How the Australian government plans to access encrypted messages

107 points by visural, almost 8 years ago

18 comments

nikcub, almost 8 years ago
The story title mentions Australia but this is relevant to all the 5eye nations, as they're obviously pre-briefing the media on what the agenda will be and this is the first time that we're getting detail on what they'll be proposing (the UK proposals were vague)

What they seem to be talking around is implementing an app-level CALEA-like capability.

How I think they think it would work: companies would be made to build lawful targeted intercept capability into their apps, in the same way telephony and other equipment is today. The app developer receives a warrant for an identifier and they're required to split off that traffic and change the keys, or encrypt it twice (the sender/recipient key and an intercept key - one per warrant (this happens with some net and tele warrants now)).

We all know the downsides of this approach, but it isn't technically impossible. What would be impossible is enforcing it, as it is more a regulatory hurdle. It is more possible today because of vertically integrated walled gardens being used for most app distribution - and backed by two of the largest companies in the world who may be susceptible to a compromise (especially as there are the large tax issues hanging over both their heads).

On a scale of how bad things can get - I think warranted targeted surveillance is better than device backdoors which is better than metadata retention which is better than the mass surveillance we have today (leading to cable splitting and DPI, or situations like Lavabit)

I don't see, even if you're ok with warranted targeted surveillance, how a compromise is made here that doesn't lead to a whack-a-mole game where legitimate users are inconvenienced while the 'bad guys' are pushed onto alternate Android distributions and unofficial apps.

I also don't see how a CALEA-like capability is kept secure and safe - especially with apps (we saw the NSA use CALEA intercept to surveil political targets). Clapper et al always vaguely answer "key escrow" to this question without spelling out how that would work.

With subsequent backdowns in the scope of what these governments are wanting to do (and this latest proposal is again a minor backdown) we might be reaching the finite conclusive point where comms do go dark and the new reality is that despite all of the tech we have law enforcement mostly relies on human intelligence and they'll have to scale back up for that. 3,500 terror suspects in the UK, 4,000 employees at MI5 - and notably in the recent attacks there were HUMINT warnings.

cJ0th, almost 8 years ago
> "I personally want to live in a world where reasonable people and companies would say, 'You know what? Under the rule of law, and with the right oversight and a warrant, communications can be listened to when it's needed to protect us.'"

Yes well, I don't. But hey – why not facilitate foreign actors spying on our companies so that we may or *may not* catch any terrorists?

aaronmdjones, almost 8 years ago
> Attorney-General George Brandis said the government will not pursue the controversial "backdoor" access option by forcing firms to plant flaws in their encryption software that would allow it to be cracked by police or security agencies

Forcing firms not to implement end-to-end encryption is forcing firms to implement flaws in their encryption software.

slang800, almost 8 years ago
> The rapid proliferation of encrypted messaging by terrorist networks has prompted...

Giving governments the power to perform mass interception and decryption of communication doesn't seem like a sensible way to fight terrorists, even if they say it's only to be used on suspects. Terrorist attacks aren't increasing because the "bad guys" suddenly got their hands on a copy of OpenSSL.

In the case of the most recent attacks, these people were let into the country voluntarily.

harry8, almost 8 years ago
Fantasy land stuff. Moxie is going to backdoor his encryption because some Australians he's never heard of tell him to?

The prime minister, Malcolm Turnbull, is a noted user of Signal...

One day these stories will be written by and about people who have a clue. One day...

shakna, almost 8 years ago
> In mid-2013, less than 3 per cent of counter-terrorism investigations intercepted communications that were encrypted. Today that figure was more than 40 per cent, Senator Brandis said.

I want to hear more on this, because so far as reporting has gone on terrorist attacks since 2013... The use of encrypted messaging systems seems conspicuously absent.

white-flame, almost 8 years ago
None of any of this ever makes any sense. There will always be communication styles that are inaccessible to authorities. And if we ever get "spooky action at a distance" style communication that does not rely on an interposing medium (regardless of speed), then all this becomes even more moot.

andrewstuart, almost 8 years ago
Once again politicians making decisions about stuff they fundamentally misunderstand.

nine_k, almost 8 years ago
Obviously, either encryption works flawlessly for both legal and criminal purposes, or it works for neither.

