Talk like there’s Encryption

On February 21, the Commonwealth Minister for Home Affairs, Peter Dutton delivered an address to the National Press Club of Australia in Canberra which broached the subject of making it easier for law enforcement and national security agencies gaining access to encrypted data.

In this speech, Dutton reiterated that the incumbent government is determined to introduce legislation forcing tech companies to co-operate on helping decrypt communications and stored data currently held within secure environments.

First mooted several years ago as a measure to assist law enforcement and national security agencies to counter terrorism, paedophilia and organised criminal activity, Dutton’s plan to circumvent “ubiquitous encryption” is a step too far.

Eroding privacy

Metadata retention was the first step down this dangerous path of reduced privacy – “just the details on the outside of the envelope, that’s all we want.” Now the government wants to steam open the envelope and have access to the letter inside too - It is the final step in a sustained erosion of privacy for the average individual and organisation that just wants surety about the confidentiality of the personal data they deal with daily.

We know that individuals within law enforcement agencies have already illegitimately gained access to the metadata that is now routinely collected by government, so it is (sadly) inevitable that the same sort of rogue activity will be undertaken with decryption capability.

There is no doubt that the "bad guys" are increasingly using encrypted communications channels such as encrypted messaging apps and VPNs to hide their ongoing communications - known as “data in flight”. These same enemies of state are also using "data at rest" encryption on their hard drives/online file storage to prevent law enforcement officials from gaining access to stored data that may incriminate them.

All the government would achieve by forcing companies to crack the encryption of users is to destroy encryption as a useful tool for legitimate users while the people they are targeting just move on ahead of them to the next tool.

Dutton said that they are not asking for the encryption keys or for a back door into encryption applications. Instead, they just want a legal mechanism by which they can make encrypted data as easy to obtain as wire-taps were on unencrypted telephone calls back in the day.

Commoditised encryption services

Publicly accessible data encryption technologies are largely commoditised these days. Smartphone systems and free tools such as WhatsApp, Wickr and Telegram and offer the ability to hide the content of messages and files from prying eyes. 

These technologies use either a shared secret "key" to encrypt and decrypt the data or a public/private "key pair" that reduces the risk of a key being compromised (because it allows encryption using a "public" key but only decryption by the owner of the matching "private" key).

On top of this, to make intrusion even harder, good encryption processes also use a mathematical process called "salting" which is the addition of (random) extra characters to a key to make it even harder to find by brute force or other attack methods.

These days, most people carry a computer in their pocket (their smart phone) which is easily capable of applying very strong encryption to a message that would require years of computer times with a super-computer to decrypt without the appropriate keys.

So how can they do it?

There are only a small number of ways to make it feasible for law enforcement and national security agencies to access encrypted data.

Option 1. Reduce the "strength" of the encryption - using shorter keys, or weaker (read: easier to crack) algorithms.

This basically means "change the laws of mathematics". Strong encryption algorithms are already in the public domain and implemented by a wide range of systems. Do you use ecommerce? Then you're almost certainly already using SSL-based encryption of HTTP (web) traffic.

For this to be feasible, the government would need to outlaw the use of existing strong encryption, amongst other things, this would cripple Internet banking, ecommerce, teleworking via VPN – any online activity which makes legitimate use of encryption technology (given that Google is pushing very strongly for all web browsing to be HTTPS secured, this could be a problem). They would then have to prevent future deployment of all new strong encryption algorithms (and do so with global co-operation, or risk Australia becoming an Internet and economic backwater).

Of course, you then have the issue that "bad guys" don’t care about the law. They will just ignore any such regulation anyway and continue to use the products that the government is complaining about.

Option 2. Obtain the keys.

Irrespective of whether it's symmetrical or asymmetrical encryption, the whole idea of encryption is that given a strong enough algorithm and/or sufficiently long key (plus salting in good deployments), decryption by other methods should require such significant computing power and/or time that it's not worth doing. 

A key tenant of online security is the fact that “a secret only needs to stay protected until it is no longer a secret” - for example, if a terrorist was planning an attack, the plans only need to remain secret until the attack takes place – after that, the details of the attack are pretty much out in the open.

