The Australian government is proposing legislation, similar to that introduced in the UK, that will compel technology companies to provide access to users’ messages, regardless of whether they have been encrypted.
The attorney general, George Brandis, said on Friday: “What we are proposing to do, if we can’t get the voluntary cooperation we are seeking, is to extend the existing law that says to individuals, citizens and to companies that in certain circumstances you have an obligation to assist law enforcement if it is in within your power to do so.”
Here is how encrypted messaging currently works.
I use an app, such as WhatsApp, to type a message to Darren on my phone. Before sending the message to the Darren via WhatsApp’s server, my phone encrypts the message specifically for Darren using what is called a “public key”. Now, the message can only be read by Darren using his “private key”, which corresponds to the public key the message was encrypted with.
WhatsApp’s server doesn’t have access to the private keys of either user, and so cannot decrypt the message. The situation is the same for other apps that use end-to-end encryption, such as Signal and iMessage.
With a warrant the proposed legislation could compel companies such as Apple, Google and Facebook, to provide access to messages from phones and other devices.
There are several ways this could occur.
One way is that at the point of message encryption the message is not just encrypted for the recipient’s key but also with a key belonging to the technology company that makes the app. Then the technology company would be able to decrypt the message, store it and then later provide this to law enforcement agencies. This amounts to what most people would call a “backdoor” – that is a method introduced, usually by the manufacturer, that allows someone to bypass a security system.
Another way is to circumvent the encryption entirely, by copying the message before it is encrypted or after it is decrypted. This requires either the phone operating system or the messaging application to be modified to record what someone is typing, and then store the unencrypted message for later retrieval or send it to another server.
This is very similar to the way that criminals use programs known as “keyloggers” to steal people’s passwords and other details, and is also a method used by intelligence agencies to get around encrypted messaging.
Brandis has repeatedly said the government will not “require” a backdoor, telling the ABC: “Well, we don’t propose to require ‘backdoors,’ as they are sometimes called, though there is a debate of course about what is or is not a backdoor.”
However, confusingly Brandis has also said that encryption keys should be provided to the government if necessary.
“At one point or more of that process, access to the encrypted communication is essential for intelligence and law enforcement,” he told the Sydney Morning Herald in June.
“If there are encryption keys then those encryption keys have to be put at the disposal of the authorities.”
Seemingly contradictory statements aside, and without yet seeing the legislation, it looks as if the government is going to lay out the requirements for tech companies and then let the companies themselves work out the methods.
Various security researchers have expressed concern that if companies did install backdoors that allow them to decrypt messages, this would have significant security implications for the general public. Once discovered, it’s possible that any backdoor method could be exploited for criminal purposes, compromising the privacy of all users of a service.
It’s also likely that people concerned about security and privacy would simply stop using the services of any company that introduces methods to decrypt or record messages, and switch to other means of secure communication.
For example, in addition to using encrypted messaging apps, members of the terrorist group Isis have also been known to use simple, open-source encryption software to encrypt files which can then be transferred conventionally. It’s hard to see how the government’s legislation could address methods such as this, given the basic function of encrypting and decrypting files is done by mathematical algorithms.
This situation led tech reporter Asha McLean from ZDnet to ask the prime minister: “Won’t the laws of mathematics trump the laws of Australia? And then aren’t you also forcing people onto decentralised systems as a result?”
To which Turnbull replied: “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”
Just how the law of Australia will override mathematics is still unclear.
guardian.co.uk © Guardian News & Media Limited 2010