You can’t take our encryption

Dan Draper
Dec 4, 2018

An open letter to the Morrison Government.

[PGP-encrypted message]

…so obviously you can’t read this message and that’s the point. Having read today’s latest plans (that are supported for the most part by the opposition) for a new bill which pushes technology companies to “help [the authorities] access” private encrypted data on sites like WhatsApp and Telegram — I’m honestly befuzzled. No, that isn’t a word — that’s just how befuzzled I am!

The message above is one I encrypted using a free and open source program called GPG. It doesn’t actually contain anything juicy but you wouldn’t know because the decryption key is stored on my computer.

If the key on your key ring is the key to your house, a decryption key is the key to your data. While the strength of the lock is important, who has the key is what matters most.

While it’s not technically impossible to break the encryption here, it’s really hard. So hard that it would take a billion, billion years for a supercomputer to crack it by brute force.

Even more so than the burglar who gains entry via the window, when hackers (or security researchers) break into secure systems they rarely manage to do it by breaking any encryption mechanism. More often than not it’s because they were able to find an error in the code in which the encryption is written or by tricking some poor user into inadvertently giving them their secret information (such as a password). Not unlike the conman who talks his way in the front-door and lifts your Rolex off the nightstand without you noticing!

To understand what is so utterly befuzzling [sic] about this new bill, let’s take a look at some of the issues.

Who Owns the Keys?

Firstly, what makes the message above secure is that I own the decryption key. It’s stored safely on my computer for now (it will be revoked and deleted once this post has been published in case you’re wondering).

This is the equivalent of keeping my house key firmly wedged into the little pocket at the top of my jeans. It’s pretty hard for someone on the other side of the world to get at it, or for any nosy government for that matter.

Governments that wish to intercept encrypted messages sent by users who manage their own keys will need to gain access to the decryption keys directly. That means directly accessing that user’s physical device — not easy when you might not even know where that user is located.

Some cloud-based services manage the encryption keys for you, which means they are stored on their servers (not on your laptop). Not unlike you lending your house key to your sister or neighbour so that they can feed your cat while you are on holiday in Baku.

However, for a criminal who is motivated enough to hide their tracks, adding another lock and keeping a second key to themselves is jaw-droppingly simple. In other words, regardless of whether they use WhatsApp, Telegram or Carrier Pigeons, belligerents and criminals will simply encrypt messages with their own key (such as with GPG) before sending anyway.

Having said that, even messages encrypted only with keys managed by a cloud provider (your cat-feeding neighbour) would be accessible to the authorities only if the companies controlling them willingly handed them over.

Imagine your friendly neighbour being seconded by a police officer while en route to feed Jasper and being forced to hand over the key to your house. Except in this case your neighbour is the fifth largest company in the world and the police officer is a kid with a plastic police badge named Constable Morrison.

I’m hardly an expert on international law but I struggle to believe that massive organisations like Facebook — based in the US — will give up such sensitive information so readily.

Breaking the Encryption (or the code)

So, if savvy users encrypt messages with their own keys, how else could authorities gain the ability to read them? The only way I can conceive is if they intentionally develop a back-door. This isn’t entirely out of the realms of possibility as it has likely happened before but in all respects, this notion is by far the most troubling (or befuzzling as the case may be).

A back-door coded into either the encryption algorithm itself or the code in which it is implemented would not just be useful to the authorities. This is an all or nothing deal. If there is a hole it could, and likely would, be exploited by the very people that this bill is intended to protect us from.

The ramifications of flawed encryption systems are dire. As if identity theft, credit card fraud and leaked data are not already bad enough, holes in the encryption systems that underpin the internet would turn the online world into a cess-pit of cyber crime not seen before (and for those who think this is already the case, you ain’t seen nothin’ yet!).

The Naive Pollies

Tragically, for our politicians, and mercifully for the rest of us, breaking the core encryption technologies that underpin our favourite apps is a pretty tall order. Most of the implementations used in the wild are open source and any bugs or exploits are almost always pounced on and fixed rapidly by an army of independent contributors.

Side note for technical readers: this is exactly why proprietary or “closed” crypto systems have rarely seen large adoption and why open tech is the norm (the notable exception being RSA until its patent expired).

Crime Just Goes Deeper

The saddest part of this whole saga is that by gaining these “powers” all our wise leaders will do is push the problem deeper. The most serious of terrorists and organised crime units are probably already so far ahead of this problem it’s laughable, while the rest of the nation suffers having our privacy invaded and our trust lost.

Truly befuzzling indeed.


Dan Draper

VPE/CTO, Nerd, Coder and Producer of the forthcoming film, Debugging Diversity.