internet Society is working with the Government of Canada, the Canadian Internet Registration Authority, CANARIE, and CIPPIC in a multistakeholder process on consumer empowerment and network resilience related to IoT.

As representatives of seven of the world’s most advanced economies, G7 countries must take a leadership role in advocating for a connected future that ensures everyone, everywhere can take advantage of the Internet of opportunity. This means that privacy and security must not be an after-thought for Internet-connected devices; they should be embedded in their design. This is why a collaborative approach is so important.

By ensuring all relevant voices are present at the table – civil society, the security and technical communities, government, and the private sector – the outcome will be stronger.

And, it’s been our experience that stakeholders will be much more likely to support and implement those outcomes.


To discuss this topic, please join or watch our side event on June 6 – Innovation, security and the Internet of Things – and also listen to this audio interview I recently gave related to the G7:



Categories
Improving Technical Security Internet Governance

Reflections On The G7 ICT Ministers Meeting

On April 30, 2016, ICT Ministers of the “G7 group” concluded their deliberations in the beautiful city of Takamatsu, Kagawa prefecture in Japan. After months of preparatory work and two full days of discussions, the ICT Ministers of the USA, UK, France, Italy, Japan, Canada and Germany plus the European Union issued a joint declaration that:

  • recognizes our digitally connected world,
  • commits to mutual goals and, once again,
  • reaffirms the multistakeholder model for the governance issues facing the deployment, development and evolution of the global Internet.

The meeting itself and the accompanying documents are important for two main reasons. First, this has been the first ICT Ministerial meeting the G7 group has held in almost 20 years. Second, the organization of this meeting was led and carried by the government of Japan.

I spent a week in Japan talking to dedicated and engaged stakeholders and participating in the ICT Multistakeholder conference. As I wrote last week, there is great work being done in Japan. What is more important is that this work is happening under a very clear understanding that no single stakeholder alone can resolve the complex Internet-related issues. The government of Japan is a champion of the multistakeholder governance model and is promoting it successfully.

In the declaration, the ICT Ministers acknowledge and welcome both the Outcome Document of the High Level Meeting of the United Nations General Assembly on the overall review of the implementation of the outcome of the World Summit on the Information Society (WSIS) as well as the Internet Governance Principles of the NETmundial Multistakeholder Statement. Both of these international documents accept the normative application of the multistakeholder model for Internet governance.

The fact that these documents are cited in the declaration confirms the view I shared with the Ministers and other participants in Takamatsu that the “debate [over whether the multistakeholder model is the appropriate one for the Internet] is settled and that it is now more useful to focus on the particular outcomes we want to achieve for a particular problem when making decisions in the Internet age”.

Amongst the other noteworthy conclusions in the declaration, the Ministers:

  • pledge to promote Internet openness and protect the free flow of information;
  • agree to promote privacy and data protection, including the Internet Society’s recommendation for proactive approaches such as “privacy by design”; and,
  • commit to promote a collaborative approach in addressing issues of cybersecurity.

Moreover, the declaration outlines the importance of promoting “the development of [interoperable] ICT standards including reference architecture models that will continue to be industry-led primarily, voluntary and consensus-driven, based on principles of transparency, openness, impartiality, market needs and coherence including those developed within standard development organizations”.

Finally, the G7 Ministers also released a document that I find of great importance. Attached as an Annex to the Joint Declaration, the document outlines “Opportunities for Collaboration” and seeks to “strengthen international cooperation and collaboration [in order] to achieve the actions in the G7 ICT Ministers’ Joint Declaration”.

This is a great step towards a more integrated and collaborative approach to address the complex and challenging issues of Internet governance. It is a very welcome invitation by the governments to all stakeholders to work together on concrete issues.

As we move towards the OECD Ministerial meeting next month, I am heartened by the efforts of the G7 governments towards recognizing, encouraging and sustaining the multistakeholder model – and their willingness to deepen and enhance it.

I applaud the inclusion of interested stakeholders in the discussion in Takamatsu and, in particular, thank the government of Japan for its leadership in connecting a digital world.


Watch Live on Friday, 29 April – Kathy Brown At G7 ICT Multi-Stakeholder Conference

On Friday, April 29, you can watch leaders of the technical community, business and civil society address the G7 ICT Ministers at:

The Multi-Stakeholders Conference begins at 9:00 am Japan Standard Time (UTC+9), which is:

  • midnight UTC
  • 2:00 am Central European Time
  • 8:00 pm, Thursday, April 28, Eastern Daylight Time

Internet Society President and CEO Kathy Brown will speak as part of a panel starting at 10:45 am JST. The panel topic is “Sharing common thoughts about Internet governance and cybersecurity”. The other panelists are senior executives from Hitachi, NTT and BT Security. Kathy has published her thoughts about what she will say in the session.

