Over the last few weeks we’ve seen the government increase the rhetoric around the need to access encrypted messages sent using services such as Telegram, WhatsApp, iMessage and others. The government’s view is bad guys are sending messages to coordinate attacks and law enforcement can’t eavesdrop, with a warrant, to these conversations in order the thwart the bad guys. On the other side, there’s the continued erosion of our right to privacy. CCTV on our streets, metadata retention rules and other measures mean we are monitored more than ever before. But does the government need to have a way to “break” encryption?
A couple of years ago I interviewed Peter Gutmann. Gutmann is a computer scientist from New Zealand who was one of the major players in the development of PGP. When I spoke to him, he ran through a bunch of significant hacks that had made the news over the last few years.
In all the cases Gutmann presented, data was accessed despite the use of encryption. In fact, he said even when the encryption was weak or poorly implemented, it was still easier to steal the data other ways rather than break the encryption.
At some point, data is decrypted when it is being used. The government already has surveillance laws that allow them to place listening devices into telephones. If the government wants to access the unencrypted communications used by bad guys, couldn’t they can use a social engineering attack or something similar to place some software on the threat actor’s device that’s captures the communications while they are unencrypted?
I was talking about this topic on Melbourne radio yesterday and the vast majority of talkback callers were opposed to the government further expanding their access to private communications.
It’s probably doesn’t help the government’s case when the Prime Minister says dumb things like “Well, the laws of australia prevail in Australia. I can assure you that, the laws of mathematics are very commendable, but the only law that applies is the law of Australia”.
The government may as well set laws about gravity works and tell us the laws of physics aren’t applicable here.
The encryption used by messaging services is not “special”. They are algorithms applied to many other apps and services. Weakening encryption will have widespread and, I suspect, widely unanticipated consequences.
Successive Australian governments have played the FUD card over and over again. And law enforcement has never been backward in coming forward when it comes to asking for more power.
There have been some terrible crimes on Australian soil that could be classed as terrorism; the Lindt Cafe siege, the recent incident in Brighton and others. One of the things that stands out in many cases is that law enforcement had all the information they needed to suspect something was going to happen but couldn’t put the pieces together. I’ve not heard a compelling argument made that they have the capability to use even more data.
Scope creep is also a significant issue. When the metadata retention laws were introduced, the Attorney General said they were all about catching child sex offenders, terrorisism and international drug trade. Yet, the number of agencies with warrantless access to the data numbers more than 70 with many non-law enforcement agencies on the list.
And finally, while the very vast majority of law enforcement officials are ethical and act within the bounds of the law, there have been numerous cases of police officers and others accessing data without authority.
If the government wants to access messaging data, then they ought to apply their efforts to working around the encryption instead of weakening it for everyone. Rather than creating a blanket law that erodes our privacy, put the focus on going after only the bad guys.
I’m not certain of the exact source of this quote, often attributed to Benjamin Franklin, but it keeps coming back to me.
“He who sacrifices freedom for security deserves neither”.
It seems to apply more than it did almost 300 years ago when it was first uttered.
Comments