Encryption & Key Management , Governance & Risk Management , Next-Generation Technologies & Secure Development
Australia Pushes 'Five Eyes' for Tools to Counter Encryption
But Australia Doesn't Want Backdoors. So What Does It Want?Worried about the use of encryption by terrorists, Australia plans to lobby its key signal intelligence partners at a meeting in Canada for the creation of new legal powers that would allow access to scrambled communications.
See Also: How Active Directory Security Drives Operational Resilience
Attorney General George Brandis said on Sunday "that the use by terrorists of cyberspace is an issue of critical concern to intelligence and law enforcement agencies. Australia will lead the discussion of ways to address this issue - in particular the involvement of industry in thwarting the encryption of terrorist messaging."
Brandis and Immigration Minister Peter Dutton are representing Australia at a two-day meeting in Ottawa this week of the so-called "Five Eyes," the intelligence collective that also includes the U.S., Canada, U.K. and New Zealand.
Australia isn't alone in worrying about encryption. The U.S. and U.K. have expressed worries that the wider use of encryption by terrorists results in potentially increased risks to pubic safety.
'Legal Sanction'
Earlier this month, Brandis said that the government needed "legal sanction" to create stronger obligations for technology companies, such as Apple, Google and Facebook, to help in investigations involving encrypted communications, The Guardian reported on June 11.
Law enforcement agencies and governments fear that terrorists are increasingly using applications that employ encryption to mask their communications and lock their devices, making it more difficult to collect intelligence on possible attacks.
But technology companies argue that encryption protects consumers' personal information and companies' intellectual property from nation-states and data-stealing cybercriminals. Those companies have sought to create systems that leave the decryption keys in the hands of users, so the companies cannot supply that information to investigators.
It's also unclear how governments would plan to counter open-source encryption technologies, from the Tor anonymity system to PGP to the Tails operating system, which are not controlled by corporations.
"Technologists have long understood that regulatory measures stand little chance of rolling back the tide," writes Robert Graham in the CTC Sentinel, a publication of the Combating Terrorism Center at the West Point military academy. "Short of shutting down the internet, there is nothing that can be done to stop individuals, including terrorists, from creating and customizing their own encryption software."
No Backdoors
Brandis has denied that the Australian government wants technology companies to create "backdoors," the term for a clandestine method to access and decrypt data. But it would seem that backdoors would be the only way to satisfy Australia's goal.
Many security experts say it's virtually impossible to guarantee that backdoors won't fall into the wrong hands. That view has been lent more weight following staggering leaks of top-secret computer exploitation methods that experts believe came from the National Security Agency and Central Intelligence Agency in the U.S. (See WikiLeaks Dumps Alleged CIA Malware and Hacking Trove)
Technology companies have long fought government interest in backdoors, going back to the Clipper chip debate in the U.S. in the mid-1990s. More recently, in early 2016, Apple opposed a court order that sought to compel it to create a special version of its iOS mobile operating system for the FBI to aid in an investigation.
The FBI wanted access to the passcode-protected iPhone 5c that belonged to San Bernardino shooter Syed Rizwan Farook. Apple CEO Tim Cook argued creating software that defeated the iPhone's security controls would be the equivalent of creating cancer.
The FBI abandoned its legal effort after paying a third-party to help it break into the device, leaving the question of whether the courts could legally compel a company to do so unanswered (see FBI Unlocks iPhone; Lawsuit Against Apple Dropped).
Australia has disputed that it wants to mandate backdoors. Following Brandis' comments, the prime minister's special cybersecurity adviser, Alastair MacGibbon, told the ABC Radio that "I don't think we're talking about back doors" while suggesting a less controversial use of legal powers.
"What we're talking about is the fact that, from time to time, you may need to gain access to certain messages," MacGibbon told the broadcaster. "And it may be that even getting access to the message isn't necessary. You would be well-aware of the metadata discussion. It may be that just knowing that you and I are part of a network is enough."
But MacGibbon went on to say: "Society expects providers of services online to reduce the likelihood that a scammer or a terrorist are using that service because ... these technologies that bring us all together, that are designed to break down barriers, are being used by criminals and terrorists to harm us as well."
End-to-End Encryption
The legal powers are in place, certainly in Five Eyes countries, to request metadata. And technology companies generally aren't fighting valid court orders for that kind of information.
Messaging application developers have sought, however, to make the communications unreadable to those who've somehow gained access to the data traffic. The effort largely started after leaks from former NSA contractor Edward Snowden in 2013 showed how the U.S. appeared to be running signals intelligence dragnets, which critics contended amounted to a surveillance state without due process.
As a result, applications such as Apple's iMessage, Facebook's WhatsApp, Wickr and Signal use end-to-end encryption, where the private decryption keys are held solely on devices. That doesn't mean law enforcement is necessarily locked out; it just doesn't make it as easy to decrypt the communications. So far, it's not believed any nation can break encrypted content through sheer computing power.
Instead, law enforcement must persuade a suspect to turn over his passcode or identify someone else who had access to the same messages. Another avenue is to use a software vulnerability or exploit to unlock a device, which is how the FBI accessed the San Bernardino shooter's iPhone.
Brandis termed Australia's proposal as a way to ensure service providers provide "reasonable assistance" to law enforcement and security agencies. But as the Apple case showed, the technology community will not take intentionally weakening security lightly even if a government believes it's "reasonable."