Australia is weighing in on the encryption debate regarding exceptional access by law enforcement. As George Brandis, the Australian Attorney-General, described last month, the Prime Ministers office advocates requiring internet companies and device makers [to follow] essentially the same obligations that apply under the existing law to enable provision of assistance to law enforcement and to the intelligence agencies, where it is necessary to deal with issues: with terrorism, with serious organized crime, with paedophile networks and so on. He further asserted that the chief cryptographer at GCHQ, the Government Communication Headquarters in the United Kingdom had assured him that this was feasible.

The Prime Minister of Australia, Malcolm Turnbull, subsequently entered into an interesting interchange with a reporter. When asked by Mark DiStefano, a reporter from ZDNET, Wont the laws of mathematics trump the laws of Australia? And then arent you also forcing people onto decentralized systems as a result? The Prime Minister of Australia said the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

This interchange provides a good opportunity to explore where the laws of mathematics and the laws of nations hold sway. DiStefanos comment about the laws of mathematics is a reference to the conclusion offered by many technically informed parties that including a capability for exceptional access into any encryption scheme invariably reduces the security afforded by that scheme.

But this conclusion is not what the Attorney-General was referring to; he spoke only of an obligation of vendors to provide assistance to law enforcement and intelligence agencies (presumably to provide clear text when required by law). It is certainly possible to develop a system that enables vendors to meet this requirement, and a system with this capability must be that which the chief cryptographer at GCHQ asserts is feasible. This system will not be as secure as it would be without this requirement, though it will enable certain law enforcement and intelligence activities to take place that would not otherwise be possible.

So once again, we see that participants in this debate are not arguing about the same thing. The anti-exceptional access community is talking about the impossibility of developing a system with exceptional access capability that affords the same security as one without such a capability. The pro-exceptional access community is talking about the feasibility of a system with exceptional access capabilities that provides the best security possible given that requirement. And both communities are correct.

Whether the tradeoff is worthwhilelesser security for all in exchange for better ability to pursue certain law enforcement and intelligence activitiesis clearly a policy and legal decision for the Australian government. Of course, to have a reasonable debate about this question, the Australian government would have to acknowledge the first part of this tradeofflesser security for alland whether or not it is willing to do so is not yet clear.

Turnbulls statement is absurd on its face. A more astute response would have been to acknowledge that human laws must be consistent with the laws of mathematics but then to say that the laws of mathematics do not prevent compliance with a requirement such as the one proposed by the Attorney-General. But the Prime Minister would also have had to acknowledge the above-mentioned trade-off explicitlyand maybe such an acknowledgment would have been politically inconvenient.

As I have writtenbefore, these comments also apply precisely to the corresponding debate in the United States. To make progress on either side of the Pacific Ocean, it would help if both sides were talking about the same thing.

More:
The Laws of Mathematics and the Laws of Nations: The Encryption Debate Revisited - Lawfare (blog)

eperi , a provider of cloud data protection solutions, will be presenting its eperi Gateway at this year's it-sa (10-12 October 2017 in Nuremberg, stand 10.1-430).

At the stand, Elmar Eperiesi-Beck, founder and CEO of eperi, Holger Mnius, Sales director DACH and System Engineer, Stefan Mark, will inform the audience about data encryption and what it means for the General Data Protection Regulation (GDPR), which will come into force in May 2018.

They will also demonstrate the eperi Gateway and show how it can be used to reduce the scope of GDPR to effectively meet compliance requirements.

By October 2017, companies will only have eight months to prepare their business for the GDPR requirements, said Elmar Eperiesi-Beck. The clock is ticking and organisations that continue to process personal data on EU citizens without the necessary security could face six to seven-digit penalties in the next year. They have to be able to prove at all times that they comply with the data protection requirements.

The eperi Gateway provides transparent, fast and effective encryption of data at rest, in use and in transit, without affecting the functionalities of the protected applications, databases or file storages. It helps solve the data protection problem by ensuring only authorised users have access to the data in plain text.

Outside the secure environment of the company, the information is encrypted. This reduces the impact GDPR has on a company and minimises the scope of the regulation since the information is unreadable to unauthorised outsiders; for example, if the data is processed in the cloud.

The GDPR requirements for centralised control and Security by Design are also met because the eperi Gateway enables enterprises to manage their cryptographic keys completely internally and maintain full control of their data - even in decentralised cloud environments.

Organisations that encrypt personal data reduce the risk of data theft, continued Eperiesi-Beck. Attackers cannot use the encrypted data without the cryptographic keys.

