EXPERT REACTION: Australia's proposed encryption laws
New laws proposed by the Australian Government target communication services and device makers, and include the power for police to force companies to disclose encrypted information on devices like phones, computers and social media platforms.
A public hearing will be held for the "Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018" on Friday, October 19, 2018.
Apple has called the draft legislation “dangerously ambiguous”, saying that the Coalition's attempt to weaken digital encryption should be “alarming to all Australians”.
Organisation/s: University of Wollongong, Monash University, Curtin University
These comments have been collated by the Science Media Centre to provide a variety of expert perspectives on this issue. Feel free to use these quotes in your stories. Views expressed are the personal opinions of the experts named. They do not represent the views of the SMC or any other organisation unless specifically stated.
Security by design is essential and we are not very good at it in the first place. Weakening any security control by design is, therefore, a bad idea. Cyber criminals are vigilantly seeking vulnerabilities in our devices, social media services, and all forms of telecommunications we rely upon and use daily. If we leave an intentional backdoor, they will find it. Once it is discovered it is usually not easy to fix.
However, there is no easy solution to the situation. Because, if intelligence agencies and law enforcement services need timely access to encrypted communications or devices used by criminals, they would need the keys to unlock it. So we are faced with the challenge of balancing between our privacy, and the security and wellbeing of our family, friends and community.
Katina Michael is a professor in the School for the Future of Innovation in Society and School of Computing, Informatics and Decision Systems Engineering at Arizona State University and the University of Wollongong.
In a tug-of-war between government and private enterprise, we witness the brute force attack of unravelling proprietary encryption algorithms in the name of national security. What politicians and law enforcement agencies have not realised is that by creating rules that allegedly minimise the risk of cyberterrorism via encrypted messaging, they are encroaching on organisational security, and on every individual citizen's right to privacy.
This is not a solution to the problem of just-in-time policing and border force security but an override on the freedoms of everyday Australians and Australian companies, or even those doing business in Australia. Privacy is a human right, and one way that right can be maintained in today's digital transactions is through encryption.
The complexity here is in the fact that private corporations like Apple, Google, Facebook, Amazon and Microsoft are amassing so much personal data that citizen data rights are being equally eroded by corporations themselves who share the data with third parties. We need to take a step back as Australians and ask ourselves why these private corporations are fighting this government bill together? One answer has to do with products and services that offer encryption in their operating systems and platforms as a competitive advantage, but another might be that private corporations want to maintain their power on governments.
It was not that long ago that I was invited to a Prime Minister & Cabinet scenario setting exercise for 2030 where it was agreed that online communities powered by private companies were driving disruptive changes that were potentially threatening to government stability. We need encryption, no doubt about it, but we also need to acknowledge the strangle-hold these giant corporations have on everyday people using their "free services".
This clip is very relevant to the discussion above.
Dr Carsten Rudolph is an Associate Professor with the Faculty of IT at Monash University, and the Director of Oceania Cyber Security Centre.
Cryptography and security protocols are fundamental for many digital processes from e-commerce, banking, payments, to supply chains, control of critical infrastructures and others. Thus, it mainly protects our data, prevents crime and enables digitization of our economies in the first place. Building any kind of third-party access into our systems undermines this security. Even worse, it might push criminals into other less visible and actually secure communication channels. I guess we need to learn to live with secure cryptography, rather than weaken it and risk privacy and security just to strengthen security in a different area.
While those who provide technology products to their customers have a commitment to ensure that personal data is protected from unauthorised access, they also have an obligation towards the wider community such that they do not interfere with its protection by hindering law enforcement and the security services. The challenge is for manufacturers to meet the needs of both groups rather than adopt the best stance from a marketing/cost perspective.
The proposed legislation leaves the technical decisions to the manufacturers and service providers for how they implement strong encryption for data protection while allowing 'special case' access. The onus is therefore on them to develop a viable solution rather than to fall back on claims that it is “too difficult” or that it will open up everyone’s data to ‘snooping’ by the security services, presumably on the assumption that they don’t have anything better to do.
The contention that “encryption is simply math” also confuses the situation. Encryption is just the mechanism used to obscure the data. A simplistic solution on phone devices would be to store the data twice, once with the ‘user key’ and once with the ‘manufacturer key’ so the strength of the encryption itself would not be affected and the risk of having two ‘keys’ could be mitigated by the use of a very complex manufacturer key requiring physical access to the device. Obviously there would be push-back on the additional storage required and reduced battery life but the point is that from a purely technical standpoint it could be done relatively easily.