Today the Australian government announced a proposal to force tech companies to provide government agencies with the contents of encrypted communications.
I don’t think any draft of proposed legislation exists yet — my understanding is that a bill will be introduced later in the year — but the most recent announcement today and the press conferences by Turnbull and Brandis essentially follow on from the G20 statement last week, which has a paragraph including such ideas.
Since there are no specifics, it’s hard to comment beyond generalities. But in general the whole proposal seems to me to be, to the extent it is not technically impossible or entirely misconceived, a threat to the privacy and safety of everyone.
The best thing to come out of Turnbull’s press conference was that he said:
“The laws of mathematics are very commendable but the only laws that apply in Australia is the law of Australia.”
I am very glad to see that Turnbull thinks mathematics is commendable. In this case, he should, for instance, take seriously the results of applying the laws of mathematics in climate models, which show just how dire the planetary climate situation is. He would be better advised to spend his precious days as Prime Minister bringing the laws of Australia into line with the laws of mathematics as applied to climate, than to try to fight the mathematics behind encryption by legislation.
I am afraid that, however commendable Turnbull thinks they are, the laws of mathematics simply cannot be avoided, and they cannot be legislated away. That’s the way the universe works.
You cannot legislate that messages sent by properly implemented end-to-end encryption be decrypted any more than you can legislate that pi is 3. Central results in cryptography show that properly implemented encryption schemes make decryption practically impossible. (This is putting aside potential futuristic technologies like quantum computers.)
So, in practice, what this means is that the government wants to force tech companies not to implement end-to-end encryption properly, but to make some modification, whether by using a weakened implementation or malware or a backdoor of some sort, so that the government can access the communications. Such proposals by law enforcement and intelligence have a long and ignominious history going back to at least the 1990s and the Clipper Chip. Technical difficulties aside, the important point which has come out of all that history is that there is no way to make encryption subject to government-mandated decryption without making it vulnerable to other attacks as well. If encryption is weak enough that a conversation can be decrypted by someone other than the parties to the conversation, then it is weak enough to be decrypted by many others: hackers, other governments, and so on. If it is implemented through government-mandated malware, then anyone who gains access to that malware has similar power — and we have seen precisely this happen, for instance, with NSA malware and WannaCrypt attacks.
The government’s approach with the present proposal appears to be to transfer responsibility to tech companies. Rather than legislate government backdoors, they seem to want to legislate that the tech companies must do what they can to assist. They want to use the legal language of rendering “proportionate” and “reasonable” assistance. But breaking end-to-end encryption, or implementing backdoors, is not at all proportionate or reasonable. If a company makes such a change, then they no longer implement end-to-end encryption and the promises of privacy provided to their users are null and void. There is no proportionate way to break an algorithm which mathematically provides secure encryption. It is either secure, or it is not.
In recent years there has been a mass takeup of encrypted messaging by people around the world. End-to-end encryption has been implemented by many major technology companies. This was largely sparked by revelations of mass warrantless surveillance by the NSA, not only of individuals, but also of those very tech companies. People are right to be wary about their privacy.
The Australian authorities, I’m afraid, do not inspire a great deal of confidence. They have already been given draconian powers. Quite aside from other draconian laws which, for instance, criminalise government leaks and whistleblowing from within refugee detention centres, metadata laws have come into effect. These metadata laws allow many government agencies, without any court warrant, to access the metadata of almost any Australian’s online activity. These agencies have been invested with great power, and yet even the mild protections for journalists have been violated, as we found out in April, when the Australian Federal Police admitted that a journalist’s data had been accessed. No charges were laid and no action was taken, so far as I’m aware, beyond the Federal Police holding a press conference. Given the approach the AFP takes to journalists — a class of people with special legal protections — one wonders what approach they take to ordinary citizens. How will they then treat whistleblowers, activists, and government critics?
Police and intelligence already have enormous powers of surveillance and monitoring. Terrorism, child pornography and sex trafficking are important issues, but these proposals are not the way to deal with them.