Why you should care about the govt's encryption crackdown

There’s an argument that tends to rear its head every time there’s a debate about privacy in the digital age: if I’m not doing anything wrong, what do I have to hide?

It was promoted by advocates of the national data retention regime before it came into law, and it’s resurfacing now that the government wants to force technology companies to help it get access to encrypted communications.

The problem is, encryption and online security is about so much more than privacy. It’s fundamental to the way we operate on the internet. Confidentiality and an individual’s right to privacy is important, but so is keeping malicious actors out of your banking transactions, your online accounts, your personal devices.

It’s what ensures no-one can tap into your online purchases and nab your credit card details or sensitive personal information.

This is no hypothetical situation: just this week the chief of a security company was declared bankrupt and subsequently removed from his job, without even knowing it.

Even the leader of the crusade against encryption, Prime Minister Malcolm Turnbull, has HTTPS deployed on his own website.

“The focus on encryption at the moment seems to be all around it being used for terrorism, neglecting the fact that there are many really important aspects of encryption we’re using every single day,” security expert Troy Hunt says.

“Encryption wasn’t built so terrorists could use it. I don’t think people appreciate just how much of a fundamental component encryption is.”

This debate is raging because the government wants to impose an obligation on encrypted communications providers to assist law enforcement in accessing decrypted messages.

Terrorists are using these channels to communicate, the government says, leaving citizens at risk because law enforcement can’t monitor their messages and prevent attacks.

It hasn’t published its proposed legislation yet, so we only have vague and at time at-odds public statements about the government’s intentions.

But Turnbull and co have made it pretty clear that where the government can’t get what it wants by politely asking the likes of Facebook, Apple, and Google to help it access messages, it will bring down the heavy arm of the law.

There’s a strong indication the Australian government will follow the UK and NZ models, where tech companies are required to ensure they have the technical capability to decrypt communications, should law enforcement come knocking with a warrant.

However there’s no indication the government will specify exactly how this should be done: Turnbull on Friday said tech companies had built the platforms and now needed to help governments ensure they aren't exploited.

The problem this creates is: end-to-end encrypted communications providers aren’t able to crack these codes. That’s the entire point of their business model. The keys that are needed to decrypt messages sit with the user of the service to ensure full security.

It’s why many have criticised the UK - and now Australia - for giving companies no option but to build backdoors in their systems.

Can it be done?

Encrypted messages are scrambled and and translated through a set of keys, one public and one private, that need to be used in combination to decrypt the message.

The private key is stored on an individual’s own device, and neither that key or the plaintext message is ever available to the operator of the service.

Technology companies could potentially restrict the range of keys an encrypted messaging app can generate, according to Monash University software engineering lecturer Robert Merkel.

The longer the key is, the harder it is to crack - a 56-bit key, for example has 72 quadrillion possible combinations.

Restricting the length of this key would make it much faster to scan through the range of potential combinations, find the right one, and access the message, Merkel says.

The US government did this briefly in the 90s, a decision that ended up being responsible for the damaging FREAK attack discovered in 2015.

And if we’ve learnt anything else recently, it’s that secret government backdoors don’t stay secret for long, meaning it’s not just going to be the good guys exploiting these weaknesses.

Other public comments by various members of government suggest it is considering targeting the sender and receiver ends of the communication; introducing a lawful interception capability for endpoint devices so messages can be grabbed before they're encrypted.

But Hunt argues that weakening a company’s encryption would simply drive both criminals and legitimate users to other platforms the government can’t get into.

Take open source encryption technologies like PGP: it's extremely simple to encrypt a message locally on your own machine and send it to someone for them to decrypt without using any commercial services.

“I doubt they’ll get value out of forcing big providers to compromise privacy when there are so many other options they have no jurisdiction over,” he says.

“No”

Many of the companies likely to be caught up in this encryption crackdown - Apple, Facebook, Google, and Signal operator Open Whisper Systems - aren’t located in Australia.

This makes it somewhat difficult for the government to make them comply; they could simply decline a request for assistance.

LIV-accredited specialist in administrative law Katie Miller expects the impending draft legislation will include some form of fine or penalty for non-compliance.

“The thing with compulsive powers is it’s always open for someone to say ‘no’, but there are consequences for doing so,” Miller said.

“Governments traditionally have had a lot of trouble with this where there’s a jurisdictional question; how do you fine an overseas company and enforce it? You’d probably need the co-operation of the country of origin.

“You could also set out rules of operation for that service in your country, and say ‘if you don’t follow these rules we’ll just ban you’.”

There’s also the legal test of what “reasonable” and “assistance” mean.

Miller says the ‘reasonable’ term allows the court to take into consideration the context surrounding a particular case.

“It’s likely that everyone will agree reasonableness will be limited in terms of time and money. If the only way to break encryption is to run supercomputers for decades at the cost of millions of dollars, the court is fairly unlikely to find that reasonable,” she said.

“Where the dispute will be is: is it reasonable for a company to develop a patch or update to create a weakness or backdoor?”

It’s difficult - based on the limited information the government has provided on its plans, whilst considering the stance firms have previously taken - to see this ending up anywhere else but the courts.

Facebook has already said weakening encrypted systems for Australian law enforcement would mean weakening it for everyone, including attackers.

Miller suggests it would be a matter of “who blinks first” should an overseas tech company deny a request for help.

“I think the Australian government would end up in a similar position as the FBI was [in the San Bernadino case with Apple], and they would need to take the company to court,” she said.

“[However] Apple could also apply for an injunction restricting the government from taking a certain action on the matter.

“This is where the legislation is likely to have some challenges in practice.”

What constitutes an “obligation to assist” will similarly need to be defined.

“If a company assists to the best of their ability but they can’t decrypt because their systems haven’t been built for that, is that assisting?” Miller said.

“It sounds as if the government wants a capability the companies don’t currently have and will need to create. A court would look at all circumstances: the cost of providing assistance, the effect on the company, etc.

“If I was one of those companies I would be arguing that if you’d built your service to be secure and you were being required to break encryption, that would have a big impact on the viability of the service.”

It’s unclear at the moment whether there have been test cases with the same laws in the UK and NZ. Miller says that’s because of secrecy provisions, which she expects will be mirrored in Australia.

Balancing the good and the bad

There's no denying end-to-end encryption is a problem for law enforcement. The question is whether the government's proposal is an appropriate and proportional response to the problem.

"The message of 'there are bad things happening online and people are trying to do us harm, we need to combat this' is fine and what we should be doing. And the technology companies absolutely need to be part of the narrative," Hunt says.

"The issue here is that governments and large technology companies both need to have a seat at the table. Simply saying you're going to compel technology companies to weaken encryption is not going to work."

"Governments need to ensure they are creating legislation that reflects the values of the community they represent. They also need to be careful about creating situations where otherwise law-abiding citizens disagree so strongly with law that they breach it," Miller said.

"When people couldn't get access to media in a timely fashion on the platforms they wanted, they just went out and pirated it. Creating these situations is a very dangerous position to be in."