King Idiot?

According to ZDNet and other reports such as Boing Boing, Australia would be the “King Idiot” of the internet. The title would reportedly be deserved because the Australian Prime Minister, Mr Turnbull, has made a controversial statement on the laws of mathematics while referring to encrypted communications used for evil.

“The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.” (Turnbull)

A middle-power nation thinking it can tell US-based multinationals which parts of mathematics they can and cannot use — we deserve to be sent to time out. (ZDNet)

The Australian Government has indeed been openly pushing an agenda of influence with its Five Eyes intelligence allies and the technology industry, towards subjecting digital communications to effective legal tapping, as is commonly done with analog communications.

The Electronic Frontier Foundation, which I am a very fond supporter of, also reported on the subject and raised a warning that “the future could be a new international agreement banning strong encryption” with further countries pushing for such an agenda.

The bad press on Australia is a real pity. I believe the Australian Government is well intended, but it is failing to efficiently communicate on the subject. As a result, the debate is somehow misplaced.

I am personally with both privacy and counter-terrorism for public safety. Australia, France, the UK and many other countries are at real risk of further serious security incidents, whose orchestration may indeed be facilitated through private communication apps.

Private communication apps can be used by terrorists and ill-intentioned characters, just as they are used by a larger population of peaceful and law-abiding citizens, including politicians such as Turnbull himself according to some reports. I use them too.

The problem

It would seem that law enforcement and intelligence agencies are failing to source information critical to public safety when it is exchanged over private communication apps by identified suspects. Such apps often provide end-to-end encryption of messages – and the mathematics of encryption simply works. As a result, the risk to public safety is higher.

The solution

Several options can be considered. The list below is certainly not exhaustive.

Option 1 – Do nothing

Accept the issue and bear a greater risk to public safety. I would however feel better knowing that identified suspects could be legally and efficiently monitored, even when they use private communication apps. In that sense, I support the intent of politicians such as Turnbull, Macron and May to do something about it.

Option 2 – Ban strong encryption or legally force vendors to implement backdoors

If viable, this option would dramatically weaken internet security for all. It could severely impact innovation and economic prosperity. Encryption algorithms also simply cannot be erased from the literature or from people’s minds. I believe this option is totally unviable.

Never mind that the [encryption weakening] law 1) would not achieve the desired results because all the smart “terrorists and drug traffickers and pedophile rings” will simply use a third-party encryption app, and 2) would make everyone else in Australia less secure. (Schneier)

Option 3 – Build a key escrow

Have all strong encryption systems retain a copy of the keys necessary to decrypt information with a trusted third party, who would turn over keys to law enforcement upon proper legal authorisation (see Clipper Chip). This idea was proposed in the 1990s and was not implemented because of a range of risks including cost, governance, jurisdiction and a huge risk of escrow compromise. Excellent read covering the subject here.

I suspect it would also be unavoidable for “rogue” non-escrow-compliant apps to be developed and used – defeating the purpose.

Option 4 – Shift the goalpost to the endpoint

Compromise the endpoint (e.g. mobile phone) and intercept messages before they are encrypted by the sender or after they are decrypted by the recipient. This would require compromising the endpoint hardware or software somehow through undisclosed vulnerabilities.

This option does not target encryption, but it still presents a big risk: the techniques used by Government entities to compromise endpoints could also be exploited by others when they find out about them (e.g. Vault7, WannaCrypt, etc.).

Option 5 – To be defined…

Further options may exist and deserve some consideration for the greater good of public safety. The problem may present an opportunity for an innovative solution. A good challenge!

Good reads on the subject

No encryption was harmed in the making of this intercept

Australia Considering New Law Weakening Encryption
