Undermining encryption won’t work, and police have enough powers anyway

Moves in Australia for new powers to access encrypted communications will diminish online security for everyone and aren’t necessary for law enforcement, Monique Mann, Adam Molnar and Angela Daly write.

Over the last few years the Five Eyes governments have made statements about intelligence collection capabilities ‘going dark’ because of encryption. They say it is having deleterious impacts on their ability to prevent, detect and investigate serious crimes.

In Australia, there have been calls for new powers to enable access to encrypted messages. This may involve forcing companies to build ‘backdoors’ into encrypted services. Prime Minister Malcolm Turnbull has stated that “the laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”

Confusingly, Turnbull has also said there will be no backdoors and that we “need even stronger cooperation from the big social media and messaging platforms.”

Without backdoors, it is not clear how cooperation would provide access to encrypted communications.

More on this: When is it ok for the government to hack your mobile?

No confirmed details outlining what the government will do have been released, but it has been reported a draft is in a very advanced stage. This is despite the Senate recently passing a motion to resist attempts to undermine strong encryption.

Other proposals have included weakening encryption standards, the introduction of ‘key escrow’ systems where the ability to decrypt is held by the government or a third-party entity, and there have also been proposals to introduce mandatory decryption obligations for service providers.

While these strategies enable access to encrypted communications at a network-level, they also allow access for nefarious actors such as hackers, criminals, or foreign state spies.

There are also questions about how banning the use of open source software, for example as provided by the encrypted messaging application Signal or WhatsApp, would even operate. Users could easily switch to other services, as occurred when Brazil blocked WhatsApp. A Virtual Private Network (VPN) allows easy circumvention of geo-location based censorship.

Security researchers in the US have been working with the White House and US Federal authorities to find a new technical solution. One idea is for devices to have an access key capable of unlocking the phone without the passcode. This key would be stored in a different hardware component that only the manufacturer could ‘unlock’ under court order.

More on this: Podcast: Australia’s new intelligence jigsaw

This proposal has been criticised by cryptography experts who argue over time more individuals will come into contact with the keys which increases the risk of disclosure. Other ‘middle-way’ solutions are short on important details that would allow for meaningful evaluation.

There are a number of ways that law enforcement can already gain access to digital devices. For example, there are powers to hack computers and phones to conduct search and seizure through computer network operations. The laws that authorise these operations are ambiguous and outdated, making them unfit for purpose.

Law enforcement also makes extensive use of ‘off-the-shelf’ commercial phone cracking solutions from companies such as Cellebrite and GrayKey. Important information about the present use of these technologies is missing from the larger policy debate about the necessity of weakening or undermining encryption.

Claims about ‘going dark’ are overstated.

Police already have powers to compel people to hand over their passwords with the threat of imprisonment if they fail to do so. For example, amendments to the Cybercrime Act 2001 (Cth) introduced powers to compel an individual to reveal their passwords. This can be used to compel decryption of information on lawfully seized devices.

ASIO also has a range of special powers at its disposal. The Australian Criminal Intelligence Commission, meanwhile, has coercive powers that can be used to compel individuals to give evidence, produce documents or things that are deemed relevant to a special operation or investigation.

More on this: Hacking your health

While these powers exist, they are exceptional, and it is important they operate with independent oversight and within a robust legal framework that upholds democratic safeguards.

There is no evidence that any new powers are necessary, or proportionate, when viewed against existing police powers and investigative capabilities. Yet the stakes could not be higher for cybersecurity and digital rights.

Let’s not forget that encryption has many legitimate and socially desirable applications. There have even been proposals for strong encryption to be recognised as a human right in and of itself. A comprehensive report by Citizen Lab and the Canadian Internet Policy and Public Interest Clinic argued that access to strong encryption serves the public interest as it is integral to protecting human rights including privacy and freedom of expression.

Undermining encryption means introducing vulnerabilities into critical digital infrastructure at a time when cyber-attacks and data breaches are having severe negative impacts across government, banking, health and other sectors.

Australian intelligence agencies have enough existing powers to cast doubt on claims they are at risk of ‘going dark’ due to encryption. But unless we stand up to ensure any new legislation is both necessary and proportionate, digital rights in the country could face a dark future.