15 Dec 2019

Private information at risk from laws allowing access to encrypted data

8:06 am on 15 December 2019

A study has found laws which allow governments to access companies' encrypted data are putting private information at risk.

That's one of the findings from the University of Waikato and New Zealand Law Foundation's study, A matter of security, privacy and trust: A study of the principles and values of encryption in New Zealand.

Lead investigator, University of Waikato legal professor Dr Michael Dizon, said law enforcement could ask companies to give them access to encrypted data under the Search and Surveillance Act, and that could be misused.

"There is something in the law that allows governments to ask any service provider, including your bank, including Facebook, to render reasonable assistance for them to access, to let's say, a criminal's account but the problem there is, it's not very clear what reasonable assistance means, and that becomes a really big problem because they can overstep their bounds."

The study also cited a case in the US where the FBI sought a court order to gain access to a shooter's locked iPhone, after Apple refused to comply on the grounds it would endanger the privacy and security of all its users.

Dizon was concerned that governments could ask companies to create weaknesses in their security systems, such as encrypted internet banking, so they could access the information of terrorists or criminals.

"If you create a backdoor or a weakness in one system, it can be exploited, not just by the police but any other person that can access it so it can be abused by criminals, by malicious state actors - say somebody from another country that has nefarious motives - so the point is there, if there is a weakness, anyone can exploit it," Dizon said.

The researchers recommended that people suspected or charged with a crime should not be forced to disclose their passwords.

They also recommended that companies should only provide information to police or law enforcement authorities if doing so does not undermine the information security of their products and services and the privacy of their clients.
