Normally on the data protection blog I talk about data protection as it applies to functions such as backup and recovery, CDP, snapshots, etc. Data storage protection, you might say.
But there are other forms of data protection too. It is, after all, quite a broad umbrella term that gets used in a lot of segments of the IT industry. Most recently we’ve seen data protection get a new definition, courtesy of the European Union – protection as a privacy function. But another form of data protection that goes back just as far as data storage protection refers to security: the process of keeping data (be it for an individual or a company) sufficiently secured that the wrong people can’t get their hands on it.
Last week, the Australian government, in its never-ending war with itself to up the ante on technological ineptness (not to mention fear-mongering) pushed through legislation somewhat innocuously referred to as a “telecommunication assistance and access” bill. More correctly, an anti-encryption bill.
Whereas countries like the United States have had law-enforcement agencies do their best to require companies to unlock seized devices, Australia has delved into setting a murky and dangerous precedent we would normally expect to only see in one-party-state countries.
Rather than try to force IT/telco companies to break encrypted communications, the laws just passed in Australia effectively require technology or telecommunications companies, when requested by the government, to install hidden software on devices that allow agencies to intercept the text or message before it’s encrypted. When such a request is made, it is illegal for the cooperating agency to inform the end user.
In it’s simplest term, the government has decreed that it can require a keylogger to be installed on any device or system operating in the country.
You might liken it to state-sponsored burglary.
In fact, it’s important to liken it to state-sponsored burglary. The problem with media, governments and tech people usually discussing encryption and government attempts to get around it is that the discussions invariably come down to:
- Bad people will get you if this isn’t done (citing the baddest of the bad)
- Technobabble that confuses lay-readers
In the Australian example, we’re told that we need this encryption-busting legislation because it will allow government agencies to crack terrorism and paedophile networks. (They use those examples because they’re the ones designed to get people most enraged, but they conveniently don’t discuss just how broad the aspect of a suspected felony can be to warrant this approach.)
Yet returning to the concepts of catching potential terrorists and child abusers, our governments and security agencies seemingly do this quite regularly without the ability to break encryption in the way they’re demanding. Paedophiles are routinely captured – sometimes through no other means than police pretending to be adolescent children in chat rooms – and we have a reasonably robust history of having planned terrorist attacks stopped and the people arrested well before anything happens. (‘Lone wolf’ attacks – individuals usually with a mental health issue working by themselves – would seem to to be unlikely to caught by such processes anyway.)
The government has been quick to assure everyone that the way the law is worded and works will ensure that people stay safe even with the bypassing of encryption. Following this logic, we might expect that Australians never speed on the road, never drink while driving, and in fact never commit offences.
Of course, that’s a stupid thing to say, but glib government promises that we’ll all stay perfectly safe because it will be illegal to misuse any back-doors required is the stupidest of logic. If that worked, it would be sufficient to make things like murder, terrorism, paedophilia, etc., illegal, and not even need a police force. (Before anyone claims I’m going for a reductio ad absurdum argument, they would first have to prove that government promises are less absurd than the above conclusions.)
In short, they’re telling technology companies they need to comply on assisting with bypassing encryption but not to deliberately create back-doors, just exploit back-doors they accidentally create. The same back-doors criminals exploit today.
The rules of the new bill are quite pernicious – not only do they prohibit technology companies from alerting you in any way that your device has had its security compromised, in theory they can compel individual employees of a technology company to assist with said modifications while prohibiting them from informing their employer what they’re doing.
One wonders what would happen in a situation where an employee is fired for writing “buggy code” or “insecure software” when they’ve been compelled to by the government. (While it should be difficult for someone to be fired for ‘obeying the law’, so to speak, when they can’t tell their employer why they wrote the buggy/insecure software, they can hardly defend themselves.)
One might jump to the conclusion that the simple solution is to use a self-determined encryption key, but this of course doesn’t save you from any situation where your pre-encrypted input to a device is being monitored and captured.
There’s nothing technically sound in the Australian government’s bill.
In the simplest sense, the bill attacks privacy. Government ministers in Australia are already hauling out the old gibberish line of, “If you have nothing to hide, you have nothing to fear”. This is an interesting take, given government ministers hide behind statutes that prevent the release of cabinet papers for 3 decades, and more recently, enjoy the privacy offered by encrypted messaging applications when conversing with one another – not just about state affairs, but about party affairs.
The bill is inimical to the privacy regulations that the European Union has recently established, which sets Australia and its five-eyes companions on a collision course on this front.
It would be foolish to let this be framed as a privacy argument. People who are convinced there’s a security benefit in giving up privacy will time and time again relinquish that privacy.
It’s not just about privacy. While privacy undoubtedly will frame much of the discussion around the bill, it deflects from the fundamental erosion of trust we can have in the security of our devices – be they smart phones or laptops/desktops. In a world where the government can mandate a keylogger be installed on your system without your knowledge, how can you know that no-one is reading the password you’re typing in for your bank account?
Yet it’s not just on our devices. It’s on the devices that our services are served from. The same vulnerabilities the government will seek to exploit to bypass encryption will theoretically exist on the servers used to hold all your banking information, all your medical information, all your superannuation information, everything that you need or cherish is potentially compromised in a law that demands the ability to step around encryption.
Whether or not someone can see your naked selfies or read the gossipy text messages you’re exchanging about Aunty Jane pales in comparison to the notion that this new “telecommunication assistance and access” law breaks the essential trust we expect when dealing with personal, sensitive or financial information, and potentially leaves all of our data unprotected.
Eloquently stated and argued Preston. I will share this on LinkedIn.
Blueskies, Paul