Nov 19, 2014

Keane: will Brandis and Turnbull go after encryption next?

The growing use of encryption and anonymisation tools by companies and consumers is infuriating security agencies and the copyright industry. When will they move against them?

Bernard Keane, Politics editor


By the logic of surveillance, and given the government's enthusiasm for the agendas of security agencies and the copyright industry, an attack on privacy may be coming that will dwarf the government's current data retention proposal. Soon, internet anonymity and encryption may be in the firing line.

The attack, already developing in the US and the UK, has been driven by two key changes: the attempts by major IT and online companies to reassure customers about their privacy in the wake of the Edward Snowden revelations, and the growing use of encryption and anonymity tools by ordinary internet users.

With their reputations for protecting their customers from government surveillance in tatters, the United States' biggest IT and internet companies have now moved to offer greater privacy protections. Overnight, WhatsApp announced it was embedding end-to-end encryption in its messaging service, making messages unreadable even by the company itself. Earlier this month, Facebook pledged support for Tor, the anonymisation service. In September, Apple revealed encryption on iPhone 6s and new iPads would be in place by default and the company would not hold the encryption keys, so it would be unable to provide them to security agencies. Google soon followed with a similar announcement about the next version of Android. In August, Yahoo announced it was working on end-to-end encryption, using the OpenPGP standard, for its webmail service with Google, so that Yahoo and Gmail users will be able to email one another securely. In July, Microsoft announced it would improve encryption in Outlook and that it would make its code available so that governments could inspect it to check there were no NSA backdoors in it -- though unlike WhatsApp, iPhone and Android encryption and (depending on where keys are stored), Yahoo Mail and Gmail from next year, Microsoft can still provide access to user data to security agencies, if they have the appropriate legal authority.
Webmail encryption is tricky, and potentially unappealing to users (you have to keep your key somewhere) but the option will be there for those who want to protect their privacy, and there appears to be a growing appetite for that. Usage of Tor spiked in 2013 in the wake of the Snowden revelations, and since then has plateaued at a level twice that of pre-2013, despite constant claims it has been successfully tapped by security agencies. In Australia, around 30,000 users are connecting to Tor at the moment, three times the 2013 level, and the number is rising; US numbers show the same pattern, but with an extra zero. In May, Essential Research found at least 30% of Australians were taking some measures to stay anonymous online.

But concern about surveillance and privacy isn't the only, or maybe even the main, driver for the growing use of Virtual Private Networks to encrypt and anonymise traffic. One survey claims 32% of male and 22% of female internet users worldwide use proxy servers or VPNs to access geoblocked content; another recent report suggests a quarter of internet users are doing so.

None of the tools listed above are complete protection against determined intelligence agencies: if a government agency decides to place you under surveillance, it will manage to do it one way or another. But for the 99.99% of Western citizens who aren't identified terrorists, pedophiles or organised crime figures, more, default and easier encryption and anonymisation tools make it significantly harder and more resource-intensive for law enforcement agencies to track what you're doing, and in some cases prevent it altogether. And anonymisation tools such as VPNs (especially those that don't log traffic and have nothing to retain anyway) or Tor also render data retention pointless for online traffic.

Security agencies aren't happy about this. Outgoing Attorney-General of the Obama administration and lead whistleblower-persecutor Eric Holder recently accused unnamed companies -- viz, Apple and Google -- of, in essence, helping kidnappers and sexual predators with encryption (in the same way, presumably, car manufacturers help criminals who use cars). Holder wanted a "backdoor" built into encryption to allow governments to access users' data, an idea quickly demolished by security experts, who pointed out a backdoor could and would be used by anyone, not just police (which has happened). FBI director James Comey had also accused Apple of marketing a product that allowed people to "place themselves above the law". And the new director of the UK's spy agency GCHQ went entirely over the top, accusing firms like Apple and Google of "facilitating murder or child abuse" and accusing companies offering encryption of, in effect, helping terrorists.

Some commentators are now talking about a new "crypto war"; in a hilariously dumb editorial, The Washington Post backed law enforcement, declaring that while a "backdoor" in encryption was undesirable, "perhaps Apple and Google could invent a kind of secure golden key they would retain", as if a "golden key" would be in any way different to a backdoor.

The problem now facing security agencies is one entirely of their own creation. The mass surveillance systems the NSA and GCHQ created were an example of wild, do-it-because-we-can overreach, which led to massive abuse and then exposure by a brave whistleblower. As is now a matter of public record, such mass surveillance was unnecessary for preventing terror attacks. Now, this overreach has prompted a reaction as both companies and consumers look to protect themselves better against mass surveillance.
In doing so, agencies have now created a very real version of their long-running complaint about "going dark" on phone data, only internet users are the ones taking their data beyond the gaze of authorities and retention schemes.

