{"id":32585,"date":"2017-06-27T06:00:10","date_gmt":"2017-06-26T20:00:10","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=32585"},"modified":"2017-06-26T15:17:11","modified_gmt":"2017-06-26T05:17:11","slug":"not-dark-yet-strong-encryption-security-part-2","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/","title":{"rendered":"Not dark yet\u2014strong encryption and security (part 2)"},"content":{"rendered":"
<\/figure>\n

In the previous part<\/a> of my exploration of the impact of strong encryption on our security agencies, I described the unsophisticated days of intercepting telephony in the 1970s. With voice communications, it\u2019s largely a case of \u2018grab it or it\u2019s gone\u2019. Most of the history of signals intelligence is about eavesdropping on moving data. But the advent of internet communications introduced a new angle, as data \u2018at rest\u2019 in a computer or smartphone at either end of the communications channel became a potential source of intelligence.<\/p>\n

The Apple handset that became the centre of a 2016 court case<\/a> in the US last year provides an intriguing case study. Even after being presented with a court order to provide the FBI with access to the handset, Apple declined on the grounds<\/a> that they would have to create an access channel that could be used to render vulnerable any iPhone using that system. It wasn\u2019t a case of encryption being the sticking point\u2014the problem was getting past the phone\u2019s passcode. It\u2019s a more complicated story<\/a> than sometimes appreciated, but it brought the tension between customer privacy, information security across the wider economy, and the requirements of law enforcement and intelligence agencies very much into public view.<\/p>\n

There\u2019s something a little puzzling about the pushback in the iPhone case. As I pointed out last time, we all lived happily enough in the post-1979 world of legislatively-guaranteed warranted access to our telecommunications. Philosophically at least, it seems reasonable for governments to want that level of access to be preserved (or, perhaps more accurately, reinstated). In principle I\u2019m inclined to agree, with the proviso that there\u2019s robust and effective oversight<\/a>, including the stipulation of warranted collection.<\/p>\n

It must be said that some governments haven\u2019t helped themselves in that respect. The public is more tolerant of focused investigations of suspicious behaviour and individuals than it is of wider \u2018fishing expeditions\u2019 into big data pools. In 1979, it was hard to do much of the latter, but more recently the US National Security Agency was caught out hoovering up large quantities of metadata<\/a> under their Prism program without sufficient oversight<\/a>. A UK system called Tempora went well beyond metadata<\/a>, and was undiscriminating in its targeting. And the Australian government did a horrible job<\/a> of explaining its own ambitions for metadata collection.<\/p>\n

And in practice, I don\u2019t think we can get there from here. Encryption isn\u2019t just a tool used by bad people to plan bad things: it\u2019s now a critical part of the rapidly growing online economy. Banking and e-commerce couldn\u2019t function effectively without it. As we saw in part 1, the US government rolled out strong encryption for exactly that reason in the 1970s (and continues to support today). And individuals have perfectly valid reasons to implement security mechanisms such as virtual private networks<\/a>\u2014any traveller doing internet banking over someone else\u2019s Wi-Fi network has good reason to want the additional protection. In fact, given how poor network security can be, it makes good sense for users to implement protective measures over sensitive data.<\/p>\n

Perhaps most important are end-to-end encryption systems, used by applications like WhatsApp, Signal, iMessage, and Facebook Messenger. Only the two client users have the key to decrypt any message. Companies such as Apple and Facebook, on whose products the messages are transmitted, don\u2019t have access to unencrypted messages or to encryption keys.<\/p>\n

There have been calls to outlaw strong encryption<\/a> so that law enforcement and intelligence agencies can crack communications between targets of interest. That begs many questions. Who decides how strong is \u2018too strong\u2019? Does ASIO or the AFP need to be able to access data in an hour, a day, or a week? Moore\u2019s Law<\/a> tells us that what the NSA can do today, others will be doing in the not too distant future. So how can we ensure the protection of innocent but sensitive communications? Or is the government going to decree that some privacy measures won\u2019t be available to the public at large?<\/p>\n

Finally, even if we managed to tie up all of the loose ends in the Australian telecommunications marketplace, how do we quarantine local users from apps and hardware that are compatible with Australian networks and are readily available from offshore vendors? Australia, the UK, and even the US can\u2019t legislate for the totality of the messaging app universe, and any lawful intercept legislation would quickly move serious threats onto other platforms that could be even worse for law enforcement\u2014or even wider society. High profile companies like Apple, Google and Facebook tend to help when it\u2019s clearly a public duty to do so (they work with authorities to identify and eliminate child pornography, for example). But smaller firms, especially those in other countries, might feel no such obligation. And any vulnerabilities engineered into products will be available to be exploited by entities other than our own security agencies.<\/p>\n

