(Sydney, August 7, 2017) The Australian government should not force technology companies to weaken the security of their products or to subvert encryption, Human Rights Watch said last week in a letter to Prime Minister Malcolm Turnbull. That strategy would undermine cybersecurity for all users and would not stop determined criminals from using encryption.
On July 14, 2017, Turnbull announced new legislation to require device manufacturers and internet companies to provide appropriate assistance to intelligence and law enforcement agencies to access encrypted communications. Turnbull, along with Attorney General George Brandis and the acting commissioner of the Australian Federal Police, Michael Phelan, stated that encryption was thwarting the government's ability to monitor and investigate serious crime.
"Governments are obliged to investigate and prosecute serious crimes, but any policy response should not do more harm than good, and needs to be effective," said Elaine Pearson, Australia director at Human Rights Watch. "Unfortunately, Prime Minister Turnbull's proposal may fail on both counts and could undermine cybersecurity and human rights worldwide."
Governments have many ways to sharpen investigatory capability without undercutting the security of ordinary users, Human Rights Watch said. They could invest in modernizing investigation techniques and increasing resources and training in tools already at their disposal, consistent with human rights requirements. Any limitations encryption poses to police capabilities are greatly offset by the explosion of new kinds of investigatory material enabled by the digital world, including location information and vast stores of metadata that are not encrypted.
The Australian government previously proposed a coordinated approach to encryption at a June 26 meeting of the Five Eyes intelligence partnership, which also includes the United States, United Kingdom, Canada, and New Zealand, and the July 5 G20 summit. The prime minister provided few new details about the proposed legislation in the news conference to announce the legislation. When asked what kind of assistance companies would be required to provide, Turnbull said that he did not seek a back door into encrypted services, but nonetheless expected companies to ensure access to all data in unencrypted form.
However, for end-to-end encrypted applications like WhatsApp or iMessage or data stored on iPhones, companies cannot turn over unscrambled data nor the encryption keys, even with a court order, because they do not retain the keys. Only the sender and recipient can unscramble the information. The only way for companies to access unencrypted data is to introduce a deliberate vulnerability into their design (that is, a back door) or remove end-to-end encryption altogether.
The overwhelming consensus of information security experts and even some high-ranking former intelligence officials is that no technical solution would allow law enforcement agencies to decrypt communications without creating vulnerabilities that would expose all users to harm. Once back doors are introduced, malicious hackers and cybercriminals will seek them out, sell them on private grey markets, or exploit them for abuse or profit. Europol has also warned that solutions that intentionally weaken technical protection mechanisms to support law enforcement will intrinsically weaken the protection against criminals as well.
Companies are incorporating strong encryption into products in response to a range of threats from cybercriminals, data thieves, and malicious hackers. Encryption is a critical tool in their fight to secure users from these threats. Any requirement to weaken encryption flies in the face of global efforts to shore up cybersecurity, Human Rights Watch said.
Limiting strong encryption in Australia, or even across Australia's closest allies like the Five Eyes alliance, is also unlikely to prevent bad actors from using it. A recent global survey of encryption confirms that determined criminals could easily shift to many available foreign alternatives that would not be subject to Australian law. Those most harmed by anti-encryption legislation are the millions of ordinary users with no connection to wrongdoing whose cybersecurity would be compromised. The harm may be even more serious for journalists and activists who regularly use encrypted applications to protect sources and victims from reprisals.
Turnbull stated that the bill would be modeled after the UK's 2016 Investigatory Powers Act (IP Act). The UK legislation allows authorities to serve technical capability notices on a broad range of internet companies. These notices will require firms to provide and maintain the capability to disclose, where reasonably practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the operator. These notices can be used to facilitate not only targeted surveillance, but also mass surveillance, collection of metadata, and government hacking.
The precise scope of what these notices may require remains unclear, especially for operators who do not retain encryption keys. The draft implementing regulations do not clarify whether these companies will be required to alter the design of their products or build a back door into encryption. Contradictory statements from UK officials have not clarified the matter, nor shed light on how this approach would avoid undermining cybersecurity or prevent bad actors from using non-UK alternatives.
Just as troubling, the UK Investigatory Powers Act can also require some tech companies to notify authorities of new products or services before they are introduced so that authorities can assess whether new technical capabilities may be required. This potentially provides the government the ability to influence product design to facilitate surveillance, including whether and how encryption can be used.
"The UK Investigatory Powers Act is no model for any government that cares about protecting the security of online communications," Pearson said. "If other governments follow this example, no one could trust the security of the mobile phones and applications we use every day."
The UK parliament still needs to approve the implementing regulations before government officials can issue the new technical capability notices. However, once regulations are in place, the public may know very little about how they are used, since notices will be served and negotiated with companies secretly.
These overreaching provisions are among the reasons why whistleblower Edward Snowden described the IP Act as legalizing the most extreme surveillance in the history of Western democracy.
"Australia's approach to encryption will most likely be emulated by other countries in the region," Pearson said. "If Turnbull wants to show true leadership, Australia should become a model for how countries can investigate effectively in a world with strong encryption, not endorse policies that would undermine cybersecurity and human rights."
Here is the original post:
Australia: Shelve Proposed Law to Weaken Encryption – Human Rights Watch (press release)