Take one look at the upcoming legislative agenda of the Turnbull government and you’d be excused for assuming that our antipodean democracy was a police state under threat from many faceless foreign nations. Supposed espionage threats and foreign interference claims are being used to ram through laws that will have a huge impact on civil society, as well as changes to security regulations that will allow police to demand identification at airports without due cause, and intimidation tactics directed at citizens who dare to criticise government services.
One impending piece of legislation, slated to be introduced in the coming weeks, will directly affect the ways in which we all use technology to communicate, operate businesses and engage in our daily lives. At a recent meeting of the Five Eyes (the name for the joint surveillance operations of Canada, United Kingdom, New Zealand, United States of America and Australia) our government gleefully proclaimed that they planned to introduce legislation that would allow them to intercept encrypted communications.
Many modern technologies rely on strong end-to-end encryption to secure communications directly between users. Encryption is a foundational tool for the proper functioning of the digital society and economy, and is used in a wide range of settings, including banking, public service delivery, and communications. The only way to allow law enforcement officials to access the content of encrypted communications is to break end-to-end encryption for everyone by introducing weaknesses that allow third parties to snoop on communications between users. To create a technological opportunity for anyone to access encrypted messages, be it a police officer, a judge or a politician, is a very dangerous exercise that would destroy the very architecture that makes encryption work in the first place. Once these weaknesses are introduced, we all become much more vulnerable to commercial surveillance, data leaks, criminal eavesdropping, national security threats, and overreach by government officials.
Australians should be confident that the services we use haven’t been weakened or compromised by government mandate or pressure. As a society, we accept that people can meet and discuss things in private, that people can draw the curtains on their bedroom windows so the government can’t see in. We also presume that when we share private information with businesses and organisations, that the technology facilitating these transactions is strong.
This is a case of political bluster attempting to win out over logic. It’s a truly farcical environment when we witness the Prime Minister, himself known to be astute about the workings of the tech industry, claiming “the laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia”. Despite Turnbull’s best efforts, it is highly doubtful that his self-imposed omnipotence will allow for such an overruling of the basic principles of technological mathematics.
It’s also likely a futile exercise. Efforts to weaken encryption within the US have been met with similar criticism, with a panel of 100 cybersecurity experts polled by The Washington Post showing strong objection to any attempt to provide law enforcement with backdoor access to encryption protocols. One expert, Matt Blaze, a cryptographer and computer science professor at the University of Pennsylvania said “weakening encryption might make the FBI’s job easier in some cases … but that would be a very shortsighted policy that would create far more crime than it would solve”.
Any attempt will likely drive criminals and terrorists toward tools and technologies that are beyond the reach of any mandated access mechanism, leaving those who are less technically sophisticated or financially privileged to bear the insecurity caused by the mandate. Any attempt to undermine encryption will ultimately hurt security, with potential knock-on effects that we cannot anticipate today.
There are many questions surrounding the intersection of crime and technology, and as with any complex social issue, these cannot be addressed in a silo. They require careful consideration and investment, including in education and training for law enforcement and research into rights-respecting mechanisms.
To use the spectre of terrorism in such a way that it unduly impacts on the rights of all citizens to exercise their right to privacy and freedom of speech is a massive overreach. There are limits on government’s powers, and encryption is an integral part of this right to privacy in digital society.
The government should not erode the security of our devices or applications, pressure companies to keep and allow government access to our data, or mandate implementation of vulnerabilities or backdoors into products. Weakening encryption weakens the entire internet and increases risk for everyone on it.
I have to agree wholeheartedly, however the battle is already lost. Same with the ABC thing.. too late even to mourn.
Relax Tim. The law, if it happens, will be treated (with contempt) as it is with dope. Major players are not going to monkey with standard encryption. Various comments on the topic exist elsewhere. Two (or more) parties can set up their own encryption and there isn’t a damed thing that anyone can do about it; Turnbull least of all!
Secondly, encrypted data typically has a finite life and only has to be confidential for that length of time. To a large extent its non-topic.