I think it\u2019s an intractable problem. The horse has bolted, and the access to data through lawful intercept that our security agencies once enjoyed will never be possible again. As Bob Dylan might put it, it\u2019s not dark yet, but it’s getting there<\/a>.<\/p>\n

 <\/p>\n

Note: I had a lot of useful feedback from my ASPI colleagues on these two posts. I thank them, but don\u2019t blame them for anything here.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

In the previous part of my exploration of the impact of strong encryption on our security agencies, I described the unsophisticated days of intercepting telephony in the 1970s. With voice communications, it\u2019s largely a case …<\/p>\n","protected":false},"author":6,"featured_media":32586,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[578,1570,170,649],"class_list":["post-32585","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-attorney-general","tag-encryption","tag-intelligence","tag-nsa"],"acf":[],"yoast_head":"\nNot dark yet\u2014strong encryption and security (part 2) | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Not dark yet\u2014strong encryption and security (part 2) | The Strategist\" \/>\n<meta property=\"og:description\" content=\"In the previous part of my exploration of the impact of strong encryption on our security agencies, I described the unsophisticated days of intercepting telephony in the 1970s. With voice communications, it\u2019s largely a case ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2017-06-26T20:00:10+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-06-26T05:17:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/06\/ppt-backgrounds-2405737_960_720.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"960\" \/>\n\t<meta property=\"og:image:height\" content=\"640\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Andrew Davies\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Andrew Davies\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI's analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/06\/ppt-backgrounds-2405737_960_720.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/06\/ppt-backgrounds-2405737_960_720.jpg\",\"width\":960,\"height\":640},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/\",\"name\":\"Not dark yet\u2014strong encryption and security (part 2) | The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/#primaryimage\"},\"datePublished\":\"2017-06-26T20:00:10+00:00\",\"dateModified\":\"2017-06-26T05:17:11+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/08a9125f7af3039520d264e965235a73\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Not dark yet\u2014strong encryption and security (part 2)\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/08a9125f7af3039520d264e965235a73\",\"name\":\"Andrew Davies\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/bbb47ebb41d4978346dbf2e1d21b992a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/bbb47ebb41d4978346dbf2e1d21b992a?s=96&d=mm&r=g\",\"caption\":\"Andrew Davies\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/andrew-davies\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Not dark yet\u2014strong encryption and security (part 2) | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/","og_locale":"en_US","og_type":"article","og_title":"Not dark yet\u2014strong encryption and security (part 2) | The Strategist","og_description":"In the previous part of my exploration of the impact of strong encryption on our security agencies, I described the unsophisticated days of intercepting telephony in the 1970s. With voice communications, it\u2019s largely a case ...","og_url":"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2017-06-26T20:00:10+00:00","article_modified_time":"2017-06-26T05:17:11+00:00","og_image":[{"width":960,"height":640,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/06\/ppt-backgrounds-2405737_960_720.jpg","type":"image\/jpeg"}],"author":"Andrew Davies","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Andrew Davies","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI's analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/06\/ppt-backgrounds-2405737_960_720.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/06\/ppt-backgrounds-2405737_960_720.jpg","width":960,"height":640},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/","url":"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/","name":"Not dark yet\u2014strong encryption and security (part 2) | The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/#primaryimage"},"datePublished":"2017-06-26T20:00:10+00:00","dateModified":"2017-06-26T05:17:11+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/08a9125f7af3039520d264e965235a73"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/not-dark-yet-strong-encryption-security-part-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Not dark yet\u2014strong encryption and security (part 2)"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/08a9125f7af3039520d264e965235a73","name":"Andrew Davies","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/bbb47ebb41d4978346dbf2e1d21b992a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/bbb47ebb41d4978346dbf2e1d21b992a?s=96&d=mm&r=g","caption":"Andrew Davies"},"url":"https:\/\/www.aspistrategist.ru\/author\/andrew-davies\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/32585"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=32585"}],"version-history":[{"count":1,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/32585\/revisions"}],"predecessor-version":[{"id":32587,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/32585\/revisions\/32587"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/32586"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=32585"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=32585"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=32585"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}