Weakening encryption not the answer for NZ
Shane Te Pou argues that we need to equip law enforcement with all reasonable tools to fight crime, on and offline. But weakening encryption is a muddled, bound-to-fail approach.
Encryption - simply a means to enable secure communication on the Internet - is nothing new. In fact, it secures the majority of the traffic on the world wide web. It helps prevent unauthorised charges on your EFTPOS card and makes it harder to intercept your WhatsApp messages. While it also enables the Dark Web, the genie has long since left the bottle – unbreakably strong cryptography is in the public domain, and nobody can unring that bell. When governments express a desire to do exactly that – as they are in Australia – the average citizen needs to be very wary of what politicians wish for.
I get the political arguments for prising open so-called “backdoors” into computer encryption. Good way to infiltrate the worst of the Dark Web, from cybercrime to terrorism, to child pornography and illegal arms sales. Who wouldn’t want to take on the criminals running these enterprises? And, in any event, who cares about their right to conceal wrongdoing behind impenetrable walls of ones and zeroes? Data privacy is all well and good, but it can’t take priority over protecting innocent populations from the most nefarious actors in cyberspace. It’s a no-brainer, right?
Well, no brainer is right -- but not in the way you might think. Any proposed new regulation to enable encryption backdoors, if enacted, is bound to invoke an age-old law: that of unintended consequences. It risks being less a mere legislative over-reach than a total misfire; not merely a sledgehammer to crack walnuts, but a sledgehammer that cracks the wrong walnuts altogether. As David Barnes wrote in The Hill newspaper, “tech companies cannot build a backdoor that would guarantee only law-abiding officials have access. If you create a way in, somebody you don’t want to get in will find it”. Any 'backdoor' soon becomes a front door.
The recent intrusion into the Australian Parliament’s servers underscored how governments are mostly hapless in the face of sophisticated hacking, and any effort to create a safe backdoor is bound to be exploited. As Carlo Minassian writes in the Australian Financial Review, “once this decryption tool is in the wild, it's game over. The horse has left the stables”.
While the very actors targeted by these laws will do whatever it takes to evade the consequences, the average privacy-conscious citizen will pay the price. Make no mistake: whether it’s trading encrypted text messages, or remitting money online, or even paying your credit card or utility bills, your ability to do so without exposure to unwarranted, even criminal, snooping will be compromised.
Notwithstanding these realities and risks, the NZ Government last year joined its Five Eyes allies to urge a backdoor for encryption, even as it acknowledged that “encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information”. What they fail to see - or perhaps are unwilling to admit - is that all of this is placed at risk when encryption is compromised, however well-intentioned. As Barnes wrote in The Hill, “once that door is open, it’s almost impossible to close it”. Do you believe only benevolent actors will walk briskly through any such open door? Or, like me, do you suspect cybercriminals will sweep through in no time?
That’s why, in the United States, a bipartisan group of legislators are jointly sponsoring a bill - the Secure Data Act - to prevent encryption backdoors. Notably, one of the bill’s six co-sponsors is the new Democratic majority Chair of the House of Representatives’ Judiciary Committee, Jerry Nadler. It’s a two-page law, drafted in simple but striking terms: “No agency may mandate or request that a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency.” It would prevent backdoor access to encrypted mobile phones, tablets, desktop and laptop computers, as well as end-to-end encrypted message apps like MEGA, Signal and WhatsApp. It will also stop the US government from seeking to force tech companies to weaken encryption.
Putting the bad guys on notice about the existence of government-mandated backdoors will simply result in them switching to widely available, open-source encryption products that cannot be weakened or backdoored. What’s more, anyone in the field will tell you this: any product in which cryptography can be weakened or turned off without incurring that risk of discovery was never secure in the first place.
Of course we need to equip law enforcement with all reasonable tools to fight crime and prevent terrorism, on and offline. But weakening encryption is exactly the kind of muddled, bound-to-fail approach we have sadly come to expect from political leaders who struggle to keep up with the challenges of a rapidly-changing tech environment. Instead, we urge the NZ government to bring industry experts to the table so we can find a solution that, unlike this one, won’t backfire spectacularly.
While Shane Te Pou blogs and comments, he also works for Mega Ltd as a director and HR manager.