Ask the Expert - Anti-encryption Legislation
In our regular 'Ask the Expert' section, we ask Dali Kafaar, Scientific Director, Optus Macquarie Cyber Security Hub and Professor, Department of Computing to unpack the controversial encryption-cracking bill that was passed by the Federal Parliament in December last year.
What is the legislation?
In December, Australia's parliament passed tough anti-encryption legislation. It aims to compel tech companies, such as Facebook and Google, to provide Australian law enforcement agencies access to encrypted communications, which could potentially be used by terrorists and organised crime syndicates. The intention is to protect Australia by giving new powers to police and intelligence agencies to require companies to help them decrypt communications on online platforms using encrypted messaging, for instance WhatsApp.
What's all the fuss about?
The legislation has bi-partisan political support, but the tech industry has fiercely opposed it. This new law has, according to some observers, gone further than similar legislation in the UK by potentially allowing the government to compel a company to build 'backdoors' into their systems and devices to help authorities with investigations.
What are the key problems for industry?
Originally, the intention of these controls extended only to the telecommunciations industry, but now it involves the wider technology industry. Part of the resistance (from industry and privacy advocates) is it is not just the telecommunciations industry impacted, it is global technology providers. The potential to be compelled to enable access to data if you hold encryption keys, is a problem for some. They may not have the technical ability to do this. This may also create some serious security holes.
What is particularly problematic about backdoors?
A compulsory order requiring a tech company to explicitly build a capability to do something about the access to the data - build a backdoor - has created the most debate and controversy. The idea is that the tech company, service provider, has to do something in the network about the way it stores data, or in the way it builds apps.
Technically, this is not as easy as it sounds. Sometimes it is even not possible to build backdoors. For instance, in messaging services, the two end points of the communication channel have the encryption keys and establish a channel to communicate securely. No one, in theory, can decrypt the message. That is a property of end to end encryption.
Building a backdoor in most of the cases here would mean implementing a form of attack that would break the encryption channel, if companies want to retain the level of security of the apps installed at the user level.
Again we should really understand that this law has been proposed under the big hat of national security and counter terrorism. But it is not an easy thing to enforce companies to do something they may not understand, technically.
There is perhaps a mismatch between demand and capability. In addition, sometimes the demand would represent a violation of some of the security requirements that tech companies have been trying to design and implement over the years to preserve their customers data. Creating a backdoor, from a security perspective, is creating a hole that can be exploited in many different ways. Creating a backdoor is creating a potential vulnerability that can be exploited by cyber criminals globally.
Trust
First, we need to understand all the good things this legislation can do. There are benefits - security, privacy - and they have to be carefully balanced in the way we would enforce a law like this.
Everything relates back to the notion of trust. If we are happy with something like guaranteeing national security, we need a discussion on who in the future will use it and implement the law. Who will be trusted to build backdoors? Are we going to trust technical departments of tech companies to build their own, are we going for something to be developed by government? IT is complex. The law is to some extent overlooking that complexity.
|