Australia's encryption thwart thought is fraught

It's not an attack on mathematics. Attorney-General Brandis' attack on terrorist encryption is an attack on the very fabric of secure mobile communications.
Written by Stilgherrian, Contributor

Australia's favourite Attorney-General, Senator George Brandis QC, has been in Ottawa discussing how we and our Five Eyes intelligence partners can 'thwart' terrorists' encrypted communications. What has he achieved?

Brandis told ABC Radio on Wednesday morning that defeating encryption was a "very important part of the proceedings" at the meetings between the US, UK, Canada, New Zealand, and Australia, because encryption is "impeding lawful access to the content of communications".

"So what we decided to do in particular was to engage with ISPs and device makers to secure from them the greatest possible level of cooperation. I also discussed with my American counterpart, Attorney-General Sessions, the development of cross-border access without having to go through the rather prolonged procedure of mutual legal assistance," Brandis said.

Leaving aside the question of whether lawful access rules should be re-examined, improving the pace at which law enforcement agencies can respond is a sensible goal. But what of the technical aspects?

As ABC Radio asked: "What are you actually asking them to do? Because tech companies say you can only break into these messages if you've planted a flaw or a bug into the software before it's sold. Is that what you want the device makers to do?"

Not specifically, said Brandis, and it's not as simple as that. And indeed, he's previously said he's not interested in backdoors.

"What we need is to develop, and what we'll be asking the device makers and the ISPs to agree to, is a series of protocols as to the circumstances in which they will be able to provide voluntary assistance to law enforcement," Brandis said.

"There is also of course the capacity which exists now in the UK and in New Zealand, under their legislation, for coercive powers, but we don't want to resort to that," he added. Brandis wants a set of "voluntary solutions".

When pressured about what that might mean, Brandis said that is a discussion that is yet to happen, and he didn't want to get ahead of himself, or narrow or confine its scope.

"First of all, I've made it clear that we're not going to ask the tech companies to backdoor their systems. Secondly [for example] section 253 of the British Investigative Powers Act does impose an obligation, subject to reasonableness and proportionality, upon providers to do whatever they reasonably can be expected to do to enable law enforcement to inspect messages that are the subject of encryption, or inspect devices," Brandis said.

And as for the idea of banning end-to-end encrypted messaging apps like Signal and WhatsApp entirely, Brandis said "it was not discussed, and wasn't thought of, and it would be infeasible."

So here's where we're up to.

Brandis says end-to-end encryption is a problem for law enforcement, which it is. He's not going for a backdoor, and says that's not feasible, which it isn't. So has he started a war on mathematics? Has he foolishly tried to tackle maths with the law?

After all, Brandis isn't known for his technical acumen, particularly after that Walkley Award-winning interview where he struggled to explain metadata.

No. Forget the maths. Join some different dots.

First, Brandis plans to talk to device manufacturers. Even now, telco switches must have a lawful interception (LI) capability, so that conversations can be intercepted -- or wiretapped, as Americans say. I'm guessing he simply means extending that requirement to endpoint devices, where messages could be intercepted before they're encrypted.

Second, Brandis wants to talk to ISPs. That's probably not to decrypt messages as they pass through, because that's kinda hard. It's probably to help the telcos identify the device in use, so that its lawful interception capability can be turned on.

That's all technically possible, achievable with legal pressure, and fits nicely within the national and international legal frameworks already in place.

But it's not a win, at least not for us citizens.

Current LI capabilities work through telco switches, so in theory they can only be turned on from within the telcos themselves. Yeah, shoosh you.

But mobile devices can be anywhere on the planet. The Brandis Plan, if it's what I think it is, would mean devices could potentially have their LI capability turned on from any telco on the planet and routed ... somewhere.


Because research as recently as late 2016 has shown that international mobile data networks are a security nightmare.

The only protections from LI capabilities going rogue would be mobile network switching security, and the processes within device makers' supply chains, and telcos, to prevent information leaking to bad people. There's no attack surface in there at all, right?


The Brandis Plan may well be able to achieve his goals, but at what cost?
