Federal Government Again Gets It Wrong when Suggesting IT Policy Direction
Unfortunately, in the last week we have seen yet another example of this current Federal Government’s naivety regarding creating and implementing effective technology policies.
In response to the Manchester and London terrorist attacks, Prime Minister Malcolm Turnbull and Attorney General George Brandis have proposed that perhaps it was time laws were introduced whereby technology companies would bear responsibility for ensuring their systems were capable of deciphering encrypted communications.
Just making such a statement could easily be construed as political opportunism because clearly anyone with a basic understanding of how encryption works would see that such a proposal is completely unworkable.
So, let us start with a simple explanation of what encryption is, who uses it and how.
Encryption is the process of "encoding" data to hide its meaning/contents from discovery by someone else. Generally speaking, a mathematical process is run over the original data to produce a scrambled version. To read the data back from the coded version, you need the "key".
Some weaker forms of encryption are easily reversible (like simple letter substitution ciphers), but other types require very specific knowledge of the "key" to decrypt the message. Military grade encryption, for example, is very sophisticated and cannot be easily "cracked" or "broken" by unauthorised parties.
Encryption is used to secure communications over open or insecure networks such as the Internet. Internet banking or eCommerce (online shopping) where credit card details are supplied are classic examples. There are also VPN connections for people to "work from home" and connect to corporate networks securely or to connect dispersed offices to each other over the Internet.
It can also be used to hide the contents of other types of communications. For example, email and instant messaging apps such as Facebook Messenger, WhatsApp, etc., also use encryption to ensure that only authorised people have access to communications.
At the high end, government and, in particular, defence organisations use high-level encryption to encode messages to protect them from unauthorised parties. Alternatively, encryption can also be used to protect data that is stored on a device (the contents of a hard drive or a mobile phone) to prevent unauthorised people from accessing the data.
The government is suggesting that certain device and application vendors (Apple for iPhones, various Android phone manufacturers, Facebook for Facebook Messenger and WhatsApp, etc, maybe even SSL certificate vendors – nobody really knows yet, the government has not yet explained this) provide them with an ability to intercept and read encrypted messages in "near real time".
With modern encryption processes, this is only possible if you have access to the key required to decrypt the message, as "cracking" the encryption is largely not possible otherwise due to the mathematical complexity of the algorithms used.
This means that despite the government's protests that it does not want "back doors", that's the only way to achieve what they want - and if they have back doors into the encryption, then two things will happen:
* The backdoor will be leaked/exposed. This basically means that the encryption process can no longer be trusted.
* People will stop using encryption processes they cannot trust.
In effect, this will have zero impact on the communication between "bad guys", because the competent ones will simply move to communications protocols that they either trust or manage the keys for themselves.
By some reports, less than half of all communications between "bad guys" is estimated to be encrypted today and these are likely already the competent ones. Such a knee-jerk reaction will, however, have a horrific impact on innocent use of encryption. Legitimate users will be forced to find other methods of encryption.
If SSL certificate vendors are forced to bake "back doors" into their certificates, the impact on eCommerce alone (currently a $32b business in Australia in 2017) will be immense.
This Government appears to have not learned anything from past technology initiatives that were implemented on the run. In typical fashion, there appears to have been no serious consultation with experts and disregard for (or no understanding of) the complexities involved.
It feels as though, once again, our government is setting policy from the hip without any input and advice from technically-competent advisory groups. ITPA would welcome the opportunity to provide government (at all levels) with access to expert advice on the practical implications of policy suggestions before they open themselves to public ridicule as they have in this instance.
It is not a simple thing for Government to regulate encryption. There are already easily implemented yet incredibly strong encryption algorithms available to the public which are thoroughly researched and in which there are (currently) no known flaws.
Advanced mathematical theory has provided encryption processes that far exceed the ability of even the highest-powered computers to "crack" without access to the keys. In reality, the cat is out of the bag and there is not a lot they can do about it.
There are no silver bullets here. It is only through the implementation of stronger budget support for federal and state police forces to use traditional and new-wave investigation techniques to identify criminals that the law enforcement and national security agencies can make progress in curtailing terrorist and criminal activity.
Near-real-time interception and decryption of competently encrypted communications is simply something that the government cannot achieve without massive social and economic damage to society.
At ITPA, we fully support the battle against terrorism and crime. We also strongly believe that Government cannot continue to rely on infringing individual privacy and freedom rights to achieve security outcomes. Punishing the majority of the population for their innocent behaviour in the hope that they'll accidentally catch out a tiny number of criminals who aren't smart or competent enough to ensure that the communications they use are secure is simply unsupportable.
Even if all "five-eyes" governments manage to get back doors injected into all existing secure encryption processes (which will never happen), there is no way they will prevent the next encryption process from being developed outside of their authority. Such a next-generation technology would not only be used by criminals but also by innocent enterprises and people who simply wish to ensure that their private data remains private.
Another thing we already know from experience is that no matter how well-intentioned government policy is around technology, it always seems to be abused. Previous ham-fisted over-reach into areas the government simply doesn't understand never ends well.
Think Internet filtering: Internet site blacklists were leaked within months of Internet filtering trials starting with some of Australia's large ISPs (and we know that list included innocent sites such as that of a Queensland dentist).
Think metadata retention: there are multiple reports of abuse by law enforcement personnel of metadata retained under the mandatory metadata retention scheme (and that's before you consider just how well it's been implemented by each individual ISP, and how long before a massive release of metadata occurs).
Think NBN: this has become a complete dog's breakfast and is perhaps the biggest technology policy failure in the history of the world and a shining example of what happens when the government meddles in areas it simply doesn't understand.
Okay. To be fair, PM Turnbull did back-flip and say that he was not looking to regulate compulsory back doors into encrypted data, but that only serves to highlight the nonsensical nature of the original knee-jerk reaction.
At the end of the day, we at the ITPA plead vociferously with the Government to consult with the industry and the professionals who work within it before making frankly ridiculous statements about technology policy. We are here and happy to help.
Without doing so, you just make yourselves (and, by association, all of us) look devoid of intelligence.
President, IT Professionals Association (ITPA)