The copyright cartel, which is similarly hostile to anonymisation tools, is also pushing back. It has pressured Netflix to stop Australians using VPNs to get around its geoblock (Hulu has already shut down access to well-known VPN nodes). And in a submission to the government's copyright inquiry earlier this year, BBC Worldwide demanded that ISPs assume VPN users were pirates.

Where does that leave Attorney-General George Brandis and Communications Minister Malcolm Turnbull, who have repeatedly demonstrated their willingness to give security agencies and the copyright cartel whatever they demand? According to a report this week by Fairfax's Ben Grubb, the government will shortly consider a proposal to allow the copyright cartel to force ISPs to censor internet sites they claim are responsible for file sharing. Such a censorship scheme, which has demonstrably failed overseas, would be effortlessly thwarted by VPNs. Indeed, such a move would simply exacerbate the new "going dark" problem as the consumers who hadn't done so move onto VPNs (VPN companies' providers will be desperately hoping for Brandis and Turnbull to get their way). And security agencies know that VPNs render data retention pointless for online metadata.

As with data retention, which took several years to finally reach parliament in Australia, the push to Do Something about encryption and anonymisation may not happen immediately. Until recently, it's not been clear senior security agency officials fully understood what they were facing: in 2012, then-secretary of the Attorney-General's Department Roger Wilkins declared that the problem posed by Tor could be met simply by "demanding the encryption keys", when there are no permanent Tor encryption keys.
The push is thus likely to grow stronger over time. But eventually, the same warnings of marauding sex predators and unsolved kidnappings and murders will be produced by police forces, the same dire warnings of coming terrorist attacks will be uttered by senior spies; the same mainstream media national security stenographers will run the same arguments as for data retention. And all for a problem created by security agencies themselves.


15 thoughts on “Keane: will Brandis and Turnbull go after encryption next?”

  1. wils

    It has been my understanding that business uses encryption. Governments won’t ‘crack down’ because of the way our modern economy works.
    Has China been able to stop VPNs?

  2. GF50

    Good one BK. Overreach most certainly; can I suggest that a collective of Government and the Spook agencies are suffering from hubris syndrome, an acquired personality disorder, acquired as they already have too much power.

  3. rachel612

    You need to separate out the arguments about encryption from those about anonymity. You can’t dismantle encryption standards, per se, without dismantling the banking system, among other things. In other words, there’s a major economic disincentive to blocking secure communication over various Internet protocols.

    Furthermore you can’t abolish VPNs (and various other remote administration protocols) without giving up on the idea of e-commerce, either. How would a bank maintain its servers? For that matter, how would the Government maintain its own servers?

    Anonymity is quite another thing. Unfortunately for governments, encrypted traffic means it’s relatively trivial to get “good-enough” anonymity. Tor is compromised, but there are other ways of managing identity online.

  4. Lehan Ramsay

    You know I reckon they do have a loan.

  5. Venise Alstergren

    Why do governments always assume the electorate to consist of paedophiles/terrorists/skulkers/stalkers/spies and malevolent big businesses? I believe the opposite to be true: the overwhelming numbers of people to be ordinary and decent.

    WHY are our taxes going towards catching the above, when we could have the money being spent on education?

  6. danger_monkey

    Has China been able to stop VPNs?

    China hasn’t been able to stop all VPNs, but they have been able to raise the cost in time, money and effort and risk that using a VPN requires. Of course, penalties for law breaking in China are somewhat higher than they are here.

  7. Neutral

    They won’t dismantle encryption tools but they could go the way of the UK where you are required by law to hand over the keys. This includes steganographic encryption which has opened a can of worms (as the ‘authorities’ do).

    Imagine if Europlod wanted the encryption keys of all the drunken selfies you took in Ibiza thinking you were hiding something in the pics (but you weren’t). Failing to produce the keys whether they exist or not will land you in jail.

    As for Tor – it’s debatable if it’s compromised after the recent busts. The Europlods have talked up their new weapon without disclosing what it is, but the chatter has been around a server admin who used his real email address. Any Tor exit node can be readily monitored – it’s working out who is who that is the challenge.

    No doubt Brandis and Co. will make a hash of whatever they decide given they have already confungled metadata and content. They wouldn’t know a kiddie script from a cantenna.

  8. vbhkdjas vabhjkvh

    As far as I understand, the NSA already built a backdoor into some encryption methods.

  9. AR

    Is it cruel to look forward to watching Brandarse sweat & struggle to explain what encryption even is and why it won’t involve reading anything?
