If you heard the reverberation of a few thousand heads exploding last week, it was the sound of information security professionals reacting to US Attorney General Barr saying that Big Tech "can and must" put backdoors into encryption.
In his speech for a cybersecurity conference at Fordham University, Barr warned tech companies that time was running out for them to develop ways for the government to break encryption. FBI Director Christopher Wray agreed with him.
At this week's big meeting of the "Five Eyes" countries, Barr was in attendance. His demands that internet companies break safe security standards of encryption -- with backdoors, or whatever gets the job done -- was one of the meeting's main topics.
Yep, you read that right — we're doing the "war on encryption," again.
Encrypted communication — the highest standard of security — means "converting the Internet and communications into a law-free zone," Barr told the conference, explaining that encryption made the web into a neighborhood that local cops have abandoned to criminals. He said that encryption's "cost" was measured in the victims left in its wake, and placed blame squarely at the feet of tech companies' "dogmatic" stance, likening the hard facts of computer science to a set of malleable beliefs.
Further, Barr incorrectly added, "We are confident that there are technical solutions that will allow lawful access to encrypted data and communications by law enforcement, without materially weakening the security provided by encryption."
The AG's remarks were reminiscent of former Australian Prime Minister Malcolm Turnbull's unforgettable line regarding encryption backdoors, that "the laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."
Turnbull said that in 2017, when Australia was preparing to force legislation requiring tech companies to break end-to-end encryption (again, it's that thing that ensures your connection and communications are secure from attackers). That legislation passed in December 2018, with the laws being rushed through Parliament on the last day of the year, against massive outcry from many quarters -- including over 100 security, privacy, and safety amendments ignored on the promise they'd be addressed later. It was an ugly scene.
Australia basically did what Barr intends to do in the US. So if we want to see what's probably going to be in the next executive order, we need to look at what happened in Australia -- and how it's working out. Or not. Really, it's not.
Australia's Assistance and Access Bill 2018 forces companies to break their own encryption on demand, a la cracking their own security systems. By making it a mandatory obligation for companies to decrypt communications when authorities demand it, they neatly sidestepped the "mandatory backdoors" argument — they're still going to break encryption, just with a game of semantics.
This approach puts the act of hacking you on the backs of companies.
Remember FOSTA? It made companies police users and kick people off of services that might put the company at risk of lawsuits or prosecution from the government. (FOSTA also gave companies license to discriminate, and made it harder for law enforcement to find and stop sex traffickers.) Like with FOSTA, Australia's model for "backdooring" encryption for authorities' access means the companies have to attack their users or face the wrath and punishment of the government.
- Install malware on their users' devices as a way to work around encryption. This malware could then be used to access their accounts and unencrypted communications.
- Modify the service they are providing, including potentially blocking messages.
- Assist law enforcement without alerting the end-user.
Australia's attack on secure encryption by way of the "Assistance and Access Bill" made the country into an infosec petri dish, and that's not a good thing. The bill modeled its distorted approach to internet security after the UK's Investigatory Powers Act, aka the "Snooper's Charter" that no one wanted.
But Australia is the one being watched by the "Five Eyes" countries (an alliance of Australia, Canada, New Zealand, the UK and the US), most of which want to break encryption and tend to favor blanket citizen surveillance, regardless of risk and abuse, which we know has happened. By the way, Russia, Turkey, and China don't bother with backdoor legislation — services with end-to-end encryption are banned in those countries.
So, how's it going in Australia?
Great, if your ideal gardening tool is a flamethrower.
While everyone's privacy and security panics simmered, cybersecurity professionals had a literal moment of OMFG, I can't believe they did something so stupid at this year's big RSA security conference. "Australia's anti-encryption laws ridiculed on the world stage," reported IT News Australia. "Australia's decision to rush in laws designed to weaken encryption has drawn ridicule from international cryptographic experts ... [they] criticized the laws for making it possible for law enforcement to target individual employees to secretly weaken systems and then not tell anyone, including their own employer, under threat of significant jail time."
That same month, Microsoft revealed that companies and governments it works with say they "are no longer comfortable about storing their data in Australia as a result of the encryption legislation." Guardian wrote, "Microsoft's president and chief legal officer, Brad Smith, said customers were asking it to build data centers elsewhere as a result of the changes, and the industry needed greater protection against the creation of "systemic weaknesses" in their products."
They're trashing our rights.
But that was in March. Fast forward to May this year, when documents obtained by the Guardian show Australia's law enforcement taking a pretty broad approach to what they can make companies do to citizens. They wrote:
People accessing the internet at McDonald's and Westfield in Australia could be targeted for surveillance by police under new encryption legislation, according to the home affairs department.
A briefing by the department, obtained under freedom of information, reveals that police can use new powers to compel a broad range of companies including social media giants, device manufacturers, telcos, retailers and providers of free wifi to provide information on users.
If you think that's a bad result of a "backdoor" bill, just wait. "The briefing also provides examples of what type of assistance authorities can lawfully require," Guardian explained, "including: a social media company helping to automate the creation of fake accounts; a mobile carrier increasing the data allowance on a device so surveillance doesn't chew up users' data; blocking internet messages to force a device to send messages as unencrypted SMSes; and a data centre providing access to a customer's computer rack to allow installation of a surveillance device."
As if the world of hacks, attacks, malware and ransomworms wasn't bad enough. FOSTA actually helped sex traffickers by making them go underground and removed the ways law enforcement found them on the open internet. With what Australia is doing, and by extension what AG Barr intends for the US, by breaking all manner of security measures around encryption Australia is definitely doing the world's attackers a favor.
Right now, cybersecurity professionals of all stripes and hackers of every interest from around the world are preparing to attend the Black Hat and DEF CON conferences in Las Vegas. Tens of thousands of infosec citizens, of all ages, genders, colors, and beliefs will come together to share their passions about computer security. Namely, the art of breaking things to make them better, safer, more secure than before, and to create a better future for everyone. For their friends, their families, their loves, their communities, and the places they call home.
You can bet AG Barr's declarations of intent to weaken the one tool that works to secure the internet is going to be a hell of a topic for discussion.
You know how every cryptographer and security person feels when this comes up? Like the poor schmuck at NASA who signed up to explore space but instead has to spend their day explaining why the moon landing wasn't a hoax. Again and again.— matt blaze (@mattblaze) July 23, 2019