Is There A Solution To The Government's Encryption Problem?

The Australian government is at its dithering best (worst?) when it comes a number of things to do with the digital economy. While the NBN is struggling to deliver really fast services, they did a pretty good job with the national cybersecurity strategy. Which is why their flailing attempts at articulating their views on messaging services that use encryption is so infuriating.

Here’s the government’s problem. For most of the last century, law enforcement had a relatively easy time of it listening in to our phone calls. All they needed was a warrant and a tap on the shoulder of the telco (that they conveniently owned) and they could listen in on whatever they wanted.

Then this pesky thing called progress happened. We got the internet and strong encryption became legal. Jump forward a couple of decades and we can use apps like Signal, WhatsApp or iMessage to commune with whomever we want without any chance of people snooping unless they hack your endpoint devices - something intelligence agencies are pretty good at.

There have been the occasional murmurs from the office of the Attorney General George Brandis, who seems determined to steal former Communications Minister Richard Alston’s trophy as the worlds greatest luddite, that tech companies should build back doors into their systems, as if those would only stay in the “safe hands” of government.

Encryption is an important technology - something the Prime Minister said in parliament today. With messaging service providers not retaining decryption keys, they have no way of giving access to our messages unless they make their platforms less secure.

So, I’m asking the hive mind of Lifehacker readers - is there a way around this conundrum that gives law enforcement a way of accessing encrypted messages that are being used by criminals that doesn’t compromise the right to privacy enjoyed (at least for now) of every Australian citizen?

WATCH MORE: Tech News
Also on Lifehacker

Comments

    No, there is no way around it.

    You either make the platform weaker by building in back doors or you don't.

    No. Even if they force WhatsApp, Apple, Facebook, Google, Blackberry, Whoever else to build in backdoors, there will always be services or other ways to communicate in a secret encrypted way. The only thing this does is make legitimate communications less secure.

    Instead of looking at what people are saying, perhaps they should take a good hard look at WHY they're saying it.

    You either have privacy or you don't, there is no real in-between, asking telco's and app builders o provide back doors is just plain laughable. If we get any closer to the USA's model though, things will get real Orwellian real fast.

    There is no way around it and the language being used around it is confusing people and making them fearful. Encryption is a good thing. If we can't encrypt then say goodbye to internet banking and all the commerce that depends on it. Once traffic is encrypted you can't tell the difference between e-commerce and email. Next thing governments will demand decryption to e-commerce so they can be sure it isn't some new type of encrypted messaging.

    Using the court system and obtaining a warrant against the owner of the phone seems a valid solution.

    Nope. its the price of doing business in the modern age.

    They could make the tech and bandwidth so expensive and difficult to get that nobody will use it and the voters would demolish them as would commerce.

    The recent NSA toolkit release and the FBI's San Bernadino iPhone hack show that a sufficiently motivated government can access devices/apps anyway.

    If anything we need better security and encryption so that only those with the resources/funding of government can achieve this. In other words, deliberately price out everyone else.

    Deliberately building in weak points completely undermines the above and actually weakens the advantage that governments have over other actors.

    The solution is simple, the government has to own the only telecommunications company in the country... they could call it a Telecom and it would own all the hardware in the country, as long as they dont float it on the stock exchange and allow foreign companies into Australia.

    This is not the day when that wiring a physical device on a hardline is spying, this is creating software doors in systems that you can't guarantee control.

    With software encryption and clouds, even if they had could create this magical unbreakable back door to everything... the terrorists would just make their own version. Its dumb they think its all on facebook and email... this is dark web stuff.

    The NSA and CIA have lost more weapons of electronic surveliance to the general population and hackers in the last 20 years its scarey. Wannacry was a US spy agency exploit they had leaked, their "contractors" steal code and then lose it on a regular basis, and you want a single password lying around that can break anyones privacy... you own government cant even properly de-identify a phone list private MP accounts properly.

    Our prime minister was a telecommunications minister that had to give Brandis a tutorial on encrypted messaging apps so he wouldnt look like a moron when explaining Metadata. Why is he acting dumb right now!!!

    Yes, terrorists don't deserve privacy... there is a system called warrants and probable cause, it already exists along with meta-data, that should be enough to get started.

    But if you want to stop terrorism, look at the root cause, lone gunman and suicidal attackers... this isn't an issue of surveillance or religion, this is about investing in proper mental health care and early detection that these people get help, rather than falling victim to drugs / crimes and being brain washed into a cycle of bias and hatred that fuels hate.

    ASIO and the Police knew everything about Mahon and Khayre, they were in the system, they were on payroll and bail when they committed their crimes... they were mentally unstable and violent and the police refused to survey them (cost/time/man-power/legal power) or the court just cut them loose. Fix the legal system, fix the law enforcement resources before giving them the problem of Big Data cause at the moment they dont even have the resources to check everyone on their list let alone everyone else you imagine is a terrorist.

      typo... *parole (not payroll)

    Taking a punt at a solution... what if there was a way to offer a single use, duration-limited, single sender decryption key? Something like this:

    * All messages sent over a secure messaging system are stored, encrypted, with a different set of keys each day.
    * For each conversation, an additional, algorithmically slow, decryption key is generated.
    * If the additional key is applied, it decrypts all messages for one sender, for one day, but then irreversibly renders all the other additional decryption keys impotent.

    By court order or other national security decree, the key can be handed over and a targeted decryption applied, keeping all other conversations safe. Attempts to apply the key to compromised copies of the message log are rendered ineffective due to the time required to apply the decryption. The key is useless for the next day's conversations, and a new agreement must be made to hand over the next day's key. If the keys are compromised, then only one sender each day looses their security. If the keys and the message logs are compromised, then it's still algorithmically impractical to decrypt more than a few hundred sender's messages per day.

    It's got some lose ends that need tidying, but given the current impasse between government's (and concerned citizen's) demands for protection from bad parties, and citizen's demands for privacy, there might be significant motivation to flesh out such a solution.

Join the discussion!