Australia’s Security Chief Says It’s Time To Start Forcing Companies To Break Chat Room Encryption
More than a half-decade ago, the Australian government gave itself more powers. These new powers allowed the government to compel decryption - something far easier said than done, especially if existing encryption was expected to still protect everyone else but the government's targets.
Shortly after the law was passed, Australia's federal law enforcement and national security agencies started wielding it against service providers. The first wave was noticeable, but subsequent efforts have flown under the radar for the most part, whether due to extreme amounts of secrecy or the new powers not being quite as possible as the Australian government hoped.
Three years after the enactment of the law, the powers and their side effects were reviewed by federal overseers. The review came to a couple of unsurprising conclusions. First, the joint committee noted the program suffered from a lack of rigorous oversight, which is pretty ironic when the statement is being made by one of the program's oversight bodies. Second, it said the law was great and had no downsides, a conclusion it reached by... simply stating there were no downsides.
"Agencies have made the case that these powers remain necessary to combat serious national security threats, and some of the worst fears held by industry at the time of passage have not been realised," committee chair and Liberal Senator James Paterson said.
Really refreshing to see a government body declare an unprecedented expansion of powers to be a net benefit for all mankind. What's hilarious is that there are actually downsides, but since not every outcome has been negative, the new powers are somehow an unmitigated success. The committee chair did not say "none" of the "worst fears" stated by the industry in opposition to these powers have come to pass. Senator James Paterson says only "some" have "not been realised," which suggests others have "been realised."
Apparently, getting its way isn't sitting right with the current head of the Australian Security Intelligence Organisation (ASIO). Companies must be made to comply more often and more quickly. As Sarah Ferguson reports for Australia's ABC News, ASIO believes it's time to fully flex powers that have apparently only been partially flexed previously.
ASIO head, Mike Burgess, says he may soon use powers to compel tech companies to cooperate with warrants and unlock encrypted chats to aid in national security investigations.
"If you actually break the law or you're a threat to security, you lose your right to privacy, and what I've been asking for those companies that build messaging apps (is to) respond to the lawful requests. So when I have a warrant you give me access to that communication," Mr Burgess told 7.30.
Mr Burgess said ASIO is seeking targeted access to chat rooms hosted on encrypted platforms - which are increasingly used by bad actors to hide their communications.
"We're not asking for mass surveillance. We need their cooperation," he said.
"If they don't cooperate, then there's a private conversation I need to have with government about what we accept or what I need to do my job more effectively."
This goes beyond simply breaking encryption to give intelligence and law enforcement agencies access to communications at rest. This is the ASIO amping things up to demand companies provide them access to ongoing communications in the form of message groups or chat rooms.
Obviously, this creates a much larger problem for non-targets of investigations. It's one thing to give the government access to a single user's communications. It's quite another to break encryption on chat rooms or multi-person messaging groups, which means exposing everyone in these conversations to surveillance, even if they're not actually targets of investigations.
On top of that, this means stripping encryption from entire communications platforms. It's not like service providers can just bypass the encryption safeguarding one set of communications. To allow ASIO the access its boss is demanding, the entire platform must be deprived of its security.
And, once again, we have a supposed expert in the fields of law enforcement and surveillance completely misunderstanding what's at stake and what he's asking for. "Targeted access" is a meaningless term when doing so means depriving every user of these services of the protection encryption provides.
The more Mike Burgess says, the stupider he looks.
"I understand there are people who really need [encryption] in some countries, but in this country, we're subject to the rule of law, and if you're doing nothing wrong, you've got privacy because no one's looking at it," Mr Burgess said.
Nothing about this statement makes any sense. Encryption is acceptable for people in other countries? The rule of law concept is only present in Australia? Australians aren't deserving of the security and privacy communication encryption provides?
And please do not give us another helping of this horseshit "nothing wrong/nothing to fear" platitude. If Burgess is given the access he wants, people who are doing "nothing wrong" can still have their privacy invaded if they happen to participate in chats/messages with people the government is targeting. Once the encryption is broken, it's broken. Everyone's communications can be seen, even if the government is only interested in a few chat room members. Worse, once the platform itself is compromised, people who aren't even participating in chats/messages with government targets can be surveilled.
Then there's this, in which Burgess insists unicorns not only exist, but that tech companies are perfectly capable of generating all the unicorns the Australian government demands.
Mr Burgess says tech companies could design apps in a way that allows law enforcement and security agencies access when they request it without compromising the integrity of encryption.
Wrong! It simply does not work like that. There's no magic switch that can be built in that the government can flip on and off when it wants to intercept or view communications. Either the encryption is solid or it's broken. At best, the encryption is compromised, which means anyone with the means or willingness to do so can eavesdrop on communications or intercept/exfiltrate sensitive data. At worst, it means no one is protected from anything because encryption is simply no longer an option.
These are dangerous people. They're the worst combination of powerful and stupid. And it doesn't even matter to them that they're wrong. They're on the side of the "rule of law" and any incremental gains in law enforcement effectiveness will always outweigh the critical collateral damage these mandates will generate. The theoretical security of the nation is more important than the quantifiable security encryption provides to millions of Australians. No sacrifice is too great... just so long as it's not the government making the sacrifice.