The war on encryption

2017-06-14

I want to speak briefly tonight on a subject that has been bugging me for a little while. It is something that I guess has been creeping up on us for a time, but even in the matter of the last couple of days it has broken open somewhat, including in the National Security Statement that the Prime Minister delivered in the House earlier today. That is the subject of encryption of private communications. It is something of a sleeper issue.

The technology of cryptography allows all of us in here to use devices with a certain amount of confidence that nobody else is listening in. The technology and the arguments over whether a state or other actors should be able to listen on your private communications goes back decades. Partly because it is such an arms race, I think that is why elements of the debate seem so incredibly familiar. If you go back to the period immediately after the Second World War, when cryptography was entirely the domain of the so-called military-industrial complex, crypto-tools were classified as munitions and their export was severely restricted. During the 1990s, particularly in the United States, there was tension between cryptographic tools as munitions—as mathematics with military applications, if you like—and commercial and social applications. That tug of war between military applications and commercial and social applications came to a head, and the social and commercial applications won.

In the 1990s, you had the United States government with these crypto-tools still classified as illegal exports and as munitions. Under the Clinton administration, infamously, there were attempts to force hardware manufacturers to install the so-called 'clipper' chips, effectively installing deliberate security vulnerabilities into consumer electronic devices. You saw web browsers such as Netscape, where the so-called international version had a very, very simple crypto key that could be broken within a couple of days by anybody with even a moderate amount of skill. The US government could not bear the thought that it was exporting browsers that would be able to communicate securely. Effectively, by the end of the 1990s, that argument and the impossibility of sustaining that kind of argument was really over. The technology by and large was declassified as a munition and the export regime was greatly, although not entirely, loosened up, and the applications, most strikingly for things like e-commerce, were then able to be much more widespread.

You cannot design communications protocols, particularly for governing financial transactions, much less social transactions, and expect them not to be attacked unless they are very well protected. For whatever reason, laws of mathematics, which are way outside my area of expertise, do provide the ability to communicate securely, to encrypt in a way that is next to impossible to break, even if you throw stunning amounts of computer power at it. A well-designed cryptography is in fact reasonably secure. We have a reasonable understanding of this from the fact that some of the protocols invented in the 1990s have still not been broken. So we do not have a technology problem here. We appear to have something of a political problem.

The proposal by Senator Brandis, which he started elaborating a little bit on over the last couple of days and which the Prime Minister referenced today, as I said, looks to the latest iteration of this debate in the United Kingdom—the so so-called Snooper's Charter. This was an initiative of Prime Minister Cameron before he shuffled off the political stage and was taken up with a bit of enthusiasm last year by Ms Theresa May. Again, in the aftermath of the horror at London Bridge and much more recently, Prime Minister May, literally just days out from an election and determined to do something, renewed the idea that the state needs to be able to listen into the private communications of basically anybody that it likes. Obviously, the next step down the track is that, because it is possible at least in a technical sense to communicate securely, providers are going to need to introduce vulnerabilities, flaws or weaknesses into the communications tools that we take for granted.

This is a repeated behaviour, and I would argue that one of the reasons that encrypted communications or even apps—things like Signal or WhatsApp: the ones that the Prime Minister was recommending while he was plotting to overthrow former Prime Minister Abbott—have become so ubiquitous in the last couple of years is that people around the world were horrified to discover that governments were taking advantage of people's communications in the clear. This is what I mean about it being something of an arms race. One of the reasons that crypto tools are becoming so ubiquitous and so popular is that people, me included, have had a gutful of governments assuming that they should be able to basically snoop on everything. This is an arms race that is being provoked in part by the kinds of proposals that Senator Brandis ignited with data retention. My suspicion—I have not seen the data, but maybe it is out there—based on feelings is that, in the aftermath of the data retention debacle, subscriptions to VPNs probably went up significantly. And in the aftermath of Prime Minister Turnbull's advice on how to basically work around his own data retention scheme, the use of those encrypted apps which people use on their phones, things like Signal and so on, probably went through the roof as well. It is an arms race that is provoked by the kind of behaviour that we saw with Senator Brandis and his mandatory data retention proposal.

The tragedy is that, in the wake of the kind of horror that unfolded in Manchester a few weeks ago or in Baghdad only a couple of days after that or in Kabul and in London most recently, there is a kind of political urgency amongst some politicians—and Prime Minister Abbott was an absolute master at this—to be seen to be doing something: introduce something, change some law, come down harder. Just do something. It does not even matter what it is. I feel that, at the moment, we are at risk of the government opening up this crypto can of worms that it clearly does not really understand the consequences of in its desire to be seen to be doing something. It is a desire that I understand. I get why that political reflex is there, but I feel as though we need to simply pause and be a little bit cautious before we bite off what Attorney-General Brandis appears to be attempting to do. We have a Prime Minister who pretends to know better and who actually prides himself—or did until recently—on his technical aptitude, a Liberal government that could not even begin to and an Attorney-General who has made something of a career out of technical illiteracy. He won a Walkley for David Speers by having not the faintest idea what he was talking about with data retention, and it is terrifying to see that same dynamic unfolding again, partly because these politicians have such indifference to questions around yet another extension of this dragnet surveillance regime that they are busily setting in place.

In recent days, Prime Minister Turnbull and Senator Brandis have been attempting—with, I would argue, a measure of desperation—to uninvent a proposal that was little more, really, than a slogan or a rather foolish plea to uninvent encryption and just pretend that these kinds of mathematics no longer exist. They are saying now that they are not asking for a back door into encrypted services; they just want to compel internet service providers and communications services to give them broad access to encrypted data, keys and devices. So we are not after a new back door; we just want to be able to walk in through the front door—or something. It is not actually clear what exactly it is that they want. Paul Farrell, who writes for The Guardian and has more expertise than most in these matters, put it this way:

That's not just a backdoor—that's more like a giant sinkhole that your backdoor fell into. It's a gaping, cavernous hole in the architecture of the internet and that's a big problem for a number of reasons.

That is somebody who is fairly technically literate taking a look at this proposal and trying to get a measure of what exactly it is that Senator George Brandis thinks he is going to be able to pull off. At the moment, as it stands, encryption technology protects citizens, companies, governments, diplomats, police officers, politicians, journalists, journalists' sources and ordinary people who just do not like the idea of the government being able to go through their stuff, and it protects us in multiple ways. It keeps banking and personal details safe, it allows governments to securely engage in transactions with suppliers and customers and it ensures that the business of government can be undertaken with lower risk of malicious attacks. So, if you deliberately force providers to introduce weaknesses into these tools, you are taking on an enormous risk that threatens everybody. It threatens the integrity of the banking system, which has enough problems -

Media Release Communications