The government wants to read your messages

There are many things that are immoral, there are some things that are just plain wrong and there is a minute selection of things that are just plain stupid. The Australian government has failed to realise it is in the third category.

Earlier this year, Malcolm Turnbull stated: “Encryption for example is a vital piece of security…However encrypted messaging applications are also used by criminals and terrorists” and “The Attorney-General will discuss with Five-Eyes nations, options to ensure terrorists are unable to operate with impunity within ungoverned digital spaces online”. Sorry for the long quotes but you have to be aware that the government has not done its research. If that isn’t utterly damning, 14 of the world’s best cryptographers assembled to oppose this idea.

What the government actually wants

Essentially the government wants the ability to intercept communication platforms that are encrypted end-to-end. They state “this is not about creating or exploiting “backdoors””, it is rather “collaboration with and assistance from industry”. I imagine that specific platforms that would be targeted include: Facebook Messenger, WhatsApp, Signal, iMessage or anything here.

Cryptography has been around for thousands of years. World War II was a particular milestone, where complex maths started being applied to both encryption and breaking encryption. Only in the last decade has it become widespread and easily accessible. You use it every day, to verify that you are visiting the website you intend to, or when using a PIN to decrypt the contents of your phone.

The government realises that it shouldn’t (or isn’t mathematically able to) break all encryption, but how is it going to make sure that such services are not being used for illegal activities?

Ways to intercept encrypted messages

Encryption is really, really, really, really hard to get right by yourself. That is why elite cryptographers, like people with multiple PhDs, are required to verify that the algorithms and code we use are safe. It is often very hard to prove an encryption algorithm is safe, so they rely on previous knowledge of failure modes and on the process of peer review.

  1. That isn’t to say that the government couldn’t try to achieve this, and create a new crypto primitive that only they know how to break. This wouldn’t be the first time a government agency has tried to undermine cryptographic security.
  2. A quicker method would be to mandate supplemental keys that all messages are to be encrypted with. This would be extremely taxing on development of tools on both the provider’s and the government’s end, due to the variety of implementations. It would also mean that there exists a key out there that is able to decrypt your supposedly safe message.
  3. Alternatively, there could be some code injected by any of the platforms above, supplied by the government that runs on your device and exfiltrates your messages before they’re encrypted.
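
To make option 2 concrete, here is an added sketch (not code from this post or from any real platform) of a message whose key is wrapped for the intended recipient and for a mandated supplemental key. The toy Diffie-Hellman group, the envelope layout and every name in it are assumptions chosen so it runs with the Python standard library only.

```python
import hashlib, secrets

# Toy Diffie-Hellman group (assumption for this sketch): 2**127 - 1 is prime
# but far too small for real use. Names and envelope layout are hypothetical.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _xor(key, data):
    # SHA-256 in counter mode as a keystream; illustration only, unauthenticated.
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _kek(shared):
    # Key-encryption key derived from the DH shared secret.
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def encrypt(message, recipients):
    """Encrypt once, then wrap the message key for every public key given."""
    msg_key = secrets.token_bytes(32)
    eph_priv, eph_pub = keypair()
    wrapped = {name: _xor(_kek(pow(pub, eph_priv, P)), msg_key)
               for name, pub in recipients.items()}
    return {"eph_pub": eph_pub, "wrapped": wrapped, "body": _xor(msg_key, message)}

def decrypt(envelope, name, priv):
    kek = _kek(pow(envelope["eph_pub"], priv, P))
    return _xor(_xor(kek, envelope["wrapped"][name]), envelope["body"])

def unexpected_recipients(envelope, intended):
    """Client-side audit: who else was the message key wrapped for?"""
    return sorted(set(envelope["wrapped"]) - set(intended))

def demo():
    bob_priv, bob_pub = keypair()
    _, carol_pub = keypair()
    escrow_priv, escrow_pub = keypair()   # the mandated supplemental key
    to_bob = encrypt(b"hi bob", {"bob": bob_pub, "escrow": escrow_pub})
    to_carol = encrypt(b"hi carol", {"carol": carol_pub, "escrow": escrow_pub})
    return {
        "bob_reads": decrypt(to_bob, "bob", bob_priv),
        # One private key opens every conversation on the platform.
        "escrow_reads": [decrypt(m, "escrow", escrow_priv) for m in (to_bob, to_carol)],
        "audit": unexpected_recipients(to_bob, ["bob"]),
    }
```

The audit only helps while the client can see who the message key was wrapped for; option 3 runs before encryption and leaves nothing in the envelope to inspect.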

That said, these are all technically possible. Should we employ them? Absolutely not.

There are two major issues

  1. Anyone who actually wants to communicate securely can just use an application outside the jurisdiction of those targeted. This would mean that the majority of people who are under surveillance are regular, law-abiding citizens.
  2. None of these would be implemented securely. Without public peer review of these systems, they are utterly broken. Say it with me: encryption is useless without peer review. It is important to note that even huge companies like Microsoft get these wrong.

How do they currently plan to get access to these services? According to George Brandis (current Attorney General), having a company assist in decrypting messages on their platform is not a backdoor – because it is their platform. I hope the following shows you how inept the government is at communicating technological ideas to the public.