I fully blame the complicit Labor opposition for all these laws. I think that is the actual problem. When last in government Conroy tried to start the ball rolling downhill, with Scott Ludlam seemingly the only one who stood up to him.
Surely it’s common sense that if a backdoor is open anyone with the skill to walk through can, regardless of where their intentions lie on the good/evil spectrum. I don’t understand how Turnbull thinks making it easier to hack into people’s data enhances safety.
Andrea, the two main types of encryption are Diffie-Hellman (D-H) and rsa (named after the authors). RSA is about 40 years old but quite reasonable in terms of what it does. With a bit of tweaking it is possible to create a back door. However, the “real world” uses D-H. Knowing just how D-H (or rsa) work – many descriptions exist on the net – does not provide any advantage to the would-be cracker.
Let’s assume that Uncle Malcolm insisted that everyone use rsa. Well that would not suit Telstra (to identify one organisaton of some significance) that uses scp (secure copy) to move its data about [e.g. coast to coast] in the early hours of the morning because scp employs D-H. Ditto for the major banks. So, do you see, Uncle Malcolm has painted himself into a corner. Its a non issue Andrea.
I don’t believe that cryptographic back doors are what is under discussion. The arguments are all around end-running the encryption of the communications channel by having government malware installed on consumer devices (under a warrant of course): screen readers and key loggers will do the job, more or less, as the user must eventually read the message somehow. This requires the complicity of Apple/Facebook/Google/etc, which is what they’ve been asking for (as has the English home office).
So what happens if legislated? My guess is that Apple vacates the Australian market as a lesson to the rest of the world. No guesses about what the others would do, if they could do anything: most Androids are practically controlled by their respective manufacturers, who don’t do software updates anyway, rather than Google.
The point is, though, that all of the mobile devices are locked-down systems that are at least theoretically amenable to this sort of “legal attack”. Making it useful would probably also require making the use of un-managed terminal equipment (rooted Androids, or PCs running Linux) illegal, as the “hack under warrant” pathway isn’t present.
“The arguments are all around end-running the encryption of the communications channel by having government malware installed on consumer devices”
Well let’s assume that you are correct – and you may well be correct. This approach makes it both easier and more difficult (paradoxically).
> So what happens if legislated? My guess is that Apple vacates the Australian market
Fair guess
” most Androids are practically controlled by their respective manufacturers, who don’t do software updates anyway”
Some do : Samsung, Sony and Alcatel – to name three.
> rather than Google.
Which is also acquiring a fair volume of malware of its own accord.
> [making] rooted Androids, or PCs running Linux) illegal
Which, more or less, is related to the point that I made earlier. A good deal of the upper corporate world runs Linux (for authentication, network management, proxy serving or caching – etc – or BSD (Apple if one prefers) as a distant second – to do the same job. Only basic enterprises run virus-ridden Windoz – which, becomes more Linux-like after each reincarnation!
There is no way in hell that the major (corporate) players are going to tolerate a snoop (of D-H) or let a near perfect WAN/LAN backbone (i.e. Linux) go to “hell in a handbag” To this extend Uncle Malcolm does not know (which is somewhat surprising on this occasion) what he is dribbling about. The enterprise would be like policing private dope-smoking – which is to say : impossible.
So – concluding – yes much easier to install scanning software at the Application Layer (recall the OSI model) BUT there are other applications that do the same job. E.g.
in the PRC there are three or four facebooks and as many major messaging services (e.g. WeChat – which any number of people use world wide – and is snooped by the PRC). Secondly, even attempting to “outlaw” an OS is just plain idiotic.
How are they going to enforce this on OTA updates from Apple and Google? All we’d have to do is get the update via a VPN in a non 5eyes country, or get a friend to compile it without the backdoor, in the case of Android, or go-to Copperhead, an Android compatible os.
The proposal, along with a law requiring ISPs to collect meta-data would provide for traceable packets (using D-H or whatever). However, the major players are not going to permit this idiocy to occur. See my note to Andrea.
As you convey, policing the policy would be a nightmare. The Greens might get some votes just by promising to rescind the legislation. In the meantime, one only needs an informed magistrate to let everyone off with a $1 fine.