(Sydney, August 7, 2017) The Australian government should not force technology companies to weaken the security of their products or to subvert encryption, Human Rights Watch said last week in a letter to Prime Minister Malcolm Turnbull. That strategy would undermine cybersecurity for all users and would not stop determined criminals from using encryption.
On July 14, 2017, Turnbull announced new legislation to require device manufacturers and internet companies to provide appropriate assistance to intelligence and law enforcement agencies to access encrypted communications. Turnbull, along with Attorney General George Brandis and the acting commissioner of the Australian Federal Police, Michael Phelan, stated that encryption was thwarting the governments ability to monitor and investigate serious crime.
Governments are obliged to investigate and prosecute serious crimes, but any policy response should not do more harm than good, and needs to be effective, said Elaine Pearson, Australia director at Human Rights Watch. Unfortunately, Prime Minister Turnbulls proposal may fail on both counts and could undermine cybersecurity and human rights worldwide.
Governments have many ways to sharpen investigatory capability without undercutting the security of ordinary users, Human Rights Watch said. They could invest in modernizing investigation techniques and increasing resources and training in tools already at their disposal, consistent with human rights requirements. Any limitations encryption poses to police capabilities are greatly offset by the explosion of new kinds of investigatory material enabled by the digital world, including location information and vast stores of metadata that are not encrypted.
The Australian government previously proposed a coordinated approach to encryption at a June 26 meeting of the Five Eyes intelligence partnership, which also includes the United States, United Kingdom, Canada, and New Zealand, and the July 5 G20 summit. The prime minister provided few new details about the proposed legislation in the news conference to announce the legislation. When asked what kind of assistance companies would be required to provide, Turnbull said that he did not seek a back door into encrypted services, but nonetheless expected companies to ensure access to all data in unencrypted form.
However, for end-to-end encrypted applications like WhatsApp or iMessage or data stored on iPhones, companies cannot turn over unscrambled data nor the encryption keys, even with a court order, because they do not retain the keys. Only the sender and recipient can unscramble the information. The only way for companies to access unencrypted data is to introduce a deliberate vulnerability into their design that is, a back door or remove end-to-end encryption altogether.
The overwhelming consensus of information security experts and even some high-ranking former intelligence officials is that no technical solution would allow law enforcement agencies to decrypt communications without creating vulnerabilities that would expose all users to harm. Once back doors are introduced, malicious hackers and cybercriminals will seek them out, sell them on private grey markets, or exploit them for abuse or profit. Europol has also warned that solutions that intentionally weaken technical protection mechanisms to support law enforcement will intrinsically weaken the protection against criminals as well.
Companies are incorporating strong encryption into products in response to a range of threats from cybercriminals, data thieves, and malicious hackers. Encryption is a critical tool in their fight to secure users from these threats. Any requirement to weaken encryption flies in the face of global efforts to shore up cybersecurity, Human Rights Watch said.
Limiting strong encryption in Australia, or even across Australias closest allies like the Five Eyes alliance, is also unlikely to prevent bad actors from using it. A recent global survey of encryption confirms that determined criminals could easily shift to many available foreign alternatives that would not be subject to Australian law. Those most harmed by anti-encryption legislation are the millions of ordinary users with no connection to wrongdoing whose cybersecurity would be compromised. The harm may be even more serious for journalists and activists who regularly use encrypted applications to protect sources and victims from reprisals.
Turnbull stated that the bill would be modeled after the UKs 2016 Investigatory Powers Act (IP Act). The UK legislation allows authorities to serve technical capability notices on a broad range of internet companies. These notices will require firms to provide and maintain the capability to disclose, where reasonably practicable, the content of communications or secondary data in an intelligible form and to remove electronic protection applied by or on behalf of the operator. These notices can be used to facilitate not only targeted surveillance, but also mass surveillance, collection of metadata, and government hacking.
The precise scope of what these notices may require remains unclear, especially for operators who do not retain encryption keys. The draft implementing regulations do not clarify whether these companies will be required to alter the design of their products or build a back door into encryption. Contradictory statements from UK officials have not clarified the matter, nor shed light on how this approach would avoid undermining cybersecurity or prevent bad actors from using non-UK alternatives.
Just as troubling, the UK Investigatory Powers Act can also require some tech companies to notify authorities of new products or services before they are introduced so that authorities can assess whether new technical capabilities may be required. This potentially provides the government the ability to influence product design to facilitate surveillance, including whether and how encryption can be used.
