Secrets and lies

In the Black Mirror episode Hated in the Nation, a dystopic Britain is confronted with a lack of bees to pollinate plants. Agriculture is jeopardised until a brilliant hi-tech company creates tiny autonomous drone bees to do the job.

But a disgruntled employee uses a coding back door into the bee communication network to reprogram the swarms, which fly off and kill thousands of people by burrowing into their brains.

Back doors are a real-life phenomenon. They let coders and others tunnel into an otherwise secure system. It may be created to fix a flaw quickly. But there’s fear they can be misused.

Federal parliament passed amendments last month to give Australian agencies more tools to access encrypted conversations to help foil terror plots.

End-to-end encryption has delivered us fantastically secure mobile communications — but terrorists, pedophiles and organised criminals also benefit.

The law was rushed through without due regard for privacy concerns and general understanding about how it actually works.

So it is being revisited, with the Parliamentary Joint Committee on Intelligence and Security conducting a review. A report is due to parliament in early April.

The government is targeting messaging apps offering end-to-end encryption such as WhatsApp, Apple iMessage, Facebook Messenger and others.

This secure encryption involves a sender’s app encrypting a message with a receiver’s special key. Only the designated receivers can decipher it. Your telco can’t read it and neither can the phone maker. Only intended recipients have matching private keys to unscramble the message.

Because of the rush to get this through parliament, Finance Minister Mathias Cormann agreed to support a review and further agreed to support amendments consistent with the committee’s recommendations.

Cormann: supports a review

So further change is likely and, to many, necessary.

Although the methodology is not spelled out, it’s useful to look at how hacking into end-to-end encryption may work.

Cyber-security expert Ren Ping Liu, from the University of Technology Sydney’s school of electrical and data engineering, says cracking the end-to-end encryption directly isn’t an option.

He says it will take the coming era of quantum computers before the modern AES-256 and similar encryption used by messaging apps can be cracked.

Liu says law enforcement would more likely want faster and easier remote access to suspects’ phones so they can read outgoing messages before they are encrypted, or received messages after they are decrypted.

He says this could be achieved by phone makers tricking suspects into installing a software update that was malware and that relayed phone activity. Such software has been available for years.

Companies such as Apple, Samsung and Huawei could push small amounts of hidden software that secretly recorded phone activity, Liu says.

“My understanding is that the Australian government is asking for that,” he says.

Another approach is altering the messaging software to generate a version of outgoing messages that is unencrypted or encrypted with a key that agencies can use to decrypt it. It’s a variation of the Clipper chip concept for intercepting phone conversations used in the 1990s.

But Liu says forcing messaging app vendors to compromise their encryption would equate to introducing a systemic weakness into messaging apps, which the government should not do.

The government says it is against creating back doors.

Stylized visualization of binary data being emitted by people waiting in a crowd and using their phones. istock

Liu says the best approach is for agencies to be able to hack into phones and read the contents without playing around with the encrypted messaging apps.

One lingering question is whether the government’s amendments will miss a lot of offshore messaging apps. Sure, you could demand that Facebook and Apple comply with the measures — they have an Australian presence. But what about Signal and Wickr in San Francisco, and Telegram in Berlin? Telegram offers end-to-end encryption and is one of the most popular messaging apps used by terrorists.

Liu says the government could block messaging apps that didn’t comply with security notifications. It could demand that these apps not be available in Australian phone app stores.

Suspects might use virtual private networks and manually load messaging apps to get around any blocking of apps, but they’d need to have patience and be tech-savvy to achieve this.

You also can go online, download 256-bit encryption and manually encrypt and decrypt messaging, as some journalists did two decades ago using PGP, aka Pretty Good Privacy. Again, it needs patience.

Liu suggests the government is playing a percentages game.

“If it can block the majority of the people or terrorists then it probably will be happy,” he says.

Some terrorists — such as Westminster attacker Khalid Masood — do prefer WhatsApp.

Locally the debate on the needed changes is hotting up, with the Communications Alliance, the Australian Information Industry Association the Australian Mobile Telecommunications Association and other groups lodging a submission with the parliamentary committee this week.

“There remains, in our view, significant problems with the amendments and other elements of the legislation,” says the submission, which was obtained by The Australian.

Much of the submission’s concern is about possible misuse of power when obtaining technical assistance notices and technical capacity notices. These notices compel companies and individuals to help law enforcement agencies hack into suspects’ phones and other devices.

One concern is lack of judicial oversight: allowing a designated person to have authority to issue notices rather than requiring a judge to approve them indepen­dently.

Another concern is the breadth of change to software systems that law enforcement agencies can order. Currently they can’t order the introduction of a systemic weakness into software but the alliance says the definition of “systemic weakness” is too vague.

The targets are also a concern. The submission says agents can hack into phones of anyone suspected of a criminal offence that carries a prison term of three years.

Media types fear “a very low bar” that erodes the protection given to journalists when a special warrant is sought to obtain their metadata.

Cybersecurity graphic Israel

Communications Alliance chief executive John Stanton says the legislation as it stands does provide for back doors, despite government assurances to the contrary.

He is worried that suspects simply will move to lesser known end-to-end messaging apps once WhatsApp or Facebook Messenger play ball with government.

“There’s always been a flight to more secure communications by bad actors,” he says.

“The practicalities of how this plays out, if the government tries to reach beyond borders, is something new we haven’t yet seen. It’ll be an interesting scenario to watch unfold,” Mr Stanton says.

Deakin University cybersecurity professor Matthew Warren, a spokesman for the Australian Computer Society, says he is concerned about companies having to comply with government, especially when it comes to building back doors into their systems.

“You would have them redesigning and remodifying systems once they’ve been created. And the problem you have is very complex systems that are hard to manage, hard to test,” he says.

Companies are likely to comply in a way that’s easiest for them, Warren adds.

He agrees the only feasible way to read phone messages is after they are decrypted.

“I certainly agree with you that in terms of adding back doors into systems to view messages, once they’ve been decrypted is real­ly the only feasible way that it can be done.”

Internationally all eyes are on Australia which is leading the charge to intercept end-to-end encrypted messages. In San Francisco Open Whisper Systems which develops messaging app Signal, published a blog about it by developer Joshua Lund. He is adamant that Signal won’t entertain back doors.

“Like many others, we have been following the latest developments in Australia related to the ‘Assistance and Access’ bill with a growing sense of frustration,” he writes. “We can’t include a back door in Signal, but that isn’t a new dynamic either.”

He says Signal doesn’t have access to its users’ encryption keys. “The end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us. In most cases now, we don’t even have access to who is messaging whom.”

Dreyfus: seeks amendments

So what’s next?

Opposition legal affairs spokesman Mark Dreyfus says Labor has secured agreement from the government that it will take legislation into parliament in the first week of next month’s sitting to bring the law further into line with the recommendations of the parliamentary committee.

However, a spokesman for Home Affairs Minister Peter Dutton says the federal government will wait to see what the parliamentary committee report proposes in April.

The encryption debate will be a hot issue in the months to come.

Published in The Australian newspaper

Posted in Features.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.