ITP Techblog

Brought to you by IT Professionals NZ

Brislen on Tech: End to the End-to-end encryption

Paul Brislen, Editor. 16 October 2020, 10:08 am

I'm many things to many people. I'm a tech commentator, I'm a public relations professional, I'm an editor, I'm that annoying guy on the internet and I'm an international arms trafficker.

That's right, never mind your cruise missiles, fissile materials or landmines, I broke the Wassenaar Arrangement, the "first global multilateral arrangement on export controls for conventional weapons and sensitive dual-use goods and technologies" and I did it by copying a bunch of encryption code I didn't understand and emailing it to myself via a US server.

The late 1990s were a crazy time. The internet was taking off, tech companies were making so much money they'd actually fly journalists around the world (business class no less) to ask them awkward questions at press conferences, and the US was busy making it illegal to take your PlayStation 2 across the border with you because it was deemed to be a munition.

Hardware and software had developed to such a point that a games console and a page of code sent by email into the US and then back out were considered weapon strength.

Computers and software were slowly being identified as problem areas for the police and other law enforcement organisations and after the US Congress decided not to extend police powers in this area, the law enforcement community took it upon itself to get organised.

Thus, the International Law Enforcement Telecommunications Seminar (ILETS) was born, and New Zealand was a partner in the group. The aim was to encourage policy makers to understand that computers were the next battle ground for law enforcement and that resources were needed to stop the cyber-criminals. New tools, more money, better training and some tweaks to legislation would be needed.

But how to get these tweaks? Easy - wait for the next big international story and pin it on technology. Whether it was terrorism or financial crime or some other horror, it would provide the catalyst needed.

Not long after, a group of radicals hijacked a series of aircraft and slammed them into the United States triggering at least one war and a series of rapidly introduced laws that gave police more powers to demand access to computer systems.

In New Zealand this was a hasty amendment to the Crimes Act that said if the police seized your computer for whatever reason you would have to decrypt its contents.

Think about that for a moment.

If you're served a search warrant, your job is to step aside and let the constabulary search your premises. If they fail to find your secret stash of whatever, that's not your fault.

But if it's your computer, you have to provide the keys to unlock the stash or face prison. Even if your stash is perfectly innocent or empty - no key, no freedom.

Since then, the authorities have managed to introduce several more acts both locally and internationally in this space. In New Zealand alone we've seen the revamping of the legislation governing our signals intelligence branch, the GCSB, to allow for spying in New Zealand. We've seen the Telecommunications (Interception, Capability and Security) Act give power of veto over commercial decisions to the government. Now we're seeing calls for the breaking of end-to-end encryption because apparently bad people do bad things online and the authorities struggle to catch them.

The cynic in me says governments always want to expand their power base into new areas. I can think of quite a few I'd like government to flex its muscles in, but the world of encryption isn't one of them, not this way, because I really don't think the government of New Zealand understands what it's signing up for with this call.

It's not going to stop bad guys using encryption. How could it? There are plenty of people working on breaking encryption all the time, and they're likely to carry on. But it will mean what encryption we have can never be anything but deeply flawed.

We use encryption for a lot of things. Every website you visit is secured. Your online television channel is secured (lest someone steal the copyright material). Your online banking, your online shopping, your online transactions with your government, your music, your legal documents, your work files, even your cat videos - all secured and all at risk because someone thinks it's too hard to deal with secure messaging so better if nobody has it.

But come on, you say. This is the government. They'll be careful. They won't tip the boat over just to hear the splash. They'll do what it takes to keep the secret of the back door access secure, so not just anyone can use it. Right?

Well, it didn't work so well last time round when the NSA discovered a sneaky way into Microsoft's empire and kept it secret. Or when its suite of backdoor tools was released into the wild by a grumpy former employee.

And it's not as if we have a stunning track record of keeping things secret when we do want them to be secured. The number of mega-breaches is now so high I don't bother reporting on them unless over 100 million accounts are involved. They're just too commonplace.

Now imagine you're in a world where encryption is outlawed not only by the Five Eyes nations but also by China. By Iran. By the EU. How then would you communicate securely or trust your online resources at all?

It wasn't that long ago the US spied on EU bidding for an airplane contract because of course in the US aircraft are seen as being of national interest. Now imagine what the Russian or Uzbekistan regimes are interested in.

But above all else - while it's a daft idea, while it opens up cans of worms and makes life even more difficult online - it's also hypocrisy at its finest. Because the Five Eyes nations are all cheerfully throwing Chinese equipment maker Huawei under the bus for potentially doing exactly what they're proposing to do.

It's not so good when it's on the other foot, eh?




Ron Segal 16 October 2020, 2:02 pm

Outlawing encryption would be such a fundamental attack on the right to privacy, as to effectively blow all the current privacy protection laws out of the water.
