Australia's war on encryption potentially 'reckless': Former US cyber advisor

Demands for more access to private data and control over personal communications devices 'sounds a lot like China', says Obama's director for Cybersecurity Policy.

malcolm-turnbull-prime-minister-austrlia-george-brandis-small.png
Image: Asha McLean/ZDNet

Australia's Prime Minister Malcolm Turnbull and America's Deputy Attorney-General Rod Rosenstein both think that tech companies should "do something" about end-to-end encryption. Both have said so publicly, rejecting claims that it'd be difficult, if not impossible.

"The laws of Australia prevail in Australia, I can assure you of that," Turnbull famously said to ZDNet on July 14. "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

For his part, Rosenstein has called for something he calls "responsible encryption".

"Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization. Such encryption already exists. Examples include the central management of security keys and operating system updates; the scanning of content, like your emails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop," Rosenstein told the US Naval Academy on October 10.

"I simply maintain that companies should retain the capability to provide the government unencrypted copies of communications and data stored on devices, when a court orders them to do so," he said in a similar speech to the North American International Cyber Summit on October 30.

Politicians continue to believe, in the face of continued cogent arguments, that magic technology can reliably protect messages from eavesdroppers, yet still give easy access to law enforcement agencies whenever they demand it.

Why?

Are these otherwise intelligent people simply failing to understand the arguments against their proposals? Are they failing to understand that the laws of mathematics are immutable?

"At best it's that. At worst it's reckless policy," Ben Flatgard told ZDNet. Turnbull's comment on the laws of mathematics was "a pretty amazing suggestion", he said.

Flatgard was the director for Cybersecurity Policy on the US National Security Council during the Obama administration. He's currently the 2017 Alliance 21 Fellow at the United States Studies Centre at the University of Sydney.

"We've been discussing this as long as encryption's been used in commercial applications," Flatgard said, and he's right.

The core problem was, is, and always will be how to ensure that messages can only be decrypted when lawfully approved. That's not a technology problem, that's a policy and process problem.

An encryption algorithm will decrypt a message when it's presented with the appropriate key. It can't know whether the key was obtained legitimately or not. Any process that tries to attach an authentication code to the key suffers the same problem. Was that code attached legitimately? And so on, out to infinity.

That's why I think Turnbull's public comments are not a war on maths, but a battle against the organisational structures and processes that keep communications secure -- and that's nothing new.

In 1993, the US attempted to solve the problem with the Clipper Chip in every device, splitting the government-held per-device keys in two, with each half held by different agencies. It was abandoned in 1996.

"This was eventually done away with because it was too difficult to manage some of these concerns," Flatgard said.

There is actually a problem to be solved here, of course.

"The threat of a loss of intelligence is significant," Flatgard said, but "the 'going dark' problem is one that's admired more than it's actually acted upon, and you hear a lot of chest-beating".

You don't solve that problem by demanding free access to everything.

In the wake of the 2015 terrorism incident in San Bernardino, for example, then FBI director James Comey spent more than $1.3 million to get into an iPhone belonging to one of the shooters, for information of questionable intelligence value. That's on top of the cost of the agency's legal battle against Apple.

Flatgard finds that "troubling".

"Even if you get what you want, you don't get what you actually need. You don't know what you want well enough, and how to ask for it," he said.

Politicians and law enforcement agencies, in both the US and Australia, are escalating the anti-encryption rhetoric. Sometimes, as in the San Bernardino case, they're backing it up with serious legal and budgetary muscle in a "scary way".

"You see some of this in Australia as well... the suggestion of using, like, extra-judicial and extra-legal measures to obtain the information. I think that should give everyone pause for concern, when politicians suggest that we're going to demand someone give us X, Y, or Z. If there's a court order to do so, that's a different thing," Flatgard said.

"It also fails to appreciate the technology constraints behind it, right. So giving access to an iPhone isn't the same as giving access to data that's potentially encrypted at the app level or in other ways, [or] it's not stored on-prem[ises] but is managed by someone else in an encrypted way."

It also fails to appreciate that most encrypted messaging apps are built on open-source software.

"Being able to regulate the software marketplace seems incredibly difficult," Flatgard said. People that are trying to do bad things aren't idiots, and will roll their own messaging apps.

Indeed, just a week after Turnbull's speech, a browser-based messaging app appeared at brandis.io. It's named, of course, after Australia's favourite attorney-general, Senator George Brandis QC.

What this leads to, said Flatgard, is that as the conversation progresses, the solution space shrinks. "[It's] us basically saying, 'Well then you have to use approved domestic software, [and] data has to be localised'.

"At the end of the day, that sounds a lot like how China, for instance, regulates the use of some of these technologies."

Quite.

Related Coverage

US deputy attorney general just called for 'responsible encryption.' Don't fall for it.

You only need to look at the past year of data breaches, leaks, and exposures to see that some of the most precious national security and technological secrets in the US aren't safe.

Thou shalt be secure: RSA says you can't force private sector to break encryption

RSA's VP and GM of Global Public Sector Practice Mike Brown believes there's a better way to thwart terrorism than breaking end-to-end encryption, as recently proposed by the Australian government.

WhatsApp, Facebook to face EU data protection taskforce

WhatsApp and its parent company Facebook have been invited to meet a data protection taskforce after alleged non-compliance with European data laws.

US AG rips Silicon Valley tech firms, says encryption makes crime easier to hide (TechRepublic)

The US Deputy Attorney General Rod Rosenstein recently gave a speech criticizing Silicon Valley tech companies for not working with the US government on encryption.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All