We need more encryption, not less.
Every day we send sensitive information via the internet – whether this is voice, credit card data or government secrets – the success of which lies with competent encryption.
Encryption protects information stored and transmitted via computers, including smartphones and other devices.
Encryption algorithms provide confidentiality and drive key security initiatives including authentication, integrity, and non-repudiation.
Authentication allows for the verification of a message’s origin, and integrity provides proof that a message’s contents have not changed since it was sent.
Non-repudiation ensures that a message sender cannot deny sending the message.
There are lots of good reasons to embrace encryption.
It's a widely used form of data security because its ciphertext and coding make it more difficult to crack than basic password protected information.
It may also be an organisation’s last line of defence against a cyber attack.
Even if hackers gain access to a network, encryption will stop them from viewing any protected data.
Encrypted communications are provided by widely used computing devices and services – such as smartphones, laptops, and messaging applications – which are used by hundreds of millions of users.
Individuals, organisations, and governments rely on encryption to counter threats from a wide range of actors, including serious and organised criminals, foreign intelligence agencies, and even some governments.
Encryption on its own does not solve the challenge of providing effective security for data and systems, but it is an important tool.
Recently there has been debate surrounding law enforcement and national security agency access to encrypted communications.
The idea being, criminals are using encrypted communications to discuss, plan and potentially execute their activities in relative anonymity.
But we already have legislation.
Some government agencies have the ability to intercept and access communications and other data for law enforcement and national security purposes.
In terms of requirements for persons to assist in decrypting information, s3LA of the Crimes Act 1914 allows the police to obtain a court order for certain persons to provide “any information and assistance” necessary to enable an officer to access data in a computer or digital storage device that is subject to a warrant and to make that data intelligible.
Such orders can only be made with respect to a “person under investigation, an owner of the device, an employee of the owner, a relevant contractor, a person who has used the device, or a systems administrator.”
The Telecommunications (Interception and Access) Act 1979 provides for various federal and state agencies to obtain interception warrants and stored communications warrants for law enforcement and national security purposes.
Carriers and carriage service providers (including internet service providers) are required to provide certain assistance to ASIO and law enforcement agencies under the Telecommunications Act 1997.
However, there is no specific requirement for carriers and service providers to assist agencies by making intercepted or stored encrypted communications intelligible.
While government agencies have the legal authority to access electronic information, it lacks the technical ability to do so because the information may be protected by encryption.
I understand the desire to get access to encrypted communications, but the technical and policy implications of this may weaken all the goodness we get out of encryption technologies.
The government is yet to release any formative legislative proposals, but it will be expecting organisations to take ‘reasonable steps’ for police and national security agencies to access encrypted data.
While I’m sure any legislation won’t seek to weaken encryption standards, it might make some products and services more ‘law enforcement friendly’.
To many this sounds like a ‘back door’.
A more appropriate public policy dialogue might surround a ‘front door’ approach otherwise known as encryption circumvention.
The implementation of any legislative privacy-invasive investigation tools and the conditions in which they are used and judicially monitored requires a lot of thinking.
As we spend more and more of our time online, the digital footprints we leave are everywhere (even cyber criminals conduct legitimate activities online, such as web searching, mobile banking and social media).
National security and law enforcement agencies have unprecedented access to this information through open-source intelligence, collection of metadata and geolocation, sophisticated traffic analysis tools and data analysis algorithms.
There is no need to rush such an important issue.