Before you start reading this post, please make sure you don’t stop at the first two paragraphs. I am dredging up an old issue from early 2016, but it is relevant to some recent news.
I have a fairly libertarian viewpoint on the world. So whenever I hear about a government asking for cooperation from a company to catch criminals, I don’t automatically start rooting for the government to get their way just because some bad guy might get caught. I take a step back and review the situation, then I make a judgement on what the government is asking for. That is what happened when the FBI asked Apple to break their encryption on an iPhone that belonged to one of the terrorists that were involved in the San Bernardino, California, shooting in 2015.
In that case, because Apple did not have the ability to break the encryption, the FBI was asking Apple to create a new version of their software that would give the FBI the ability to bypass the iPhone’s protections. I was adamantly opposed to this idea because of the precedent of allowing the government to bully a private company. And also, if that version got out, what did it mean for the rest of us who depend on the encryption of that device for our privacy?
Yet on the latest edition of the Risky Business podcast, I was told by the Australian Prime Minister’s cyber security advisor Alastair MacGibbon that my second concern from above is a “red herring”. And I was told by Patrick Gray (as he has said over the last few podcasts) that people who are concerned about the government asking for stepped-down cryptography are “losing their minds” or have “spun off the planet.”
I consider Mr. MacGibbon’s statement to be one of two things (you can choose which one you prefer, but I have my ideas on which one is correct):
- a wildly naive view by someone who is an expert in this field (which is the same thing I said to another person who should know better back when the case was still in full swing)
- a bureaucratic statement that is being issued by someone who was appointed by political masters, hence he cannot give a straight answer to the question.
As to Patrick saying we’re all nuts for thinking that the gubment might be considering legislating stepped-down encryption, just listen to the podcast interview for about 2 minutes. Patrick asked a very direct question, and the bob-and-weave strategy came out immediately. And it seems like it caught Patrick off guard. It’s almost like he expected a straight answer from a political appointee. Patrick, you’re likely correct when you said in your well-written post that Australians “don’t really have the same libertarian streak” as us Yanks (he said US cousins, but I liked “Yanks” better). That is partly because of that kind of non-answer from a bureaucrat that we get all the time. We just don’t trust ’em!
The long and short of this is that I do not put it past any government to ask for the stepping down of crypto. It is very easy to justify a lot of bad ideas with the good idea of protecting the citizens of your country. Dictators and tyrants have been doing it for centuries. And people keep buying it wholesale. I do agree that there needs to be some form of cooperation from companies when the government is trying to get answers in investigations. But if that comes in the form of reduced encryption (and that seems to be the only answer in some of these cases), then count me out. Patrick lays out other ways that government can get communications without breaking encryption, which is also pretty dang scary. We know it exists (EternalBlue anyone?), but that doesn’t mean it is justifiable (Patrick didn’t justify it either, BTW).
A few qualifiers before I end this:
Patrick did a great job keeping after Mr. MacGibbon to get a straight answer. This is one of the main reasons I listen to Patrick’s podcast and respect the hell out of his abilities as a journalist.
I was very happy to read this from Patrick’s post:
Let me put this bluntly: If this is what the government winds up suggesting, then by all means hand me a bullhorn and show me where to point it. It is a ridiculous idea that would erode so many of the security gains that we’ve made over the last decade.
While our Australian cousins trust their gubment a little too much for my taste, at least they aren’t just blindly trusting them with the keys.
Also, let me add that I don’t know Mr. MacGibbon. Patrick vouches for him, so I have to respect that. I am simply stating how I see this in the context of this issue and this interview. It just feels very “bureaucratic-y”.
This is a Security Bloggers Network syndicated blog post authored by Michael Farnum. Read the original post at: An Information Security Place