What the proposal seems to concentrate on is endpoints, where plaintext inevitably exists, and legal protocols for accessing it.

OTOH any sane implementation would only generate plaintext for display purposes, and would clear the RAM as soon as display (or input) is done, so finding the plaintext anywhere may be honestly impossible. At least, without tampering with the software on either end.

pserwylo, almost 8 years ago
For those who are unfamiliar with the Attorney General George Brandis, this is one of the people instrumental in implementing two year mandatory data retention.

This is a famous interview he gave which shows how little he understands about the concept of metadata, and is mandatory viewing for all who are not familiar with him:

https://www.youtube.com/watch?v=Hw1ryLGs2ws

His utter inability to understand the issues that he is legislating is disturbing.

"What people are viewing on the internet is not going to get caught ... What people are viewing on the internet while they surf is not going to get caught. What will get caught is the web address".

The legislation ended up retaining the IP address that you visit, but not the host or URL. I suspect this is the distinction he was trying to make, but nevertheless, it is still disturbing.

ldp01, almost 8 years ago
Our governments appear to be pursuing mutually contradictory aims. On one hand there are increasingly frequent and powerful cyber attacks which can only be resisted through superior cyber-security and encryption. Then on the other hand we get this rubbish.

Is it even possible to solve both these problems at once in a way which preserves the freedom of the net and doesn't involve some crippling PRC style regulation?

mtgx, almost 8 years ago
I wonder if Facebook/WhatsApp have already been testing this type of access under this current "feature" that's supposed to make it more "convenient" for users who switch phones:

https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages

Most in the crypto community seem to have sided with WhatsApp at the time, but I wonder if they were taken for fools, too, by buying WhatsApp's argument.

If I were to implement a backdoor, then implementing it as a "feature" that "makes sense" is definitely the way I'd go, especially if my app were to get a lot of attention. That way I won't have to hide it (much) or worry about it getting discovered because I could just "explain away" the critiques.

justinclift, almost 8 years ago
One thing that seems to be left out of most discussions around this, is "proof of sender" would likely be compromised.

For example with PGP/GPG, if some "magical" approach was added so messages could be intercepted and then decrypted and read by intelligence/law-enforcement/(etc), it seems feasible those same people may be able to spoof the sender's signature.

e.g. create falsely signed, encrypted messages that verify as being from the real sender. Extremely good for blackmail/framing/similar. :(

It would depend upon the capabilities of the "magical" implementation approach of course, but it fits the scenario. PGP/GPG is regarded as pretty strong, but SSL/TLS certs already aren't so seem like they'd be much more prone to this.

gumby, almost 8 years ago
The 9/11 attackers discussed their plans through email. Good thing they didn't use encryption, or it would have been a tragedy.

Wikipedia says the United States Capitol/The White House was called "The Faculty of Law". The Pentagon was dubbed "The Faculty of Fine Arts". Atta codenamed the World Trade Center "The Faculty of Town Planning". I remember reading they had also used terms such as "birthday cake" and "candles".

I don't know if ASIO (and the US agencies pushing this agenda) are lazy or if they have some different agenda. Clearly this isn't a make-or-break issue in policing.

mechanik, almost 8 years ago
Hilarious given that he is very attached to his Wickr account.

I happen to know he uses it quite extensively.

caf, almost 8 years ago
*"I think we've got to take a common position [among the five eyes] on the extent of the legally imposed obligations on the device-makers and the social media companies to co-operate," Senator Brandis said.*

He's got to realise that any such agreement will inevitably end up being the lowest common denominator of what each of the nations think they can reasonably get away with legislating, which in this case probably means that the US (with the strongest device-maker and social-network lobby) will drive what is possible.

TazeTSchnitzel, almost 8 years ago
Are they following Theresa May's lead?

Worrying.

gleenn, almost 8 years ago
I am a strong proponent of E2E encryption and the right for people to be able to communicate privately, however I think Brandis is saying generally positive things. If Australia thinks someone is a criminal, and there is an agreed process to obtain a warrant (hopefully from a judge), I think that's fine. The NSA mass-surveilling Americans is entirely different, as are other similar tactics to spy on presumably innocent people. Warrants are good, especially with people actively making calls.