Letter to Prime Minister Turnbull re Encryption and Human Rights – Human Rights Watch (press release)

August 3, 2017 Hon. Malcolm Turnbull MP Prime Minister Parliament House CANBERRA ACT 2600

Re: Encryption and Human Rights

Dear Prime Minister Turnbull,

We write to urge you to support the use of strong encryption as essential to security and human rights in the digital age. We call on you to refrain from forcing technology companies to weaken the security of their products or banning the use of end-to-end encryption.

In a July 14 press conference on national security and encryption, you discussed challenges that Australian law enforcement and intelligence agencies faced in accessing encrypted data or communications, even with a lawful court order. You announced your intention to introduce legislation that will in particular "impose an obligation upon device manufacturers and upon service providers to provide appropriate assistance to intelligence and law enforcement on a warranted basis, to access data in unencrypted form." While the conference released few details, you stated that the legislation would be modelled on the United Kingdom's Investigatory Powers Act and that you will seek a coordinated approach with international partners, including the Five Eyes intelligence alliance.

Governments have a human rights obligation to investigate and prosecute crime and thwart terrorist attacks. However, any policy response must be effective at achieving its aim without doing more harm than good. Forcing companies to weaken encryption or effectively forbidding the use of end-to-end encryption fails on both counts, and would undermine human rights worldwide.

Strong encryption is the cornerstone of cybersecurity in the digital age. Today's cybercriminals are increasingly sophisticated, targeting Internet companies, credit card and identity data, critical infrastructure, and even nation-state intelligence agencies.[1] Strong encryption built into private sector technology protects the data, and the human rights and security, of billions of Internet users worldwide against these growing security threats. You yourself have acknowledged that you use encrypted applications like Wickr and WhatsApp because traditional communication methods are not secure.[2]

Weakening encryption for any purpose effectively weakens it for every purpose, including malicious hacking, financial fraud, and other illicit uses. And unfortunately, weak or partial encryption provides not just weak or partial protection, but no protection at all against sophisticated repressive regimes and capable criminals. Some companies that manufacture encrypted apps or devices do not have the ability to disclose conversations or data to law enforcement because that information is encrypted end-to-end and the companies do not hold the decryption keys. A requirement of assured decryptability for all data would force such companies to redesign their products without security features like end-to-end encryption, or to introduce deliberate vulnerabilities, or "back doors", into their software.

The overwhelming consensus of information security experts, along with some former Five Eyes intelligence officials, is that there is no technical solution that would allow specific law enforcement agencies to decrypt communications without creating vulnerabilities that would expose all users to harm.[3] Europol has also warned that "solutions that intentionally weaken technical protection mechanisms to support law enforcement will intrinsically weaken the protection against criminals as well."[4] Determined cybercriminals and rival foreign intelligence agencies will find and exploit such back doors, for profit or abuse. This would undermine cybersecurity for all users, including the billions who are under no suspicion of wrongdoing.

For human rights defenders and journalists, the harm can be even more serious. Activists and media organizations with whom we work in places like Hong Kong, Vietnam, Thailand, and across the Middle East rely on encryption built into phones and chat applications to protect sources and victims from reprisals. In 2015, the UN special rapporteur on freedom of expression, David Kaye, recognized that encryption enables the exercise of freedom of expression, privacy, and a range of other rights in the digital age.[5] Countries like Russia, China, and Turkey need no encouragement: they are already blurring the line between human rights activism and terrorism in order to justify surveillance and repression of human rights activists.

While strong encryption may limit some existing surveillance capabilities, weakening such security features will only increase the vulnerability of billions of ordinary people to cybercrime, identity theft, and malicious hacking. Such harm would be broadly disproportionate to any gains in law enforcement capabilities that undermining encryption would achieve.

It is also unlikely that limiting strong encryption in Australia, or even in all Five Eyes countries, would prevent bad actors from using it. As a recent global survey of encryption products confirms, terrorists and criminals could easily shift to the many available foreign alternatives that would not be subject to Australian law.[6]

Technology companies face an escalating digital arms race to secure their software and devices against cybercriminals, and encryption is a key part of their arsenal. Instead of hindering efforts to protect ordinary users, we urge your government to invest in modernizing investigation techniques and increasing resources and training in tools already at their disposal, consistent with human rights requirements.[7] For example, any limitations encryption poses to police capabilities are greatly offset by the explosion of new kinds of investigatory material enabled by the digital world, including location information and vast stores of metadata that are not encrypted. And encrypted data can often be accessed in unencrypted form through cloud-based backups or by directly accessing it on devices with hacking or forensic tools. Of course, these alternative approaches should also be necessary and proportionate to legitimate security goals, regulated in public law, and subject to strict safeguards to ensure respect for privacy and other rights.

Australia's approach to encryption will be emulated by other countries facing similar challenges. Your government can demonstrate true leadership by adapting to a world with strong encryption instead of fighting the gains the private sector has made in shoring up security and human rights in the digital age.

Sincerely,

Elaine Pearson Australia Director

Cynthia Wong Senior Internet Researcher

CC:

Senator the Hon. George Brandis QC, Attorney-General

Mr. Michael Phelan APM, Acting Commissioner of the Australian Federal Police

[1] See, for example, Sam Thielman, "Yahoo hack: 1bn accounts compromised by biggest data breach in history," The Guardian, December 15, 2016, https://www.theguardian.com/technology/2016/dec/14/yahoo-hack-security-o... (accessed August 2, 2017); Nicole Perlroth & David Sanger, "Hacks Raise Fear Over N.S.A.'s Hold on Cyberweapons," New York Times, June 28, 2017, https://www.nytimes.com/2017/06/28/technology/ransomware-nsa-hacking-too... (accessed August 2, 2017).

[2] Eliza Borrello, "Malcolm Turnbull confirms he uses Wickr, WhatsApp instead of unsecure SMS technology," ABC News, March 2, 2015, http://www.abc.net.au/news/2015-03-03/malcolm-turnbull-uses-secret-messa... (accessed August 2, 2017).

[3] Nicole Perlroth, "Security Experts Oppose Government Access to Encrypted Communication," New York Times, July 7, 2015, https://www.nytimes.com/2015/07/08/technology/code-specialists-oppose-us... (accessed August 2, 2017); Mike McConnell, Michael Chertoff and William Lynn, "Why the fear over ubiquitous data encryption is overblown," Washington Post, July 28, 2015, https://www.washingtonpost.com/opinions/the-need-for-ubiquitous-data-enc... (accessed August 2, 2017); John Leyden, "Former GCHQ boss backs end-to-end encryption," The Register, July 10, 2017, https://www.theregister.co.uk/2017/07/10/former_gchq_wades_into_encrypti... (accessed August 2, 2017).

[4] Europol and ENISA joint statement, "On lawful criminal investigation that respects 21st Century data protection," May 20, 2016, https://www.enisa.europa.eu/publications/enisa-position-papers-and-opini... (accessed August 2, 2017).

[5] UN Human Rights Council, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye, A/HRC/29/32, May 22, 2015, http://ap.ohchr.org/documents/dpage_e.aspx?si=A/HRC/29/32 (accessed August 2, 2017).

[6] B. Schneier, K. Seidel, and S. Vijayakumar, A Worldwide Survey of Encryption Products, February 11, 2016, https://www.schneier.com/academic/archives/2016/02/a_worldwide_survey_o.... (accessed August 2, 2017).

[7] Orin Kerr and Bruce Schneier, Encryption Workarounds, March 20, 2017, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2938033 (accessed August 2, 2017).


Why Rudd is wrong about online encryption – The Times

August 4, 2017, 12:00am, The Times

Edward Lucas

Giving the state access to encrypted phones won't stop terrorist attacks and would weaken security for the rest of us

Encryption is one of the words that make most readers hurriedly turn the page. Yet if you ever use a plastic payment card, you benefit from it. If you ever let your personal details be stored on someone else's database, you rely on it. If you ever use a password on your computer, you use it. Contrary to the home secretary's assertion this week that strong encryption is not a priority for "real people", these are applications that real people depend on.

Most people, perhaps even Amber Rudd, do not understand the maths behind encryption. But its effects are simple enough. The internet, a deeply insecure computer network, has become the central nervous system of modern civilisation. Encryption gives us the best chance of protecting


China is Majorly Experimenting in the Cryptocurrency and Blockchain Space with NEO – Influencive

Brian D. Evans

Founder/CEO, Influencive.

Last week, certificate authorities in China quietly formed a partnership with NEO, which was formerly known as AntShares but has gone through a rebrand. The idea was to tie in real-world assets and smart-contracts in China in a major way, much like Ethereum did with their smart contracts but with a few differences.

NEO is currently being marketed as the "Ethereum of China". But they are taking it a step further by tying in real-world assets. The big-picture vision of NEO is to create an entire "smart economy". This is where real-world assets tie in and begin to become digitized. Essentially every asset could one day be digitally represented and tied into a smart economy. Their version of a smart economy also involves intelligently automating things like payments.

But when you start automating payments and using things in the realm of AI, there are some important things to consider. The first roadblocks and hurdles in creating a true smart economy in places like China would be security issues and the question of decentralization when governments are involved.

If this experiment is successful and the power of China gets behind them, things could get interesting really fast. Having an entire country backing a cryptocurrency and blockchain platform could do wonderful things for the industry as a whole. If NEO succeeds in a major way in bringing blockchain directly into mainstream use in China, and as long as the key concepts and purposes of blockchain stay intact, it could make for very exciting times for the industry.

NEO is the talk of the cryptocurrency and blockchain space right now since their recent meeting at Microsoft's headquarters in Beijing, where this news first surfaced. NEO also recently partnered with Coindash, Bancor, Binance, Nest Fund, and Agrello.

If this means that an entire country's government is about to back and support a blockchain platform and cryptocurrency, it will at least make for some exciting times ahead.


Dash Cryptocurrency Calls on White-Hat Hackers to Vet its Blockchain – Finance Magnates

Dash, the cryptocurrency which was recently accepted by Apple for the App Store, has contracted the services of Bugcrowd for crowd-sourced security testing. This means thousands of cyber security researchers will be incentivized to identify critical software vulnerabilities within Dash's code and present them to the Dash Core Team.


Jim Bursch, Director of Dash Incubator and the Bugcrowd proposal's creator, said, "Our goal is a safer, stronger network. We are talking about money, the digital equivalent of cold, hard cash. Meaningful amounts of cash attract a powerful incentive for thieves on a global scale. The Dash project is like building a bank vault, and inviting elite bank robbers to participate in its design, so it can't be robbed by other criminals."

Dash Core CEO Ryan Taylor added, "As Dash gains more mainstream attention, identifying and fixing vulnerabilities is absolutely imperative. Bug bounty programs attract fresh eyes to review code, which ensures white-hat hackers help identify any security flaws. Providing strong incentives to attract experienced programmers is one of the many tools we have at our disposal to ensure the Dash codebase is as robust as possible."

Bugcrowd CEO Casey Ellis commented, "Currently, there is a massive shortage in cybersecurity professionals; pair this with an expanding attack surface and companies are at a major security disadvantage. We have amassed a solid resource of professional security researchers and years of experience managing highly complex programs. We are living in the era of digital transformation; cryptocurrency is the next stage in this evolution. Given the globalization of the workforce, it stands to reason that the demand for cryptocurrency will grow."


Edward Snowden: Russian crackdown on web freedom is ‘violation of human rights’ – International Business Times UK

Surveillance expert Edward Snowden, the former US National Security Agency (NSA) analyst turned leaker, has spoken out about the recent spike in internet censorship across Russia and China, saying the incoming ban of VPNs and proxies is a "violation of human rights".

On Sunday 30 July, Russian president Vladimir Putin signed a law under which any technology that could be used to access blacklisted websites, including virtual private networks and online anonymisation software, will be completely outlawed from 1 November 2017.

Separate legislation will require all messaging applications in the country to be able to identify users through phone numbers after 1 January next year.

Moscow officials argued that the unprecedented move was designed to block access to illegal content and not to restrict the web for law-abiding citizens.

Not everyone agreed. "Banning the 'unauthorised' use of basic internet security tools makes Russia both less safe and less free. This is a tragedy of policy," Snowden commented on 30 July, via Twitter.

The NSA whistleblower (or criminal leaker, to some) currently lives in Russia with his partner after being granted asylum in 2013.

He continued: "If the next generation is to enjoy the online liberties ours did, innocuous traffic must become truly indistinguishable from the sensitive.

"Whether enacted by China, Russia, or anyone else, we must be clear this is not a reasonable 'regulation' but a violation of human rights."

The internet clampdown has been teased for months. In late April, it emerged that Russia's media watchdog was drafting the legislation to "completely prohibit" the use of anonymising software.

Firms that fail to abide by the rules would face hefty financial penalties, reports suggested.

And it is now clear the plans were not limited to Russia, with Chinese authorities also talking up moves to bolster its Great Firewall, the state censorship apparatus. In July 2017, Bloomberg reported that access to VPNs would be banned in China from February next year.

VPNs, and web browsing software such as Tor, are able to circumvent censorship and hide identities in a way that makes it difficult for authorities to track the locations of users. In the post-Snowden world, as state-backed spying hit the public consciousness, use of such tools rocketed.

Snowden, who could risk biting the hand that feeds by criticising the Russian state, warned: "For [those] working for major firms: note well this spread in China and Russia within the same week. Don't sleep on the trend." US tech giants have, so far, complied with the bans.


Netflix documentary shows the depths of Russia’s doping regime – New York Post

Doublethink is defined as holding two contradictory beliefs in one's mind simultaneously, and accepting both of them. That word is from George Orwell's novel "1984", a favorite of Russian scientist Dr. Grigory Rodchenkov, who was in a unique position to appreciate the term: As head of his country's so-called anti-doping lab, Rodchenkov ran a stunningly duplicitous program of doping and outright fraud.

But he blows the whistle on all of it in "Icarus", director Bryan Fogel's new Netflix documentary, which starts out like "Super Size Me" and ends up evoking the Edward Snowden-centric "Citizenfour".

Fogel, a cyclist, initially planned to film himself going on a doping regimen to achieve better results and show how the cheating is done. He enlists Rodchenkov after American doctors balk at helping and, almost accidentally, gets the charismatic scientist to admit that the Russians have been playing dirty for decades, with the full support of the state.

"I could have never imagined that it was essentially going to end up exposing the biggest scandal in sports history," says Fogel, 44. "It truly changes the last 40 years of Olympics history."

After sneaking Rodchenkov out of Russia, Fogel went with him to the New York Times, which ran a front-page story about the scope of the cheating at the 2014 Winter Olympics in Sochi, a cloak-and-dagger operation that involved swapping dirty urine for clean, the latter of which was stowed at a former KGB facility.

"It was incredibly nerve-racking before the story became public," says Fogel, who reveals that Rodchenkov felt safer once the information was out in the open. Their fears were not unfounded: Within two weeks (in February 2016), two former Russian Anti-Doping Agency officials were found dead.

Rodchenkov has since gone into the federal witness-protection program. "Through his attorney, I'm being told he's OK," says Fogel. "But his family is not able to leave Russia. They're under surveillance, they took their passports and seized most of the family's assets. But his wife and sister still have jobs, and I'm told they are safe at this time."

As for whether sports will ever really be able to break free from doping and cheating, Fogel is unsure. "It feels like we're in a never-ending cat-and-mouse game between human evolution and technology and science," he says, "and I think as long as there are billions of dollars in professional sports, human nature is always going to try to find an advantage."


PayThink Innovation can take tokenization beyond simple encryption – PaymentsSource

Tokenization is the security process that most recently unlocked the mobile payments market, but the concept can be expanded.

All the major "OEM Pays" (Apple Pay, Samsung Pay, etc.) use the technology to secure the transmission of payment data between device and terminal. The process itself, however, of replacing sensitive data with unique identifiers which retain the essential information but don't compromise security, can in theory be applied to any kind of transaction, from bank details to health records, ID numbers, even to the idea of money itself.

The central idea is this: when tokenized, unlawfully intercepted payment authorization data is rendered valueless because the sensitive data simply isn't there; it has been replaced by a token. This means the data can, in effect, hide in plain sight.

A "smart" token takes this idea a step further. It's a regular token on steroids. It transmits the value and all the information needed to authorize the transaction together, in one go, including enhanced counterpart identity, transaction and invoicing data.

It consists of three layers: an asset, a set of rules, and a state. Let's break it down.

An asset is the source of value. Think of it as the "center" of the smart token. Typically, it's a bank account, such as your current or savings account.

Surrounding this asset are a number of rules. These rules, which can be programmed by the issuer, dictate who can access the asset, at what time, for what purpose and under what set of circumstances.

Imagine you're buying a TV from Amazon. When you hit "buy", your bank sends a smart token to Amazon which has the following rules: a 1000 payment limit and a two-week expiry date. In another transaction, the smart token issued in relation to the same asset (your bank account) could have completely different rules. If you're buying a series of weekly Pilates classes, the token may have a six-month duration, enabling your gym to regularly draw down on that token as each class takes place.

That is the great thing about rules. They are the flexible layer that allows smart tokens to create an almost infinite number of unique and secure digital payment types at a fraction of the cost of today's conventional payments infrastructure. Any existing payment method you can currently imagine, such as cash, credit cards, cheques, and gift cards, can be emulated by a smart token, thanks to the rules. This is the flexibility that opens the door for banks.

Finally, a smart token has a state. This is the part of the token which tracks the value of the token according to its rules. After three months of Pilates classes, it's the state that will record that 50% of your payments have been made. Asset, rules and state combine to give banks the power to tear up the rulebook and perform transactions faster and at a vastly reduced cost, without relying on third parties to validate the payment.
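To make the asset / rules / state layering concrete, here is a small Python model of it, written as an added example for this page; it is not Token's product code nor anything from the PaymentsSource article. The account reference (the asset) stays on the issuer side and only an opaque token id, the rules and the state travel to the payee, so an intercepted token carries no account details and can only ever release what its rules permit. The payee names, limits, class prices and dates are constructed sample values; the article gives only the "1000 limit, two-week expiry" TV purchase and the six-month Pilates token, and the per-class price of 20 is an assumption chosen so that three months of weekly classes reach 50% of the limit.

```python
"""Toy model of a "smart" token: an asset, issuer-programmed rules, and a state.

Added illustration only (not Token's or PaymentsSource's code). Amounts are
plain integers in whatever unit the issuer uses; no currency is assumed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import secrets


@dataclass(frozen=True)
class Rules:
    """Issuer-set constraints: who may draw, how much in total, and until when."""
    payee: str
    limit: int
    expires: date


@dataclass
class State:
    """Mutable record of what the token has released so far."""
    drawn: int = 0
    draws: list = field(default_factory=list)


@dataclass
class SmartToken:
    token_id: str   # opaque id that stands in for the account on the wire
    asset: str      # issuer-side funding account reference; never sent to the payee
    rules: Rules
    state: State = field(default_factory=State)

    def authorize(self, payee: str, amount: int, on: date) -> bool:
        """Honour a draw only if every rule holds; otherwise leave the state untouched."""
        if payee != self.rules.payee:
            return False                       # token bound to a different counterpart
        if on > self.rules.expires:
            return False                       # past the expiry date
        if amount <= 0 or self.state.drawn + amount > self.rules.limit:
            return False                       # would exceed the remaining limit
        self.state.drawn += amount
        self.state.draws.append((on, amount))
        return True

    def progress(self) -> float:
        """Fraction of the limit released so far (the 'state' the article describes)."""
        return self.state.drawn / self.rules.limit

    def payee_view(self) -> dict:
        """What the payee actually receives: no account number, only id, rules and state."""
        return {"token_id": self.token_id, "limit": self.rules.limit,
                "expires": self.rules.expires.isoformat(), "drawn": self.state.drawn}


def issue(asset: str, payee: str, limit: int, issued: date, valid_for: timedelta) -> SmartToken:
    """Issuer mints a token; a random id replaces the account reference on the payee side."""
    return SmartToken(token_id=secrets.token_hex(16), asset=asset,
                      rules=Rules(payee=payee, limit=limit, expires=issued + valid_for))


def tv_purchase() -> tuple:
    """Constructed one-off purchase: 1000 limit, two-week expiry (as in the article)."""
    issued = date(2017, 8, 1)                                   # constructed date
    tok = issue("acct-0001", "amazon", 1000, issued, timedelta(weeks=2))
    ok = tok.authorize("amazon", 899, issued + timedelta(days=1))
    over = tok.authorize("amazon", 200, issued + timedelta(days=2))    # 899 + 200 > 1000
    stale = tok.authorize("amazon", 50, issued + timedelta(days=20))   # beyond expiry
    wrong_payee = tok.authorize("someone-else", 10, issued)            # not the bound payee
    leaked_asset = "asset" in tok.payee_view()                         # account never on the wire
    return ok, over, stale, wrong_payee, leaked_asset


def pilates_scenario() -> tuple:
    """Constructed six-month token: 26 weekly classes at an assumed price of 20 each."""
    issued = date(2017, 8, 1)
    tok = issue("acct-0001", "gym", 26 * 20, issued, timedelta(days=182))
    honoured = 0
    for week in range(13):                       # roughly three months of weekly draws
        if tok.authorize("gym", 20, issued + timedelta(weeks=week)):
            honoured += 1
    return honoured, tok.progress()              # 13 draws, state records 50% paid


if __name__ == "__main__":
    print("TV purchase:", tv_purchase())
    print("Pilates after three months:", pilates_scenario())
```

The point a practitioner should take from the model is that the rules are enforced by the issuer at authorization time, not trusted from the payee, and that the state is what makes a long-lived token safe to hand over: even a stolen Pilates token cannot release more than the remaining balance to anyone other than the gym.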

Marten Nelson is co-founder and vice president of marketing at Token.


Indonesia lifts threat to ban encrypted app Telegram – ABC News

The Indonesian government lifted its threat to ban the encrypted messaging app Telegram because it's taking steps to block "negative" content that includes forums for Islamic State group supporters. But it warned other sites could now face scrutiny.

Rudiantara, the Minister of Communications and Information Technology, who met Tuesday with Telegram co-founder Pavel Durov, announced that "we have agreed to keep Telegram accessible."

Many other social media sites, messaging apps and file and video sharing systems are used in Indonesia, he said, specifically mentioning Facebook and Google as platforms that could be scrutinized in the "near future."

Earlier this month, the ministry said it was preparing to shut down Telegram in Indonesia, where it has several million users, if it didn't develop procedures to block unlawful content including pro-Islamic State group discussion groups.

As a partial measure, it asked internet companies in the world's most populous Muslim nation to block access to 11 addresses offering the web version of Telegram. Durov apologized for failing to quickly respond to the Indonesian government's requests for apparent terror content to be blocked, blaming a miscommunication.

Rudiantara, who uses one name, said the ministry and Telegram will put in place standard operating procedures that improve the ability to "address the negative content in Telegram." The blocking measures against web Telegram could be lifted next week, he said.

Suspected militants arrested by Indonesian police have told authorities that they communicated with each other via Telegram and received orders and directions to carry out attacks through the app, including from Bahrun Naim, an Indonesian with the Islamic State group in Syria accused of orchestrating several attacks in the past 18 months.

Critics of the government's threat said it would make more sense to monitor the IS discussion groups for possible intelligence than to ban the app.

Durov told reporters there would be a line of direct communication between the ministry and top people at Telegram, but also said he wouldn't have come to Indonesia if the government had made any requests that would require Telegram's encryption to be compromised.

"The basis of Telegram is a 100 percent promise of encryption. This is why our company exists," he said.

"We've discussed ways to block the public channels available for the propaganda of terrorism, which is something that we are committed to do globally, and particularly Indonesia," Durov said.

The free messaging service can be used as a smartphone app and on computers through a web interface or desktop messenger. Its strong encryption has contributed to its popularity with those concerned about privacy and secure communications in the digital era but also attracted militant groups and other criminal elements.

Durov said about 20,000 people sign up to use Telegram in Indonesia daily. It has at least 100 million users worldwide, a figure released by Telegram in February 2016.


Software License Optimization: A Field Guide to Open Source … – Enterprise License Optimization Blog (blog)

By John Emmitt

Industry research shows that 95% of organizations use Open Source Software (OSS) in their mission-critical applications. There are a number of reasons for this, including being able to develop applications faster and with higher quality. And, hey, it's free, right? Last year (2016), there were 79 billion (with a 'B') downloads of OSS components!

At the same time, most organizations have no idea how much open source code they are actually using. In fact, the data says that organizations typically are aware of less than 10% of the open source software they are using.

For enterprises that are developing applications for internal use, OSS represents a potential security risk: there are software vulnerabilities in many OSS components. Well-known OSS vulnerabilities include Heartbleed, Ghost and Shellshock. How many of those 79 billion downloads had more than one software vulnerability? One out of every 16. That's more than 4.9 billion OSS components.

What can you do about this?

Many companies do the following to manage open source software use:

There is also license compliance risk when using OSS, particularly for companies that are developing applications for sale or use outside of their own organization. Depending on the open source license being used for a given OSS component, there are different requirements, including, in some cases, the requirement to release your source code to the public. This is the case for the GPL v2 and GPL v3 licenses, for example.

Here is a handy field guide to OSS licensing:

We have also put together a checklist for open source software license compliance:

You can download a copy of this field guide and compliance checklist here.

To learn more about Flexera's FlexNet Code Insight product, please visit our website.

You might also be interested in our on-demand Webinar: The State of Open Source Software (OSS): 2016 Year in Review.


The Bitcoin Cash vs Bitcoin Battle Is Heating UpAnd That’s a Good Thing – Fortune

I am utterly fascinated by the recent, furious emergence of Bitcoin Cash.

For the unfamiliar, it's a so-called fork of the original Bitcoin cryptocurrency that launched earlier this week and sent crypto-investors into a tizzy, trading the virtual coins up to hundreds of dollars each. At the time of this writing, one unit of Bitcoin Cash is valued at about $425, an impressive sum for something that's existed for all of two and a half days.

Like a world religion, Bitcoin Cash was created from conflict: a rift in the original Bitcoin community over technical details pertaining to the structure of the digital currency's underlying technology, the blockchain. And like a religion, the Bitcoin Cash splinter faction was immediately rejected by the establishment, in this case by Coinbase, the largest Bitcoin exchange on the planet.

You can almost picture a Bitcoin Cash enthusiast (call him Martin Luther) posting his 95-point screed to a cryptocurrency message board. "Out of love for the truth and from desire to profit from it!" he writes with zeal, punctuating the sentiment with a GIF of Aziz Ansari as the Parks and Recreation character Tom Haverford making it rain.

Bitcoin Cash's emergence hasn't eroded support for the original Bitcoin. Indeed, one Bitcoin is worth about $2,760 at the moment, more than its value a week and a month ago. Investors and technologists alike sense opportunity in the schism. (Look no further than the Chicago Board Options Exchange, which plans to launch its own bitcoin derivatives trading products next year, and the rabid interest in initial coin offerings, or ICOs.) Cryptocurrency, long the domain of hustlers and dealers, is growing into a legitimate enterprise. The original Bitcoin, launched in 2009, was merely the first chapter.

To which digital currency denomination will you be faithful? For me, it's still far too early to tell, but I've never been an early adopter of technology. A reformation is clearly underway in the crypto-community. Which doctrine(s) win out, well, that's up to you to decide.

This essay originated in Fortune's Data Sheet newsletter.