The full agenda for the Multi-Stakeholder Conference is available on the G7 event site.

In preparation for the session, we encourage you to read:

During the event you can also follow our tweets on @ISOCPolicy.


On The Way To The G7 ICT Ministers’ Meeting In Japan: Multistakeholder approaches needed to address Internet security

This week in Japan I have been invited to address the Multi-Stakeholder Conference that will officially open the G7 ICT Ministerial summit in Takamatsu. The focus of the ICT Ministerial will be on four distinct areas:

(1) Innovation and economic growth;
(2) Unrestricted flow of information, and ensuring the safety and security in cyberspace;
(3) Contributing to the resolution of global issues, including digital connectivity;
(4) International understanding and international cooperation in the future.

In December 2015, we were encouraged to see the nations of the world endorsing the WSIS agreement made 10 years ago in Tunis. The updated WSIS+10 outcome document is unequivocal that the Internet should be “governed” through bottom-up, collaborative processes that include all those with a stake in the outcome.

This continued commitment is another milestone in Internet governance that we must build upon and deepen. We believe strongly that issues of Internet safety and security cannot be addressed by one stakeholder alone – be it the industry or the government. Indeed, we voiced a concern in New York that it would be a mistake to think “that cooperation ONLY among governments is sufficient to solve issues that require the expertise and commitment of all of us”.

This week in Japan, I heard concerns that some governments and commentators continue to assert that matters of security are exclusively within the purview of governments.

The Internet Society believes that this is not and should not be the case. Indeed, because of the transnational and distributed nature of the Internet, security issues are best addressed by collaborative and coordinated efforts of all those with a stake in a trusted Internet, including businesses, civil society groups and governments. We refer to this as Collaborative Security.

The Internet exists because of the creative energy and ideas from individuals across the world, working together to figure out how to connect networks, how to send information across those networks, and how to enable billions of users to benefit from a digitally connected world. We need to apply this same energy to issues of security. Just as networking technology is complex, so is Internet safety and security.

There is no single technical solution or regulation or international agreement or business practice that is magically going to bring about a trusted Internet. The reality is that we must harness the necessary expertise to come together to solve hard problems.

In recent years, there have been countless political debates about whether this collaborative approach to problem solving, often called the Multistakeholder Model, is valid, particularly for complex matters of public policy.

We believe that this debate is settled and that it is now more useful to focus on the particular outcomes we want to achieve for a particular problem when making decisions in the Internet age.

In our view, Internet public policies, regardless of the issue, should:

  • maintain the global, interconnected nature of the Internet,
  • enable permissionless innovation and free expression,
  • strengthen the security, stability and resiliency of the Internet; and,
  • allow the Internet to flourish as a platform for limitless opportunity and innovation around the world.

To craft sound Internet policies and make decisions that address the challenges of today while upholding the core elements of the Internet requires that we bring all the relevant expertise to the table.

With an issue as complex and sensitive as security, it is even more crucial that we do so.

At the G7 meeting this week, I will emphasize this point. The G7 ICT Ministers are among the most influential in the world. It is incumbent upon them to set an ICT policy agenda that rises above the typical politics and that draws upon all the expertise available to get to solutions. And, I am most encouraged by the G7 Foreign Ministers’ Joint Communique earlier this week. In that Communique, the Foreign Ministers wrote:

“We reaffirm our commitment to a multi-stakeholder approach to Internet governance, which includes full and active participation by governments, private sector, civil society, the technical community, and international organizations, among others”.

Collaboration is key. The Internet is the outcome of the cooperative efforts of different actors. This is as true for the Internet’s technical issues as it is for its more complex governance issues. The multistakeholder governance framework is widely accepted as the optimal way to make policy decisions that are accountable, sustainable and, above all, effective.

Today, the Internet Society released a paper that discusses in further detail why the multistakeholder approach works and must be embraced to ensure the continuing economic, social and human rights benefits of a global, open and secure Internet.

On Friday, I will join others from the Internet community to illustrate that the only way forward is through continued multistakeholder collaboration and coordination.

—–

Note: The Multi-Stakeholder Conference will be streamed live on YouTube starting at 09:00 Japan Standard Time (UTC+9).