Attorney-General George Brandis, and the Minister for Immigration and Border Protection, Peter Dutton, are heading to Ottawa to meet with Australia’s Five-Eyes counterparts. According to a statement made by Senator Brandis “…the use by terrorists of cyberspace is an issue of critical concern to intelligence and law enforcement agencies. Australia will lead the discussion of ways to address this issue; in particular the involvement of industry in thwarting the encryption of terrorist messaging”. But, as usual, how they might do this is a mystery.
Over the last two decades a number of important technological and political changes have coalesced. In 1999, strong encryption was effectively legalised after being previously defined as a weapon in the United States. Skype entered the market in 2003 and began to change how we communicate. Instant messaging has become a popular communications system.
In parallel, governments around the world have privatised and corporatised public infrastructure so ownership of communications networks is now in private hands.
All of this means governments have lost one of the things they most crave: control.
Once you transmit information using encrypted systems across infrastructure over which you have limited control, it becomes almost impossible to intercept and read communications. This is a problem law enforcement faces.
Senator Brandis calls this Australia’s “priority issue”, saying, “These discussions will focus on the need to cooperate with service providers to ensure reasonable assistance is provided to law enforcement and security agencies”.
I am at a loss as to how Australia, or any of the Five Eyes countries (Canada, New Zealand, the United Kingdom, and the United States are the others) can do this without weakening the privacy of individuals. We already know Australia’s government has no compunction in doing this – the mandatory retention of telecommunications metadata is evidence of this. But the providers of encrypted communications services, who don’t hold on to decryption keys, can only hand over encrypted data.
When I spoke with Peter Gutmann, one of the architects of PGP, a couple of years ago, he pointed out that many major hacks involved the theft of encrypted data. In those cases, the bad guys didn’t bother breaking the encryption – even when it was weak and easily broken. They simply exploited end-point and user vulnerabilities. This seems to have been the primary method used by US intelligence agencies based on what we see from recent WikiLeaks releases of the Vault 7 leaks.
And we can all see what happens when government agencies stockpile vulnerabilities. They get out and we are all put at risk.
Intelligence and law enforcement agencies always want more information. I’ve spoken to many people in these fields and I’ve never heard one say less data would be good. At the moment, what is really lacking is a capability to use the data they have. And perhaps if the Five Eyes focussed on using what they had rather than mis-using more data they might have more success at detecting and thwarting potential threats.