The UK Investigatory Powers Act is no model for any government that cares about protecting the security of online communications, Pearson said. If other governments follow this example, no one could trust the security of the mobile phones and applications we use every day.
The UK parliament still needs to approve the implementing regulations before government officials can issue the new technical capability notices. However, once regulations are in place, the public may know very little about how they are used, since notices will be served and negotiated with companies secretly.
These overreaching provisions are among the reasons why whistleblower Edward Snowden described the IP Act as legalizing the most extreme surveillance in the history of Western democracy.
Australias approach to encryption will most likely be emulated by other countries in the region, Pearson said. If Turnbull wants to show true leadership, Australia should become a model for how countries can investigate effectively in a world with strong encryption, not endorse policies that would undermine cybersecurity and human rights.
Here is the original post:
Australia: Shelve Proposed Law to Weaken Encryption – Human Rights Watch (press release)
- Transparent Data Encryption (TDE) - msdn.microsoft.com - April 12th, 2018
- Encryption Software Market - Global Forecast to 2022 - March 24th, 2018
- What AES Encryption Is And How It's Used To Secure File Transfers - March 24th, 2018
- Encryption vs. Cryptography - What is the Difference? - March 24th, 2018
- Energy-efficient encryption for the internet of things | MIT News - February 16th, 2018
- The Best Encryption Software - TopTenReviews - February 16th, 2018
- File-Based Encryption | Android Open Source Project - February 7th, 2018
- Beyond Encryption | Secure Enterprise email using existing ... - February 1st, 2018
- Azure Search enterprise security: Data encryption and user ... - January 26th, 2018
- Skype finally getting end-to-end encryption | Ars Technica - January 13th, 2018
- FBI chief says phone encryption is a 'major public safety issue' - January 13th, 2018
- Encryption and Export Administration Regulations (EAR) - December 27th, 2017
- Key (cryptography) - Wikipedia - December 21st, 2017
- security - Fundamental difference between Hashing and ... - December 15th, 2017
- What Is Encryption? | Surveillance Self-Defense - December 4th, 2017
- Comodo Disk Encryption Download - softpedia.com - December 1st, 2017
- Encryption - Simple English Wikipedia, the free encyclopedia - November 24th, 2017
- BitLocker Drive Encryption Overview - technet.microsoft.com - November 23rd, 2017
- The Encrypting File System - technet.microsoft.com - November 18th, 2017
- FBI cant break the encryption on Texas shooters smartphone - November 13th, 2017
- DOJ: Strong encryption that we dont have access to is ... - November 13th, 2017
- DOJ Fires Up New War With Apple Over Encryption - November 12th, 2017
- Security Awareness - Encryption | Office of Information ... - October 15th, 2017
- Data Encryption and Decryption (Windows) - October 14th, 2017
- Trumps DOJ tries to rebrand weakened encryption as responsible ... - October 11th, 2017
- How to encrypt (almost) anything | PCWorld - September 22nd, 2017
- Private Internet Access | VPN Encryption - September 21st, 2017
- Encryption Substitutes | Privacy | Encryption - September 21st, 2017
- Data Encryption: Hardware & Software Security: Online ... - September 21st, 2017
- How To Enable BitLocker Drive Encryption In Windows 10? - September 21st, 2017
- PGP Encryption Tool - iGolder - September 21st, 2017
- encryption - How to encrypt String in Java - Stack Overflow - September 21st, 2017
- Encryption Software Market, Size, Trends and Forecast 2020 - September 21st, 2017
- Encryption Definition - Tech Terms - September 20th, 2017
- Why You Should Be Encrypting Your Devices and How to Easily Do It - Gizmodo - September 6th, 2017
- Black Hats, White Hats, and Hard Hats The Need for Encryption in Mining and Resources - Australian Mining - September 6th, 2017
- How can enterprises secure encrypted traffic from cloud applications? - TechTarget - September 6th, 2017
- Encryption Explained - Arizona Daily Wildcat - September 6th, 2017
- News in brief: Call to link encryption to ID; Facebook maps everyone ... - Naked Security - September 2nd, 2017