This requires that the government obtains the keys (either primary keys or some sort of "skeleton" key) for all encrypted communications. It then must be trusted to not lose them, to not let someone who shouldn't have them get hold of them, or to not misuse them. History shows a poor track record in the halls of legislature for any of these.

Of course, the "bad guys" will simply move to processes/applications where the government cannot obtain the keys. Does the government really think that the bad guys will only use "government-approved" encryption? Once again completely defeating the point of what the government claims it is trying to achieve.

Option 3. Plant "back doors" into the applications that provide encryption services - either keep a copy of the unencrypted data before it's sent, or send a second copy of it, taken before encryption, to a remote location.

This requires the government convincing application vendors to get on-board. Keep in mind that these organisations trade based on their customers trusting them not to do anything like this. No decent vendor (who already bases its business on the fact that encryption is a positive thing for their law-abiding customers) will do this willingly or without telling their users that they are doing it. That will simply lead to people who know better moving to different encryption applications that the government has not approved.

Simply put, the only way to provide what Dutton (and Brandis and Turnbull before him) is to provide those keys and/or back doors that he claims that the government does not want.

Nothing to worry about?

When espousing the merits of enforced authoritarian decryption, most people like to take the line that “if you’ve got nothing to hide, you have nothing to worry about”. This is a naïve reaction and it is dangerous.

Everyone has a right to privacy. Whether they choose to take up this right is an individual choice and not a mandated decision made by the government of the day. 

Even if the government never misused the data, there's simply no way to provide assurance that, once the encryption processes are broken, other nefarious parties won't gain access to it and use it for their own purposes - if the tools are there to be used the tools are there to be stolen.

We are sailing way too close to “Big Brother” territory with proposals such as this and at the end of the day, it will be misused in the same way in the same way it was in Orwell’s dystopia.

Even if the initial intent is innocent, the incentive to know more and start to use that additional knowledge for their own benefit will be too much for the political class and government agencies to resist.

With appropriate oversight from our judicial system, government agencies can already gain access to metadata stored under Australia's mandatory metadata retention laws. However, we've already seen examples of this data being accessed inappropriately in the first 12 months since mandatory retention was foisted on telecommunications services providers. 

While we haven’t yet seen reports of this metadata being "hacked", that doesn't mean it hasn't already happened (and gone either unnoticed or unreported), or that it won't happen in the future, particularly as the value of that metadata increases from a commercial point of view.

A free-for-all on your data

Also, at issue here is the fact that it is not just Australian government agencies who would have access to data if encryption is broken. The companies who implement the "broken" encryption will have it, as will anyone who manages to breach protocols around access to it (potentially including corporate and even nation-state espionage).

Essentially, the government is asking for the power to read messages and files that individuals have chosen to communicate or store securely. This is not just an erosion of privacy - it also introduces unintended consequences such as the negation of security around eCommerce and the erosion of security provided by corporate VPNs often used to allow workers to "telecommute" without compromising corporate network security.

Which drives us back to the government's capability to protect the data obtained through back doors, and to only use it for legitimate purposes - hardly a good position. Not to mention the fact that nefarious hackers or greedy corporates could well gain access to these “back doors” with the intention of taking advantage of them for financial gain. None of this is a good result for your average law-abiding citizen.

Meanwhile, those with ill intention will just move to applications that don't have the back doors, or don’t allow the government to collect and store encryption keys. As we're already aware, they're hardly paragons of virtue and government cooperation.

Ask the experts

The essential point here is that it would help if Governments consulted with technology experts before coming out with hare-brained ideas designed to achieve political ends.

What they are proposing here is completely unworkable. Not only has the horse bolted on encrypted communications from the perspective of "bad guys" using it to hide what they're doing but it has also found a new equine master that has trained it, run, and won a few races, sired a few yearlings, become an old nag, and been sent to the glue factory.

There is no doubt that criminals, terrorists, paedophiles, or other bad guys are taking advantage of encrypted data to reach their evil ends. However, there is no silver bullet to end the problem, which is not one of technology - so restricting the availability of technology to law-abiding citizens is not a solution.

The government would be so much better off just adequately funding police and security agencies so that they could spend more time on traditional or new wave policing and investigation techniques in their pursuit of those who wish to defraud us, do us harm or threaten our national security.

Article written by Robert Hudson, President of IT Professionals Association.