When is ‘not a backdoor’ just a backdoor? Australia’s struggle with encryption – GCN.com

COMMENTARY

This article first appeared on The Conversation.

The Australian government wants the ability to read messages kept secret by encryption in the name of aiding criminal investigations. But just how it proposes to do this is unclear.

As Australian Attorney-General George Brandis recently told Fairfax Media, "[a]t one point or more of that process, access to the encrypted communication is essential for intelligence and law enforcement."

In an interview with Sky News, he spoke favorably of controversial U.K. legal powers that seek to impose on device makers and social media companies a greater obligation to work with authorities where a notice is given to them to assist in breaking a communication.

Brandis has insisted the government doesn't want a backdoor in secure messaging apps. How, then, he expects companies to break them is unclear.

As many have pointed out, it's hard to see any tool that gives law enforcement privileged access to otherwise encrypted messages as anything else but a backdoor.

How end-to-end encryption works

Backdoor or not, it's worth being skeptical of any mechanism aimed at accessing encrypted messages on platforms like WhatsApp. To explain why, you need to understand how end-to-end encrypted messaging services work.

Encrypted messaging services scramble the original message, the plaintext, into something that looks like random gibberish, the cyphertext.

Translating it back to plaintext on the receiver's phone depends on a key -- a short string of text or numbers. Without access to the key, it isn't feasible to get the plaintext back.

Keys are generated in pairs, a public key and a private key, of which only the private key must be kept secure. The sender of the secure message has the receiver's public key, which is used to encrypt the plaintext. The public key cannot be used to unscramble the cyphertext, nor does possessing the public key help in obtaining the private key.

End-to-end encryption simply keeps the private key securely stored on the phones themselves, and converts the cyphertext to plaintext directly on the phone. Neither the private keys nor the plaintext are ever available to the operator of the messaging service.

Compromising security

An encrypted messaging app could hypothetically be modified in a number of ways to make it easier for authorities to access.

One would be to restrict the range of keys that the app can generate. That would make it possible for the government to check all possibilities.

The U.S. government, which imposed regulations to this effect for a brief period in the 1990s, may have once had computing resources far in excess of any other entity, but this is no longer the case. In fact, these old rules are themselves still causing security problems, as some applications can be tricked into reverting to the insecure export mode encryption that is trivially crackable today.

Other national governments and well-funded private bodies would find brute force checking of all the possible keys well within their capabilities, compromising the security of legitimate users.
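
The effect of restricting the key range, as an added example that is not part of the original article: a toy stream cipher (an HMAC-SHA256 keystream, chosen here only for illustration) whose 128-bit key contains just a few secret bits, which anyone holding the ciphertext and a guessable message prefix can recover by trying every candidate. The cipher, the function names, the sample message and the guess rate used in the estimate are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 16  # every key is 128 bits long, however few of those bits are secret


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256)
        out += block.digest()
        counter += 1
    return bytes(out[:length])


def xor_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    stream = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def restricted_key(secret_bits: int) -> bytes:
    """A 128-bit key in which only the low `secret_bits` bits are random.

    This models an app modified to generate keys from a restricted range:
    the key looks full-sized, but the remaining bits are fixed (zero here).
    """
    value = secrets.randbelow(1 << secret_bits)
    return value.to_bytes(KEY_BYTES, "big")


def exhaustive_search(ciphertext: bytes, nonce: bytes,
                      secret_bits: int, known_prefix: bytes):
    """Try every key in the restricted range against a known message prefix.

    Nothing here needs privileged access: the restricted range is the only
    'secret', so whoever learns it can run the same loop.
    """
    n = len(known_prefix)
    for candidate in range(1 << secret_bits):
        key = candidate.to_bytes(KEY_BYTES, "big")
        if xor_cipher(key, nonce, ciphertext[:n]) == known_prefix:
            return key
    return None


def years_to_exhaust(secret_bits: int, guesses_per_second: float) -> float:
    """Worst-case time to try every key, at an assumed guess rate."""
    seconds = (1 << secret_bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    nonce = secrets.token_bytes(12)
    message = b"Subject: quarterly results draft, do not forward"  # constructed sample
    key = restricted_key(16)  # kept small so the demo finishes in about a second
    ciphertext = xor_cipher(key, nonce, message)

    recovered = exhaustive_search(ciphertext, nonce, 16, b"Subject:")
    print("key recovered:", recovered == key)
    print("plaintext:", xor_cipher(recovered, nonce, ciphertext).decode())

    # Assumed rate of one billion guesses per second on commodity hardware.
    # 40 bits is the size used by 1990s export-grade ciphers.
    for bits in (40, 56, 128):
        print(f"{bits:>3}-bit range: {years_to_exhaust(bits, 1e9):.3g} years")
```

Each extra secret bit doubles the search, which is why a range small enough for one government to check is small enough for any well-funded party, while a full 128-bit range is out of reach for all of them.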

And while governments might believe they can keep their backdoor secure, such secrets have a nasty habit of leaking out, as did hacking techniques used by the CIA and NSA.

Nor can governments simply make possessing encryption software a criminal offence.

Take the application Pretty Good Privacy (PGP) -- or, more precisely, its open-source equivalent GNU Privacy Guard (GPG).

Once used for securing email messages, it's now more often used to ensure software updates on Linux systems are from the original authors and have not been tampered with. For instance, the system update tool in Ubuntu Linux uses the GPG machinery for this. Without it, the Linux servers that run much of the internet would become much more vulnerable to hackers.

Similar mechanisms are used in Windows, iOS and Android to prevent tampered applications from being installed. As such, banning or undermining end-to-end encryption would seriously affect internet security.

Endless workarounds

In any case, creating backdoors in end-to-end encrypted messaging services would not achieve its goals. Once messaging app backdoors became known, savvy users would simply switch to another service, or make their own.


FBI Seeks $21M to Counter Encryption – On the Wire (blog)

The FBI is asking for more than $20 million in the 2018 fiscal year budget to counter what the bureau sees as the threat of encryption, both in devices and in real-time communications tools such as text or voice apps.

The request is part of the Department of Justice's proposed budget for the next fiscal year, and Deputy Attorney General Rod Rosenstein said during a Senate hearing Tuesday that the FBI would use the money for a wide variety of things. In his testimony, Rosenstein said that the increased use of encryption, which the FBI and other law enforcement agencies refer to as the problem of "going dark," is a growing challenge and needs funding support.

"The seriousness of this threat cannot be overstated. 'Going Dark' refers to law enforcement's increasing inability to lawfully access, collect, and intercept real-time communications and stored data, even with a warrant, due to fundamental shifts in communications services and technologies," Rosenstein said.

"This phenomenon is severely impairing our ability to conduct investigations and bring criminals to justice. The FBI will use this funding to develop and acquire tools for electronic device analysis, cryptanalytic capability, and forensic tools."

In the proposed budget, the FBI asked for $21.6 million to address the encryption issue. As Rosenstein said in his testimony, the money may be used for developing or buying tools and techniques to analyze encrypted devices, perform forensic analysis, or cryptanalytic analysis, all of which are time consuming and expensive. While the FBI has been raising concerns about the use of encrypted communications for years, much of the current concern comes from the proliferation of encrypted communications apps and devices that store user data in encrypted form by default.

Most current iPhones and Android devices have encrypted data storage enabled by default, and law enforcement agencies have struggled to bypass the protections. During the tense showdown between Apple and the FBI last year over an encrypted iPhone used by a terrorist, the bureau sought a court order to get Apple to build a backdoored version of iOS specifically to bypass the device's encryption. Apple officials called the request offensive and fought it. Eventually the FBI bought a technique from a third party to unlock the phone.

But that case was just one of many involving encrypted devices, and FBI officials and others in the law enforcement community have continued to push for methods to bypass or weaken encryption systems, both in transit and at rest. Privacy advocates and security experts have pushed back, saying that any backdoored or intentionally weakened encryption system would put all users at risk.


ITPA slams Turnbull Government over proposed encryption laws – iTWire

A lobby group for IT workers has slammed the Coalition government over its proposal to introduce laws to gain access to encrypted communications, saying such moves were completely unworkable.

IT Professionals Association president Robert Hudson said though the government was saying it did not want a backdoor into encrypted communication applications, such a method was the only way that it could achieve what it had stated it wanted to do.

In the wake of the terrorist incidents in London, both Prime Minister Malcolm Turnbull and Attorney-General George Brandis have proposed that curbs be imposed on encryption.

But Hudson said just making such statements could be interpreted as "political opportunism" because anyone who had an understanding of how encryption worked would know that such proposals could not be implemented.

"With modern encryption processes, this is only possible if you have access to the key required to decrypt the message, as 'cracking' the encryption is largely not possible otherwise due to the mathematical complexity of the algorithms used."

Hudson said this meant that despite the government's protests that it did not want backdoors, "that's the only way to achieve what they want and if they have backdoors into the encryption, then two things will happen:

"The backdoor will be leaked/exposed. This basically means that the encryption process can no longer be trusted.

"People will stop using encryption processes they cannot trust."

He said this would have little effect on the "bad guys" because those who were competent would switch to communications protocols they trusted or else manage the encryption keys themselves.

"By some reports, less than half of all communications between 'bad guys' is estimated to be encrypted today and these are likely already the competent ones. Such a knee-jerk reaction will, however, have a horrific impact on innocent use of encryption. Legitimate users will be forced to find other methods of encryption," Hudson said.

"If SSL certificate vendors are forced to bake 'backdoors' into their certificates, the impact on eCommerce alone (currently a $32 billion business in Australia in 2017) will be immense.

"This government appears to have not learnt anything from past technology initiatives that were implemented on the run. In typical fashion, there appears to have been no serious consultation with experts and disregard for (or no understanding of) the complexities involved."


Healthcare Data Encryption not ‘Required,’ but Very Necessary – HealthITSecurity.com

June 14, 2017 - Healthcare cybersecurity is essential for covered entities of all sizes, especially as ransomware attacks and other types of malware become more common. Healthcare data encryption is often discussed in these situations as well, with many in the industry underlining its importance.

HIPAA regulations do not specifically require data encryption, and instead qualify it as an addressable aspect. However, it is a very necessary piece to the larger data security puzzle.

In this primer, HealthITSecurity.com will review the basics of healthcare data encryption and explain why it is so critical in the current healthcare cybersecurity landscape.

Encrypting data means an organization converts the original form of the information into encoded text. Data is unreadable unless an individual has the necessary key or code to decrypt it.

With healthcare data, this involves securing ePHI and keeping it confidential so unauthorized individuals cannot access or use the information, even if they are able to find the information in a database or network.

"The Security Rule defines confidentiality to mean that e-PHI is not available or disclosed to unauthorized persons," HHS states on its website. "The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI."

Furthermore, the Security Rule also emphasizes the importance of ePHI integrity and availability. Covered entities maintain integrity by ensuring ePHI is not altered or destroyed in an unauthorized manner, while availability relates to the data being only accessible and usable by authorized individuals.

There are also two kinds of data that can be encrypted: data in motion and data at rest.

Data in motion is information that is being sent from one individual or device to another. For example, this can be done through secure direct message or email. Data at rest is when the information is being stored.

Encryption and decryption fall under the Access Control aspect of HIPAA technical safeguards. The Security Rule does not require specific technical solutions, and instead maintains that there are many technical security tools, products, and solutions that a covered entity may select to maintain PHI security.

"Determining which security measure to implement is a decision that covered entities must make based on what is reasonable and appropriate for their specific organization, given their own unique characteristics, as specified in 164.306(b) the Security Standards: General Rules, Flexibility of Approach," states the HIPAA Security Series from HHS.

Access Control will give users the necessary rights or privileges to access certain areas containing information, including information systems, applications, programs, or files. These rights and/or privileges should be granted based on an individual's necessary job function, and the minimum necessary must be followed.

Essentially, individuals should only be given the minimum necessary access to properly perform their job. This is especially critical when PHI access is taken into account.

For encryption and decryption specifically, HHS explains that healthcare organizations must determine if this measure will be necessary and benefit workflow.

"it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity," HHS stated. "If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate."

HHS added that covered entities should consider which ePHI should be encrypted and decrypted to prevent unauthorized access by persons or software programs. Additionally, organizations can consider reasonable and appropriate mechanisms to prevent access to ePHI by persons or software programs that have not been granted access rights.

Healthcare organizations can use their risk analysis to better determine whether or not something is addressable or required. This is another key aspect of HIPAA regulations, and all entities should be performing regular risk analyses.

Davis, Wright, Tremaine LLP associate Anna Watterson explained in a previous interview with HealthITSecurity.com that the risk analysis is the foundation of the security role for an organization.

"The addressable ones need to be implemented if reasonable and appropriate," Watterson said. "So the risk analysis can be the basis for determining whether a particular addressable implementation specification is reasonable and appropriate to implement in a particular circumstance."

The National Institute of Standards and Technology (NIST) explained in a storage encryption guide that organizations should implement encryption solutions that use existing system features, such as operating system features.

It can be more difficult when solutions require extensive changes to the infrastructure. Furthermore, end user devices should generally be used only when other solutions are not sufficient.

"Organizations should carefully consider how key management practices can support the recovery of encrypted data if a key is inadvertently destroyed or otherwise becomes unavailable," NIST wrote. "Organizations planning on encrypting removable media also need to consider how changing keys will affect access to encrypted storage on removable media and develop feasible solutions, such as retaining the previous keys in case they are needed."

NIST also established the Cryptographic Module Validation Program (CMVP) to analyze, test, and validate that crypto modules are functioning properly and deploying approved algorithms. All algorithms and modules are tested for conformance with the Federal Information Processing Standard (FIPS) 140-2.

Many federal agencies require FIPS 140-2 validation, noted HealthITSecurity.com contributor Ray Potter.

"Essentially this means that crypto is useless until proven otherwise, a blunt but accurate sentiment," Potter wrote. "Other sectors have adopted the standard as their own, as well, with increasingly strict adherence in state and local government, finance, and utilities. Either encryption is validated or it is not. It's very black-and-white."

With healthcare data encryption, NIST also released NIST SP 800-66: An Introductory Resource Guide for Implementing the HIPAA Security Rule.

"NIST security standards and guidelines (Federal Information Processing Standards [FIPS], Special Publications in the 800 series), which can be used to support the requirements of both HIPAA and FISMA, may be used by organizations to help provide a structured, yet flexible framework for selecting, specifying, employing, and evaluating the security controls in information systems," the guide's executive summary explained.

Overall, healthcare organizations need to take the time to understand all available options to properly maintain ePHI security. Technology will only continue to evolve, and covered entities and their business associates are becoming more digital and connected both to other organizations and in utilizing internet connected devices.

A ransomware attack could lead to data becoming compromised, but what if it was already encrypted in the first place and was inaccessible? A laptop containing ePHI might be stolen, but what if that data is unreadable without an access key?

HHS even notes in its ransomware guidance that if the ePHI was properly encrypted before an incident occurs, then it is not considered unsecured PHI and the entity is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required.

Healthcare organizations should conduct thorough and regular risk analyses to properly determine how and where data encryption would be beneficial. Staying educated on all available options and any federal or state requirements will also help entities ensure ePHI security. While not technically required, data encryption is quickly evolving into a very necessary part of data security.


Five Eyes states stare menacingly at encryption – The Register

Officials from the United States, the United Kingdom, Canada, Australia and New Zealand will discuss next month plans to force tech companies to break encryption on their products.

The so-called Five Eyes nations have a long-standing agreement to gather and share intelligence from across the globe. They will meet in Canada with a focus on how to prevent "terrorists and organized criminals" from "operating with impunity in ungoverned digital spaces online," according to Australian prime minister Malcolm Turnbull.

In the most forthright call yet from a national leader to break encryption, Turnbull told Parliament: "The privacy of a terrorist can never be more important than public safety - never."

Turnbull's comments reflect a more vague but similar response from UK prime minister Theresa May earlier this week in which she said she was focused on "giving the police and the authorities the powers they need to keep our country safe." And the UK authorities have already put in a legislative placeholder for breaking encryption into the Investigatory Powers Act.

The United States meanwhile has been having a long debate on the issue of encryption, with tech firms battling it out with law enforcement in both public and private.

It is in the United States where the issue will ultimately be decided, however, since the most widely used encrypted services, ranging from Apple's iPhone to Facebook's WhatsApp messaging, are developed and run by US companies.

Even the UK's heavily criticized anti-encryption law recognizes that it may be powerless to enforce encryption breaking on products and services that come from overseas, and online that geographic boundary doesn't exist.

The Five Eyes group is also going to have to decide how to deal with the mathematical realities of encryption. If companies are forced to insert a backdoor into their encryption products in order to make their contents accessible, there is nothing to stop a malicious third party from doing the same: you cannot wall off a vulnerability.

Security experts have called the argument put forward by law enforcement and politicians that they want access but don't want the bad guys to be able to do the same "magical thinking." The Five Eyes group needs to reach a decision on how to answer the inherent conundrum of magical thinking. Europe, which has been making its own noises about anti-encryption legislation, needs to do the same.

It is also possible of course that the vast and massively powerful spying machinery owned and run by the Five Eyes could be focused on cracking encryption. To isolate specific messages of concern and then throw all computing resources at them.

Or, a third way could be for the security services from the five nations to oblige tech companies to develop a way to undermine specific devices, i.e., create a piece of software that could be sent to an individual's phone that would allow spies direct access to the device and so enable them to bypass encryption protection.

America's National Security Agency is already known to have developed software that uses undiscovered vulnerabilities in software to give itself access to people's phones. If you have full access to someone's phone (or other device), all the encryption in the world won't make a difference.

Although some tech companies have been public in their determination not to introduce backdoors (such as Apple and its feud with the FBI, and Facebook's fight with the Brazilian authorities), it is notable that others have been silent or have called for compromise. Google, for example, has stayed out of the fray, while Microsoft has repeatedly implied it is open to a shared solution.

Where exactly the decision comes down will be hard to say, not least because the security services will want the details to be as secret as possible. Next month in Canada, they will likely emerge with a plan.


BlackBerry touts encryption-busting WhatsApp tech to banks – Financial News (subscription)


BlackBerry is planning to promote new surveillance tech that can sidestep message encryption alongside sales of its smartphones and comms software, allowing banks to keep tabs on traders' calls, texts, and use of Whatsapp and WeChat. The phonemaker ...


Labor is likely to support Turnbull’s encryption fight – iTnews

Federal opposition leader Bill Shorten has indicated his party is likely to support the government's push to force technology companies to be able to decrypt user communications.

Over the weekend the government revealed its plans to follow the United Kingdom and introduce new requirements on operators of end-to-end encrypted communications services like WhatsApp, Signal, Telegram and Apple's iMessage.

The UK's so-called "technology capability notices" force communications operators to ensure they are technically able to hand over decrypted data in "near real time" to law enforcement following the issuance of a warrant.

Critics of the scheme in the UK and now Australia say these notices leave communications operators no choice but to build backdoors into their products.

The UK and Australian governments have both denied they are asking for backdoors, but neither has provided any detail on how they expect operators to meet the requirements of the technical capability notices.

The Australian government intends to discuss the issue with its Five Eyes partners at a conference in Canada in a fortnight.

Speaking to parliament today, opposition leader Bill Shorten said "big internet companies" needed to be "part of our society in the sense of working with us as well as taking from us".

"They need to see this fight as their fight, not just our fight, not just a fight where they help when asked, but a fight in which they come to us with ideas," Shorten said.

"We need them to be proactive, not reactive. Terrorism does not self-police, so we cannot rely on a self-policing system."

He said terrorists were hiding behind encryption technologies, Bitcoin, and the so-called dark web to "stay in the shadows" and obscure their activities.

"We must target this threat head-on. As terrorists adapt their methods and seek to hide online, we must ensure our agencies have the tools, resources and technology so terrorism has no place to hide," Shorten said.

"We can allow them no sanctuary, no place to rest - we must dislodge them from wherever they hide.

"In doing this, though, we must always be mindful of the rule of law and the proper protections of our citizens. [But] we cannot sit back when our enemies have access to a worldwide system to educate and fund extremists."

Prime Minister Malcolm Turnbull said while encryption was a "vital piece of security" for everything from communication to shopping and banking, "the privacy of a terrorist can never be more important than public safety".

He denied the campaign was about creating backdoors, but did not detail how operators were expected to decrypt communications they do not hold the keys to.

"It is about collaboration with and assistance from industry in the pursuit of public safety," he said.

Turnbull said the government would 'balance the priority of community safety with individual liberties'.

"An online civil society is as achievable as an offline one, and the rights and protections of the vast, overwhelming majority of Australians, must outweigh the rights of those who will do them harm," he told parliament.

"My government is committed to this. We will not take an 'if it ain't broke, we won't fix it' mentality. The government does not set and forget."


‘Whack-a-moles’: Warnings from cyber experts on encrypted messaging crackdown – SBS

Cyber-security experts have raised concerns about the federal government's counter-terrorism plans to crack down on encrypted messaging, saying that it may do little in the fight against terrorism and could lead to a game of whack-a-mole with new services to replace compromised ones.

The Turnbull government reportedly wants technology and telecommunications firms to cooperate with them in a bid to stop terrorists using encrypted messaging services to evade authorities.

Details are scarce but Attorney-General George Brandis will be in Canada next month to attend a meeting of the Five Eyes intelligence network.

Prime Minister Malcolm Turnbull says the meeting will be about ensuring terrorists and organised criminals are not able to operate with impunity within ungoverned digital spaces online.

Encryption technology is being increasingly used by individuals, companies and governments to keep information secure.

Encrypted messages are scrambled into a code using an algorithm, meaning they can be intercepted, but not deciphered, on the way to their destination.

Only the intended recipient has the algorithm, or key, to be able to unscramble or decrypt the original message.

End-to-end encryption means not even the server, operated by providers such as WhatsApp or Facebook, can decrypt it.

Even if the tech companies wanted to do so, the data could not be descrambled and passed on to authorities.

Mr Turnbull has denied the government will be pushing for a so-called "backdoor" to be built into encrypted messaging systems.

"Now this is not about creating or exploiting 'backdoors' as some privacy advocates continue to say despite constant reassurance from us. It is about collaboration with and assistance from industry in the pursuit of public safety," he said.

Technology journalist Chris Duckett also said forcing companies like Facebook, Google, or Apple to provide governments a backdoor would just lead to new services popping up.

"Alternatively anyone who wants to stay away from the government is able to go and get open source encryption libraries - make their own app, run their own servers and then they don't have to pay attention to the government at all," he said.

Electronic Frontiers Australia said even if the major tech players dilute the strength of their encryption technology, it wouldn't stop those with a sophisticated understanding of the technology.

"It could push people further underground," executive officer Jon Lawrence said.

"This is an issue with encryption as well, if we start breaking certain encryption technologies people will just move on to others," he said.

"Then you're in a bit of an arms race or a game of whack-a-mole and eventually the really sophisticated terrorists and organised criminals are going to be well ahead of anything that the government's doing."

Chris Gatford, the director of HackLabs, said weakened encryption could be exploited by criminals. "If a provider were to create a backdoor for governments to get access to certain messages, it's inevitable that hackers and hobbyists would find the backdoor also and make use of it," he told SBS World News.

"And you're weakening the overall design of the encryption which then puts the average person who uses that application at risk as well."

Former Australian Federal Police officer Nigel Phair, now at Canberra University's Centre for Internet Safety, said police already had many tools in their arsenal to track extremists without having to target encryption including metadata, physical surveillance, electronic surveillance and also eavesdropping on normal communication.

"And then we start going down to social media feeds and all the other things that people are doing out there, this gives a really good picture of the sorts of people that are out there and the sorts of things they are doing," he said.


Turnbull govt wants to force companies to break encryption – iTnews

The Australian government wants to introduce laws that would force technology companies to ensure their systems are capable of decrypting communications.

The plan is a response to the use of encrypted communications channels by terrorists, and follows in the footsteps of the United Kingdom's moves to force communications operators to make sure they can hand over encrypted messages to law enforcement agencies.

The UK's new 'technology capability notices' were proposed following the Westminster terrorist attack. They impose obligations on operators of communications services to ensure they are technically able to hand over decrypted data in "near real time" to the government.

The Australian government over the weekend revealed its intention to pursue a similar path, but is yet to work out much of the detail of its plans.

Attorney-General George Brandis specifically called out the UK's technical capability notices when revealing the government's plan to "lift the legal obligations on device makers and social media companies to co-operate with authorities in decrypting communications".

He said current Commonwealth legislation 'doesn't go far enough' to impose obligations of "co-operation" on technology companies.

"Now I should also say of course, that in the first instance the best way to approach this is to solicit the cooperation of companies like Apple and Facebook and Google, and so on, and I think there has been a change of the culture in the last year or more," Brandis said.

"There is a much greater conscious proactive willingness on the part of the companies to be cooperative but we need the legal sanction as well."

He insisted the government had no intention of forcing technology companies to introduce backdoors in their products.

"A technical capability notice ... subject to tests of reasonableness and proportionality, imposes upon them a greater obligation to work with authorities where a notice is given to them to assist in breaking a communication," Brandis told Sky News.

"So that's not backdooring."

But it is unclear how the government expects technology companies to break encryption.

The UK's new laws have been fiercely criticised as being vague and giving communications providers no option but to build backdoors into their systems.

End-to-end encryption prevents the operators of Signal, WhatsApp, Telegram and Apple's iMessage, among others, from being able to simply hand over messages: the keys to decrypt the information are held by those involved in the communication.

Because of this, some have taken the UK law as an attempt by the government to outlaw end-to-end encryption. The UK government has avoided answering questions on the matter.

Brandis suggested to the Sydney Morning Herald that one option would be to "improve warrant-based access ... at the sender or receiver ends". However, this can largely only be achieved through compromise of an end user device, or the application.

"At one point or more of that process, access to the encrypted communication is essential for intelligence and law enforcement," Brandis told the SMH.

"If there are encryption keys then those encryption keys have to be put at the disposal of the authorities."

Brandis said the details of the plan would be nutted out at the Five Eyes conference in Canada in two weeks' time.

He indicated the government had not yet decided whether warrants would be needed to access decrypted information, but again referenced the UK technical capability notice model.

A notice works as a first step to "prepare the ground" in case an operator receives an interception warrant, ensuring they have the technical ability to comply. It does not, of itself, require an operator to conduct an interception.

"That's a discussion that we need to have," Brandis said.

"The point at which a power is only exercised under warrant as opposed to a power that resides without the requirement for a warrant in law enforcement and intelligence will always be a part of this discussion and that's one of the issues that will be on the table at Five Eyes in Ottawa in a fortnight's time."

He claimed Australians would not be concerned at the privacy implications involved in the government's plan because the "Facebook generation ... put more and more of their own personal data out there".

"I think that there is an entirely different attitude of privacy among young people than there was perhaps a generation or two ago. And I think the social media companies are regardful of that as well. So let the civil liberties point of view be heard, let legitimate privacy considerations always be had regard to," Brandis said.

"But I think where the community is at at the moment is to prioritise their concern about giving law enforcement and intelligence agencies the tools they need to thwart terrorism, and everyone knows that the internet and cyberspace are important vectors for terrorists."

Privacy and civil liberties advocates have warned that moves to decrypt communications would simply push terrorists onto other technology platforms whilst having negative consequences for financial transactions, online commerce, and security of personal data.

A UK public bills parliamentary committee highlighted several technical issues with the legislation and said it should include a specific threshold that recognises it is unreasonable to hand over decrypted content from end-to-end encrypted channels.

"The damage to security may be done as soon as a company finds itself having to comply with such a notice and install a back door, whether or not it subsequently has to provide data under warrant," the committee said.


Terrorists are using encryption. Our laws need to keep up with the technology – The Sydney Morning Herald

As we learn details from investigations into recent terrorist attacks in Tehran, London, Jakarta and Manchester, a common theme is emerging of terrorists using commercial encrypted communications services to plan, support and commit terrorist attacks.

In Australia, the heads of ASIO and the Australian Federal Police have warned of the challenges of "going blind" in their attempts to lawfully keep up with criminal use of rapidly evolving communications technology - a sentiment echoed by their "five eyes" intelligence-sharing partners in the United States, UK, Canada and New Zealand.

The answer isn't just in keeping up with technical intrusion methodologies - the modern-day equivalent of wire tapping. This will, of course, always continue to play a part for intelligence agencies. But encrypted communications bring challenges and unintended consequences on another scale from these previous technical interceptions.

The recent "Wannacry" ransomware attack demonstrates the hazards of the back-door approach: information on technical vulnerabilities, first identified by western intelligence agencies, was obtained by others and used for criminal purposes - harming both public services and business.

Concerns about privacy are another reason to rethink how we go about dealing with this challenge.

In an age where most freely give much of their personal information to global corporations, the paradox of public demands for privacy from government is well known. But it is incumbent on governments in liberal democracies to protect human rights and privacy, in balance with the public interest.

The importance of secure and confidential communication to support a free press is also critical for legitimate governments. This sets a high benchmark for balancing privacy with the complex and global challenge that encrypted communications poses to security.

We must be focused on the principles, not the technology. Communications have evolved substantially from the phone, fax and telegraph technology of the time when much of Australia's existing telecommunications security legislation was introduced. But the principles remain the same.

Where an individual or group is using any form of communications to support terrorism or other designated criminal activity, this may be intercepted by specified authorities and under appropriate authority.

For Australia and the "five eyes" community in particular - and other liberal democracies - this means that both our laws and practices need to be updated to work in partnership with the communications sector to ensure access when needed to prevent and prosecute criminal activities, including terrorism.

Just as the telecommunications sector already works closely with intelligence and law enforcement to access "wires" and call data, so the globalised communications sector is the key to dealing effectively with terrorist use of current and evolving communications and data technology.

This means that these companies - whether headquartered in Australia or overseas - must maintain visibility and access to the service they are providing.

Most businesses understand their shared responsibility for security - including corporate responsibilities to not facilitate crime - they just need to be involved as partners with government in working out how to best do this. This is where a multilateral approach is key: few of the major business players are Australian.

The laws regulating access to communications data would be, in principle, the same as those currently in place for other forms of telecommunications intercepts: companies ensuring data is available to access if required, warrants being issued by the appropriate authority such as the Attorney-General, with both time limits and regular scrutiny and review through the Inspector-General of Intelligence and Security, the Independent National Security Legislation Monitor, parliamentary committees and others.

Encrypted communications are yet another valuable innovation for our society and our economy. As our technology evolves, our policies, practices and laws need to evolve with them.

Jacinta Carroll is head of the Australian Strategic Policy Institute's Counter-Terrorism Policy Centre and a former national security official in the federal government.
