Schneier slams Australia's encryption laws and CyberCon speaker bans

Governments breaking encryption is bad, and 'will get worse once breaking encryption means people can die', says one of the world's leading security experts.

"Australia has some pretty draconian laws about forcing tech companies to break security," says cryptographer and computer security professional Bruce Schneier.

Free PDF

Australia’s encryption laws: An insider’s guide

Australia now has world-first encryption laws. This guide explains what the laws can do, what they cannot do, and how Australia ended up here.

Read More

He's referring to the controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, which came into force in December.

"I actually don't like that, because stuff that you do flows downhill to the US. So stop doing that," he told the Australian Cybersecurity Conference, or CyberCon, in Melbourne on Wednesday.

Schneier's argument against breaking encrypted communications is simple.

"You have to make a choice. Either everyone gets to spy, or no one gets to spy. You can't have 'We get to spy, you don't.' That's not the way the tech works," he said.

"As this tech becomes more critical to life, we simply have to believe, accept, that securing it is more important than leaving it insecure so you can eavesdrop on the bad guys."

Schneier cited the so-called CIA triad model of cybersecurity: Confidentiality, integrity, and availability.

Most data breaches have been about confidentiality failures. But as more and more critical systems rely on connectivity and the Internet of Things, data integrity and availability become critical to safety.

Publishing your medical records may cause embarrassment or discrimination, for example, but if data on your blood type is altered it could kill you.

How we got here: Australia now has encryption-busting laws as Labor capitulates

A car is now a networked system of a hundred computers with wheels and a propulsion system. If that network isn't available, or is transmitting false data, a fatal crash could result.

"We need to maintain security as computers infiltrate the rest of the world," Schneier said.

"We are now living in a world where governments -- your government and my government -- are desperately trying to break encryption. This is bad, and this will get worse once breaking encryption means people can die," he said.

"The way to think of it is as one world, one network, and one answer."

Schneier placed the government urge to weaken encryption onto an historical context dating back to the 1950s and the founding of the US National Security Agency (NSA). It had two missions.

"One of them was to defend US military communications from eavesdropping, and the other was to eavesdrop on foreign military communications," Schneier said.

"The reason that worked is that our stuff and their stuff were different. Everything about them was different. And that's no longer true," he said.

"Today, everyone uses the same stuff. Everyone uses TCP/IP and Cisco routers and PDF files and iPhones, and either you build them to be secure for everybody, or you build them to be secure for nobody."

There's a real debate here, Schneier said, but it's not about security versus privacy. It's about security versus security.

One side is the security of everybody who carries a smart device, he said, "which is every world leader, and nuclear power plant operator, and CEO, and judge, and police officer".

On the other side is "the security that you get if you can listen to bad guys who are carrying one of these".

"You kind of get to pick one. You can pick one or the other, but you can't pretend to pick both."

Schneier also slammed CyberCon for dumping two speakers just days before the conference started. They were Thomas Drake, a whistleblower formerly with the NSA, and Dr Suelette Dreyfus from the the Department of Computing and Information Systems at the University of Melbourne.

See also: Boomers and Coalition voters least worried by metadata and encryption laws

CyberCon is organised by the Australian Information Security Association (AISA) and the government's Australian Cyber Security Centre (ACSC), and Schneier's finger is pointed directly at the ACSC.

"[Drake] was going to talk about basically surveillance, the kind of talk I would give. Government and corporate surveillance, and how everybody's spying on all of us. I mean, nothing we don't know," Schneier said.

"[Dreyfus] was going to give a talk on work she did for the EU on building whistleblower platforms to reduce corruption in third world countries. Kind of mundane," he said.

"My guess is that someone at the ACSC saw the word 'whistleblower', and because that's kind of sensitive here, sort of freaked."

"I would say you're morally obligated to go read the two talks," Schneier said.

"Actually if you do want to read them, censorcon.net is where you'll find the slides and the abstracts."

The audience applauded.

Related Coverage

US, UK, and Australia jointly request for Facebook to stop end-to-end encryption plans

Trio call for Facebook to allow law enforcement to obtain lawful access to content in a readable and usable format.

Honesty needed to break 'impasse' over cops versus encrypted data

The Encryption Working Group has proposed a sensible way to advance the debate on encryption policy, including a reality-based decision-making framework. Australia's approach has been nothing like this.

Australia inches closer to compelling access to US data under CLOUD Act

If finalised, the agreement will mean service providers in the United States can respond directly to electronic data requests issued by Australian enforcement agencies for data critical for the 'prevention, detection, investigation, and prosecution of serious crime'.

Latest technology could miss Australia due to encryption laws: Telstra

The telco also wants immunity provisions if its suppliers' equipment runs slower due to cops fiddling with it.