Today, the boundaries of our personal privacy are constantly challenged. The same communication channels we use for e-commerce, open communication and freedom of speech are also used by criminals who hide behind the privacy that protects these channels. Governments all over the world struggle with a seemingly endless game of “whack-a-mole” and see access as a way to more effectively track these malicious actors, but that directly conflicts with the goals of privacy advocates and technologists.
Due to this inherent and ongoing conflict, fear, uncertainty and doubt have surrounded the recent Assistance and Access (or AA) bill that became law in December and will have global implications. The reaction to the bill thus far illustrates the historical conflict — one that began with the “crypto wars” of the 1990s and that we’ve grappled with for many years since — in agendas between government and technology activists.
Setting the scene
During this time period in the 1990s known as the “crypto wars,” governments attempted to block or undermine the spread of strong cryptography; however, thanks to the combined efforts of a global cast of technologists, privacy activists, cypherpunks, hackers and privacy lawyers, it became widely available. This led to the explosion of e-commerce and ultimately, the creation of secure messaging apps and the current generation of privacy-centric services.
But as we entered into the new millenium, a different breed of criminals came onto the scene. Modern cyber-criminals took the skills of so-called “blackhat” hackers, marrying them with traditional criminal innovation and created an entirely new, highly sophisticated adversary. Crimes ranging from financial fraud to bank robberies became digital, and these advances in technical adoption by criminals weren’t just limited to financially-motivated criminals: terrorists also began to leverage these same advances, often hiding in plain sight by using popular communication services.
As a result, crypto wars became hot once again. Governments now continue to struggle with the fact that many traditional investigatory methods are severely limited by strong end-to-end encryption and increasingly seek ways to sidestep or even outright disable the cryptography they see as their number one hurdle. From cracking the alleged terror plot in Melbourne last year to FBI versus Apple after the San Bernardino shooting in the USA, governments all over the world have been confounded and are looking for a solution.
Both sides of the coin
As a technologist, I understand just how difficult this problem is, and as a hacker, I know some of the proposed suggestions are deeply flawed.
First of all, we rely on cryptography for every business transaction — without it, e-commerce would quite literally disappear overnight. But in some ways, building backdoors is more problematic than banning cryptography outright. Introducing flaws into cryptography is extremely difficult to do without fundamentally undermining the integrity of the cryptography it resides in. In addition, once backdoors are known, they become a highly attractive attack vector; anyone who can steal the keys or find a flaw suddenly has power.
I don’t have an answer to the conflict, but I do know the only way we will solve the problem is if we work together. Without guidance from technologists on potential risks and complications of specific bills put into place, government officials can lose sight of the significant impact imposing new laws can have on privacy.
Implications of the Assistance and Access bill
Because there is no easy answer, we’ll face ongoing conflict as more bills emerge along the lines of the AA bill, which can itself be considered a close relative of the UK’s Investigatory Powers Act. It empowers law enforcement to serve warrants on companies or entities responsible for encrypted services. These warrants can request simple metadata such as details about who contacted who, IP addresses or account information. However, they can just as easily request access to encrypted services, messages or encryption keys. Specifically, it includes three types of requests: Technical Assistance Notices, Technical Capability Notices, and Technical Assistance Requests.
Technical Assistance Notices and Technical Capability Requests are both compulsory while currently the Technical Assistance Requests are voluntary. Just like the UK Investigatory Powers Act, these requests all come with built-in gag orders. Disclosing any request or failing to comply with either of the two compulsory notices could land you in jail for up to five years or a fine of up to $10m. We should also note how far-reaching this bill is: essentially, any organization within the “Five Eyes” group of countries (UK, US, Canada, Australia and New Zealand) that has Australian customers could be impacted.
We will see more bills like this in the future, and I suspect the eyes of every government are fixed on Australia right now, ready to judge how this one is received.
Almost all of these capabilities have been around for years: the UK has had laws covering access to keys and interception technology since 2000, and Germany has experimented with endpoint trojans for almost just as long. The FBI has tried to force the hand of companies using encryption to install backdoors, and in the late 90s, the US attempted to introduce federally backdoored cryptography with the “Clipper Chip.” None of these methods have proven to be anything but harmful to user trust and privacy.
As a result, criminals will continue to hide in plain sight. Cryptographers, technologists, policymakers and law enforcement need to come together and find a solution that enshrines privacy and protects all lawful users of the internet. Any solution produced by just one of these groups without building on the knowledge from the others will likely be heavily biased and deeply flawed.