- 'Independent' gov law reviewer wants users preemptively identified before they're 'allowed' to use encryption - The Register - September 2nd, 2017
- High-Dimensional Quantum Encryption Performed in Real-World ... - Futurism - September 2nd, 2017
- It's Time to Replace Your Encryption-Key Spreadsheet - Data Center Knowledge - September 2nd, 2017
- Legislation to limit smartphone encryption 'may be necessary,' deputy AG Rosenstein says - Washington Times - August 31st, 2017
- Cloud Encryption Market by Component, Service Model, Organization Size, Vertical And Region - Global Forecast to ... - Markets Insider - August 31st, 2017
- Cipher Suites: Ciphers, Algorithms and Negotiating Security Settings - Hashed Out by The SSL Store (registration) (blog) - August 31st, 2017
- Encryption in Office 365 - Office 365 - August 29th, 2017
- Need-to-Know Only: Use Encryption to Make Data Meaningless to ... - Security Intelligence (blog) - August 29th, 2017
- Four strategies to prevent data encryption from hijacking your network - Digital News Asia - August 29th, 2017
- Amber Rudd is wrong - real people do want end-to-end encryption - ITProPortal - August 29th, 2017
- Why encryption is for everyone - IFEX - August 29th, 2017
- 4D quantum encryption successful in first real-world test - New Atlas - New Atlas - August 29th, 2017
- For the First Time Ever, Quantum Communication is Demonstrated in Real-World City Conditions - Futurism - August 26th, 2017
- High-Dimensional Quantum Encryption Takes Place in Real-World ... - Photonics.com - August 26th, 2017
- Hedvig Bakes Encryption into Software-Defined Storage Platform - IT Business Edge (blog) - August 26th, 2017
- Hedvig storage upgrade adds flash tier, encryption options - TechTarget - August 26th, 2017
- How to use EFS encryption to encrypt individual files and folders on Windows 10 - Windows Central - August 26th, 2017
- Cloud Encryption Market Worth 2401.9 Million USD by 2022 - Markets Insider - August 23rd, 2017
- To Protect Genetic Privacy, Encrypt Your DNA - WIRED - August 23rd, 2017
- Data Encryption in OneDrive for Business and SharePoint Online - August 21st, 2017
- Researchers use encryption to keep patients' DNA private - Engadget - August 21st, 2017
- Additional proof that Lancaster County Commissioners should reconsider encrypting police transmissions - LancasterOnline - August 21st, 2017
- iPhone Secure Enclave firmware encryption key leaked - TechTarget - August 21st, 2017
- Encryption, speed push the modern mainframe into the future - TechTarget - August 21st, 2017
- Hardware encryption vs software encryption: the simple guide - Kroll Ontrack UK (press release) (blog) - August 21st, 2017
- Encryption Technology Could Protect the Privacy of Your DNA - Gizmodo - August 21st, 2017
- Beginner's guide to Windows 10 encryption - Windows Central - August 18th, 2017
- Encryption key for iPhone 5s Touch ID exposed, opens door to further research - AppleInsider (press release) (blog) - August 18th, 2017
- How security pros look at encryption backdoors - Help Net Security - August 18th, 2017
- The Laws of Mathematics and the Laws of Nations: The Encryption Debate Revisited - Lawfare (blog) - August 18th, 2017
- 72 percent of security pros say encryption backdoors won't stop terrorism - BetaNews - August 18th, 2017
- Ex-MI5 Boss Evans: Don't Undermine Encryption - Infosecurity Magazine - August 14th, 2017
- Despite end to end encryption, apps like WhatsApp, Messenger are still vulnerable to hacking: Study - Firstpost - August 13th, 2017
- What is Encryption? (with pictures) - wiseGEEK - August 12th, 2017
- Ex-MI5 chief warns against crackdown on encrypted messaging ... - The Guardian - August 12th, 2017
- Former UK security service head says weakening encryption would be too dangerous - 9to5Mac - August 12th, 2017
- News in brief: facial recognition planned for Carnival; spy chief backs encryption; ginger emoji planned - Naked Security - August 12th, 2017
- Avoid getting lost in encryption with these easy steps - We Live Security (blog) - August 12th, 2017
- Here's why IBM Z Mainframe Wants to Encrypt the World - Edgy Labs (blog) - August 10th, 2017
- Symantec Announces Plesk Will Integrate Symantec Encryption Everywhere Security Into Its Website Management ... - Business Wire (press release) - August 10th, 2017
- IBM India Helps Create Breakthrough Encryption Technology That's Completely Hacker Proof - Indiatimes.com - August 6th, 2017