The New Encryption Laws Won't Expose Criminals, Just The Public's Privacy

The real bad guys will not be stopped -- nor even slightly inconvenienced -- by this poorly researched, uninformed thought-bubble legislation.

13/09/2017 9:54 AM AEST | Updated 14/09/2017 4:13 PM AEST

The Australian Government's recently announced encryption legislation, forgetting for a moment its completely inoperable absurdity, is based on two deeply flawed assumptions which couldn't be further from the truth... Either that, or it is a thinly veiled grab at unbridled mass surveillance.

When Prime Minister Malcolm Turnbull -- flanked by Attorney General George Brandis, Acting AFP Commissioner Michael Phelan and a surprising dearth of Australian flags given the rhetoric -- revealed legislation that would force tech companies to provide the Government with unrestricted access to encrypted messages, assumptions were made that a) the caliber of criminals they named (terrorists, child pornographers, etc.) use these services to communicate, and b) the Government is capable of defending encryption keys from falling into the hands of cyber attackers.

Perhaps I'm an optimist, but the only other conclusion is that the legislation was inspired by a Machiavellian motivation to monitor the communications of Australian citizens -- which in effect is all this legislation would achieve.

So, instead of chalking this up to Orwellian-level malevolence, let's give the Government the benefit of the doubt and proceed as if the legislation was conceived from a complete misunderstanding of the topic at hand.

First, let's take apart the two assumptions underpinning the legislation to expose both its utter ineffectiveness and the dire risk it places us all in.

The key argument made to support this legislation was that it would make it easier for law enforcement to monitor and thwart terrorist cells, child pornographers and other highly organised criminal networks. This assumes that these types of criminals use the apps that would be subject to the legislation.

In reality, the real bad guys will not be stopped -- nor even slightly inconvenienced -- by this poorly researched, uninformed thought-bubble legislation.

Having worked in deep and dark web intelligence gathering for years, it is true to say that only the stupidest and most small-fry of the criminal world use WhatsApp, Facebook and other widely used social media platforms to communicate.

Most criminal networks are highly organised and have extremely professional communications infrastructure. Generally, communication takes place through the deep and dark web, every message cloaked with non-common and proprietary encryption applications.

In other words, this law is like turning off the lights to blind the nocturnal, drowning a fish or throwing an eagle off a cliff.

This first fallacy, whether born from a foundation of misinformation or a blind willingness to follow similar pushes in the US and the UK, highlights the ultimate ineffectiveness and futility of the proposed legislation.

The second false assumption upon which this policy is built is that the government is capable of defending the decryption methods from cyber attackers.

Having worked with multiple government bodies and agencies, I would not trust them to protect encryption keys or any other means of access to our communications. These public agencies have incredibly weak cyber security postures as almost all of them rely on cheap security resources acquired after race-to-bottom tender processes.

A key contributing factor to this public service cyber insecurity is the much-maligned cyber security skills shortage. Essentially, this means that there is a lack of highly skilled local security analysts, and those that do exist rarely work for the government because private sector roles -- whether with vendors, security companies or service providers -- are much more lucrative.

Compounding this is the seemingly endless litany of Government privacy breaches waved away time and again as either 'user error' or 'insignificant'. Of all the voluntarily reported breaches in Australia last year, government agencies topped the list. How many times can you downplay a serious privacy breach before the instances weave a pattern of systemic neglect?

Ultimately, if you're going to give someone a 'golden ticket' like a back door or decryption keys, you want to be 100 percent sure they can keep these treasures secure.

Not only do I doubt the Government's ability to protect such a precious asset, but I wouldn't be surprised if the keys were inadvertently posted on a Government website in an act of 'human error'.

This, of course, ignores the fact that the companies behind the apps in question also argue that providing such a means is technically impossible and that the only way to do so would completely undermine that platform's security.

Not only is this legislation nigh impossible to implement, it would also be completely futile as the criminals in question aren't even using the applications the government has in its cross-hairs. What we're left with is a useless law that would gamble the privacy of millions of Australians on the Government's ability to keep such tools from falling into the wrong hands.
