Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Monday, 10 September 2018 07:20

Here we go again: encryption bill will make us all unsafe


Monday is the last day on which Australians can submit their statements of support or opposition to the proposed Assistance and Access bill which seeks to force people or organisations to allow access to encrypted communications.

This consultation is an eyewash, so that the government can give the appearance of acting in a democratic manner as it is expected to. To put up a draft bill as complex as this and then expect reasoned responses — which will actually be considered — is impossible within such a short timeframe. The draft bill was announced on 14 August.

This is a political move as nobody who knows anything about how encryption works would ever think that such a law would achieve anything – apart from making the online world unsafe for everyone. You can't have bad crypto for crooks and good crypto for the honest bloke down the road. Broken crypto will affect all.

There are massive logistical problems in enforcing this bill, something about which the Australian mainstream media, in the main a bunch of cheerleaders for the government, have kept quiet. The ones who can look at financial gains, as always, are the lawyers.

Anyone who knows even a little about encryption would understand that you cannot create a means of access to a device or devices and only expect that the so-called "good guys" will be able to gain access. Recent experience has shown us that government agencies, even those with practically unlimited budgets, have a very poor record of keeping such means of access safe.

A case in point is the vulnerabilities that the NSA, America's premier spy agency, develops and keeps secret in order to use them to exploit the machines and devices of the so-called "baddies". (Yes, this is sounding like one of the 1970s Westerns.)

A massive load of exploits were stolen from the NSA by a group calling itself the Shadow Brokers and exposed on the Web in April 2017. According to security experts, they are well crafted and, being mainly for Windows, the desktop platform still used by more than 90% of office workers, pose a serious threat to businesses.

The effects were seen in May 2017 when ransomware known as WannaCry hit the world. The Dutch shipping conglomerate Maersk is still struggling with the aftermath. And Britain's National Health Service was badly affected too, with patients being put at risk. And that is the tip of the iceberg.

This is one instance where the guardians could not control the crown jewels. There are dozens of such instances which happen day in and day out and which never make media headlines. It is amazing that people with any common sense would push for an expansion of exactly what the NSA does, without thinking the matter through. But then, these are politicians whose main aim is to ratchet up the atmosphere of fear — "the bogeyman is coming to get you and only we can protect you" — and profit from it.

So all the talk from the government side has been about paedophiles and terrorists. No mention of the fact that we are too far down the road to unscramble the omelette of encryption.

The major providers of platforms that offer so-called end-to-end encryption are not Australian companies; they are mostly US firms. Will they really bow before Australian law? The government — and indeed politicians from the so-called Five Eyes countries (the US, the UK, Canada, Australia and New Zealand) — have issued what can be only called warnings about having to fall in line, or else.

Last year, well-known American blogger Cory Doctorow wrote an illuminating post about this push to break encryption. Some of the points he made are mentioned below.

Threats are all very good. But what about practical considerations? Is the Australian Government going to monitor all software that is made abroad and prevent it from coming into the country? Will Australians be banned from downloading software — legitimate software — from repositories like GitHub? There is plenty of malware and exploits hosted on that repository.

What about devices that are purchased abroad? Will those be taken off Australian travellers at customs? If the politicians' desires are to be fulfilled, that would have to be done, else devices that cannot be broken into may enter the country.

Given that practically every digital device is made in China, would Canberra expect Beijing to co-operate – just after the two biggest Chinese telecommunications equipment makers, Huawei Technologies and ZTE Corporation, have been banned from having a role in 5G networks Down Under?

What about open-source operating systems like Linux (which this writer has been using for the last 18 years) and the BSDs? Will those be banned because developers from every corner of the world are involved and they could easily slip some code in which would make the Australian Government's efforts fall flat?

No, this whole exercise is futile. Thinking that one can legislate for everything is a waste of time. Bruce Schneier, one of the better known encryption experts, put it this way in his new book, Click Here to Kill Everybody:

"There is simply no way to secure US networks while at the same time leaving foreign networks open to eavesdropping and attack. There's no way to secure our phones and computers from criminals and terrorists without also securing the phones and computers of those criminals and terrorists. On the generalised worldwide network that is the Internet, anything we do to secure its hardware and software secures it everywhere in the world. And everything we do to keep it insecure similarly affects the entire world.

"This leaves us with a choice: either we secure our stuff, and as a side effect also secure their stuff; or we keep their stuff vulnerable, and as a side effect keep our own stuff vulnerable. It's actually not a hard choice. An analogy might bring this point home. Imagine that every house could be opened with a master key, and this was known to the criminals. Fixing those locks would also mean that criminals' safe houses would be more secure, but it's pretty clear that this downside would be worth the trade-off of protecting everyone's house. With the Internet increasing the risks from insecurity dramatically, the choice is even more obvious. We must secure the information systems used by our elected officials, our critical infrastructure providers, and our businesses.

"Yes, increasing our security will make it harder for us to eavesdrop, and attack, our enemies in cyberspace. (It won't make it impossible for law enforcement to solve crimes; I'll get to that later in this chapter.) Regardless, it's worth it. If we are ever going to secure the Internet+, we need to prioritise defence over offence in all of its aspects. We've got more to lose through our Internet vulnerabilities than our adversaries do, and more to gain through Internet security. We need to recognise that the security benefits of a secure Internet greatly outweigh the security benefits of a vulnerable one."

But then that's an educated man talking. If only those who have conceived this grand plan had a tenth of his intelligence.


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