Moreover, Article 32 of the GDPR also mandates that safety solutions should be regularly checked. The eperi Gateway fulfils this requirement by using transparent, Open- Source encryption that can be checked at any time for weaknesses. Importantly, the eperi Gateway was jointly developed with the German Federal Office for Security in Information Technology (BSI).

See original here:
eperi Presents Secure Cloud Data Encryption at it-sa 2017 - BW Businessworld

The weak spots are at the ends.

Government officials continue to seek technology companies help fighting terrorism and crime. But the most commonly proposed solution would severely limit regular peoples ability to communicate securely online. And it ignores the fact that governments have other ways to keep an electronic eye on targets of investigations.

In June, government intelligence officials from the Five Eyes Alliance nations held a meeting in Ottawa, Canada, to talk about how to convince tech companies to thwart the encryption of terrorist messaging. In July, Australian Prime Minister Malcolm Turnbull called on technology companies to voluntarily ban all systems that totally encrypt messages in transit from sender to recipient, an approach known as end-to-end encryption. British Home Secretary Amber Rudd made global headlines with her July 31 newspaper opinion piece arguing that real people dont need end-to-end encryption.

These claims completely ignore the one billion real people who already use secure messaging apps like Signal and WhatsApp. And it leaves no room for people who may decide they want that security in the future. Yet some technology companies look like they might be considering removing end-to-end encryption and others installed backdoors for government access years ago. Its been two decades since the Clipper chip was in the news, but now a revival of the government-business-consumer crypto-wars of the 1990s threatens.

One thing is very clear to computer scientists like me: We real people should work on improving security where we are most vulnerable on our own devices.

For the moment at least, we do have good, easy-to-use solutions for secure communication between computers, including end-to-end encryption of our messages. End-to-end encryption means that a message is encrypted by the sender, and decrypted by the recipient, and no third party is able to decrypt the message.

End-to-end is important, but security experts have warned for years that the most vulnerable place for your data is not during transit from place to place, but rather when its stored or displayed at one end or the other on a screen, on a disk, in memory or on some device in the cloud.

As the WikiLeaks release of CIA hacking tools highlighted, if someone can gain control of a device, they can read the messages without needing to decrypt them. And compromising endpoints both smartphones and personal computers is getting easier all the time.

Why are we most vulnerable at the endpoint? Because we dont like to be inconvenienced, and because adding more protection makes our devices harder to use, the same way putting multiple locks on a door makes it harder to get in, for both the homeowner and the burglar. Inventing new ways to protect our digital endpoints without reducing their usefulness is very challenging, but some new technologies just over the horizon might help.

Suppose a criminal organization or bad government, EvilRegime, wants to spy on you and everyone you communicate with. To protect yourself, youve installed an end-to-end encryption tool, such as Signal, for messaging. This makes eavesdropping even with a courts permission that much more difficult for EvilRegime.

But what if EvilRegime tricks you into installing spyware on your device? For example, they could swap out a legitimate upgrade of your favorite game, ClashBirds, with a compromised version. Or, EvilRegime could use a malware network investigative technique as a backdoor into your machine. With control of your endpoint, EvilRegime can read your messages as you type them, even before they are encrypted.

To guard against either type of EvilRegimes trickery, we need to improve our endpoint security game in a few key ways, making sure that:

In addition, it would be ideal if users could control their apps security themselves, rather than having to rely on app store security provided by yet another vulnerable corporation.

Computer security experts are excited about the idea that blockchain technology might be able to help us secure our own endpoints. Blockchain, the technology that underpins Bitcoin and other cryptocurrencies, creates a verifiable, unchangeable public record of information.

What this means for endpoint security is that computer scientists might be able to create blockchain-based tools to help us verify the origin of our apps. We could also use blockchains to confirm our data havent been tampered with, and to ensure our privacy. And as long as the source code for these programs is also free for us to inspect as Signal is today the security community will be able to verify that there are no secret backdoors.

As with any new technology, there is an enormous amount of hype and misinformation around blockchain and what it can do. It will take time to sift through all these ideas and develop secure tools that are easy to use. In the meantime, we all need to continue to use end-to-end encryption apps whenever possible. We should also stay vigilant about password hygiene and about what apps we install on our machines. Finally, we must demand that real people always have access to the best security mechanisms available, so we can decide for ourselves how and when to resist surveillance.

More:
End-to-end encryption isn't enough security for 'real people' - The Conversation US