The Attorney-General, it appears, knows as much about encryption as he does about data retention. Despite every perpetrator of recent terror attacks in the UK and Australia — and pretty much everywhere else — having already been identified to security agencies as a potential threat, George Brandis thinks the real issue is extending surveillance into encrypted communications, the use of which, the government is enthusiastically briefing journalists, has exploded in recent years.
How to access encrypted communications? This is Brandis on Sunday:
“what we’ve asked the Five Eyes conference in Ottawa in a fortnight’s time to consider, is lifting the legal obligations on device makers and social media companies to cooperate with authorities in decrypting communications. For example, in the United Kingdom, under the Investigatory Powers Act that was passed last year, their authorities have the capacity to issue to a device maker or a social media company what is called a Technical Capability Notice which imposes, subject to tests of reasonableness and proportionality, imposes upon them a greater obligation to work with authorities where a notice is given to them to assist in breaking a communication. So that’s not backdooring.”
Um, yes it is, George. That’s … exactly what backdooring is — a manufacturer providing a means to break the encryption of their own software or product. For manufacturers of a variety of encrypted communications applications which do not have any access to the encryption keys generated by users, this means deliberately building in a flaw in the software to allow access whenever people like George Brandis demand it — and, inevitably, whenever criminals, terrorists, paedophiles, or mischievous hackers can obtain it.
Brandis seems not to get that decryption isn’t a matter of approaching Apple and demanding it hand over some master key that will allow police to access information (after which, the myth runs, they hand the key back). For encrypted apps, there is no master key — that’s the whole point. There are only vulnerabilities, deliberate or otherwise, that can be exploited by anyone with the smarts to do so, whether they work for the company, the police, or a paedophile ring.
Presumably Brandis’s head would explode if it was explained to him that some encrypted apps delete messages after they’re sent, too, meaning there’s nothing left to access.
But exactly what the government proposes to do about encryption isn’t at all clear. There was an article in the Fairfax press on the weekend headlined “How the Turnbull government plans to access encrypted messages”, a headline that was a little unfair on the journalist who wrote the article, given the article didn’t attempt to explain that at all, beyond suggesting that the government wanted to have the Americans somehow recognise Australian warrants as legitimate in the United States, thereby requiring US companies to grant access to Australian agencies. Good luck with that.
As with data retention, which sparked a big rise in Australians’ use of VPNs to protect their online privacy, having Brandis blunder about publicly on such issues merely alerts much of the population to the need to ensure they are better protected from surveillance — by using a VPN, by using VoIP-based communications services, by using end-to-end encryption and encrypted apps. All of those things should be standard internet practice for everyone.
Whoever is briefing Brandis on such things is doing every bit the quality job they did back during the data retention debate. Consider this from Sunday’s interview:
“community attitudes, particularly among younger people towards the concept of privacy are changing. In the Facebook generation where people put more and more of their own personal data out there I think that there is an entirely different attitude of privacy among young people than there was perhaps a generation or two ago.”
This is nearly the laziest justification for mass surveillance you can offer — the laziest of all is “if you’ve done nothing wrong, you have nothing to hide”. It’s also been debunked for years now: young people do indeed have different attitudes to privacy than older generations — they’re more protective of it, not less.
What it does reveal is the kind of person we have as our first law officer — an intellectually lazy old man who has virtually no understanding of a sector he wants to impose regulation on. But then, we already knew that about Brandis.