With Malcolm Turnbull declaring on Friday that the laws of Australia will override the laws of mathematics, you’d think we’d be closer to understanding exactly what the government wants to do to undermine encryption. But despite media conferences and interviews, it’s still entirely unclear exactly what the government proposes to compel IT companies to do — although the Luddite-for-the-ages George Brandis insisted on Friday that it would all be straightforward because the UK’s electronic spy agency GCHQ had assured him it would be.
So what form will this war on maths take? What we know is that agencies like GCHQ, the NSA and the CIA haven’t — despite Brandis’ blithe dismissals — managed to penetrate the widely used encryption methods employed online by companies like Apple and Google. Instead, what they aim to do is access the devices using that encryption to obtain information before it is encrypted, and relay it to agencies. That was a key lesson from the trove of CIA hacking tools that turned up on Wikileaks last year.
And in 2014, the government handed security agencies exactly the power to do that — or, rather, validated something that agencies were almost certainly doing already. Courtesy of the government’s national security legislation changes that year, security agencies were given the power to interfere with computers under warrant, including planting software on them.
Except, this isn’t any safer or smarter than what the government constantly rules out — having backdoors into encrypted communications systems. As the CIA tools showed, the malware that agencies place on mobile devices or computers relies on security flaws in operating systems — flaws that Google, Apple and other manufacturers should be warned about so they can patch them, but which agencies prefer to exploit instead. This is exactly what led to the recent spate of ransomware attacks, all derived from an NSA tool that exploited a flaw in older Microsoft operating systems. There’s no magic rule that prevents hackers, criminals, terrorists or our enemies in China and Russia from exploiting the same flaws.
Nor is there any guarantee that these tools — which are often purchased by security agencies from hackers, rather than internally developed — work as intended. There’s the notorious example of the “Bundestrojaner”, malware used by the German police to provide a backdoor into targeted computers, revealed in 2011 by the German hacker group Chaos Computer Club. That malware permitted the logging of keystrokes on the target computer, remote control of its cameras and microphone, broader control of the functionality of the device and the capacity to relay information back to German police. It could be used by anyone who found it, not just the agencies who put it there, and allowed the planting of information on the target device (thus enabling the planting of evidence), and its use to attack other computers; its unencrypted connections to police computers potentially also allowed third-party access to agencies’ IT infrastructure.
The government may be keen to request — and if unsuccessful, compel — IT companies to assist in planting malware on devices, which would not involve weakening encryption, but accessing data pre-encryption. But as the Bundestrojaner illustrates, a backdoor is a backdoor, regardless of whether it’s pre- or post-encryption.
But we don’t know. The government continues to jabber incoherently on the issue. As with the imposition of mass surveillance in 2014, the government insists it wants to do nothing new, merely keep laws up to date with technology. As in 2014, it can’t actually explain what it wants to do. As in 2014, it’s embarrassing itself trying to explain its agenda. This time, the humiliation is global: Malcolm Turnbull’s insistence the laws of maths are subordinate to whatever he wants is drawing mockery around the world.
Like the War on Drugs and the War on Terror, Turnbull’s War on Maths will probably still be going decades hence, and going about as well as those conflicts have fared so far.