Over dinner last night, I commented about how asinine the new law passed by the Australian government was. After some time, it was clear to me that most people just don't understand enough about how encryption works to be able to see how crazy this is, and what the negative consequences are going to be. My friends have encourage me to explain this, in non-technical terms, and put it out there for people to see and refer to. So, here it is.
Now, before your brain says: "Computers — blah, blah, blah!", I need you to re-engage with me here. I promise I won't get technical and just stick to the concepts you need to understand so you can make sense of this whole issue.
Firstly, you need to undestand what encryption is. Basically, it is a way of taking something meaningful — an email, a text message, a picture, a video or whatever — and transforming it in such a way that it is indistinguishable from random noise, but with a mechanism to convert it back to the original if you know how. Sound reasonably straightforward, and it is at a conceptual level. The trick is to do it so that, without knowing or possessing something, you can't do the conversion back to the original.
Now, to avoid technical details. just take it on faith that a lot of really smart people have put their minds to it, and we know how to do that. We basically take a secret key — a password if you like — and use that, together with the original data, as input into some complex mathematics and out the other end we get the encrypted version. As a general rule, the longer the key, the harder it is to decrypt the file without knowing it. And modern encryption techniques use REALLY LONG KEYS.
Now, there are two distinct forms of encryption that provide different features.
The one you are probably most familiar with is what is known as 'symmetric' encryption. Basically, it used the the same secret key to do both the encryption and the decryption. Think of it as the way you would password-protect a ZIP file. We often call this encryption 'shared secret' encryption because, well, we have to somehow share the secret key (or password). That's actually the problem with symmetric encryption — you have to somehow transmit the key to the receiver so he or she can decrypt the data. It's advantage is that it is simple to understand because it's a little like having a lock and a key — just give someone a copy of the key and they lock can be openned.
The other form of encryption is perhaps more interesting, and you actually use it a lot without realising it. It is called 'asymmetric encryption', or "public key" encryption.
Now, the mathematics behind this is quite complex, but you don't need to undestand it. You just need to get a few simple concepts.
With asymmetric encryption, you use a complex bit of mathematics (coded into a program) to create a PAIR of keys — essentially, two REALLY, REALLY, REALLY, big numbers. These numbers have a very special relationship: if you encrypt something with one of them, you can ONLY decrypt it with the other. You can't use the same number to both encrypt and decrypt the data. What this means is that I can publish one of those numbers for anyone to see, and keep the other one totally secret. Now, if you want to send me an encrypted message, you encrypt it with the number that I have published (which is called my public key) and you can be confident that only I can decrypt it, because presumably only I know the other number (my private key).
The same technique can be used to authenticate a message's sender. If I encrypt some identifying information in a message I want to send you with my private key, anyone can confirm that it was indeed sent by me by decrypting it with my public key. This is called 'signing' the message and there are few more details that I have deliberately left out to keep it simple, but the concepts are correct.
How secure is all this? Well, every time you do online banking, the encryption is based on exactly this mechanism. The web server and your browser exchange each a set of randomly generated keys using a complex series of to-and-fro communications, and thereafter all transmissions are effectively encrypted with this type of encryption.
The other thing to be aware of is just how strong either of these encryption methods are. In a word, they are VERY, VERY, VERY strong. It all depends on the length of the keys, and modern hardware is able to use very long keys indeed. Using what is now a pretty common key length of 2048 bits (that's about 256 characters), it would take a modern computer around 6.4 quadrillion years to break it. Really. That's 6,400,000,000,000,000 years. Now, you can throw more powerful computers at it, and many of them, and computers get faster over time, but you get the idea — you can't guess the key in any reasonable period of time no matter how much computer hardware you throw at the problem. Remember, the universe is less than 14 billion years old, we're talking quadrillions here.
And that brings us to the reason for this article. Encyption is a solved problem (for now at least — we'll handle quantum computers when they get here). What this means is that it is mathematically impossible to arbitrarily break into well-coded encryption. So, the powers that be want to force us to use encryption that has been deliberately broken so that they can intercept transmissions and look inside to see the contents.
Now, I really do get the desire for this. After all, who doesn't want to see terrorist plots exposed and their plans thwarted? Who doesn't want to see those pedophiles apprehended and thrown in jail to protect the children?
The problem is, it's just impossible.
To allow encrypted messages to be read by authorities without access to the key, one of two things needs to be done.
One is to always include a copy of the decrypting key in every message (probably itself encrypted with the master key that they authorites have). Of course, should that key ever leak, then essentially ALL messages encrypted prior to that time are essentially broken, because that leaked key can extract the key needed to decrypt them. Umm, do we really trust a government authority not to ever leak that key? They have proven time and time again to be fundamentally incapable of maintaining security.
The other way is to use a trusted man in the middle. So, if I want to send you a message using, say, Google, then in fact I encrypt it TO GOOGLE, who decrypts it and re-encrypts it FROM GOOGLE to you. In this case, GOOGLE (or whoever the "trusted" man in the middle happends to be) has access to the unencrypted contents. Again, do we trust any of these tech intermediaries to both do the right thing and not ever make a mistake and leak data?
The answer to both these questions is, no, we can't. Even with the best of intentions, even with a commitment to high ethical standards and strict security protocols, mistakes WILL happen and data will leak.
But what about the terrorists and child molesters, I hear you ask. Isn't a little loss of privacy worth it for those benefits?
Well, actually, no, for two reasons. Firstly, there are very valid reasons to preserve privacy controls. We're blessed in Australia to enjoy relatively free speech, but in many parts of the world that is not the case. We need to be able to trust secure communications for wistleblowers to come forward, for anonymous witnesses to report in, for our secret agents abroad to be protected, for commercial in confidence communication to be exactly that — confidential.
But more importantly, it will have NO effect on the bad guys. If I want to send you something terrible, all I need to do is encrypt it locally, on my computer, using either form of encryption, then let the broken system re-encrypt it on its way to you. As long as you have the required key, you can decrypt it but the authorities cannot; if they decrypt the doubly-encrypted package, they only decrypt the outer layer and all they can see is the inner, also encrypted, contents to which they do not have the key.
This is trivially easy to do. And I do mean trivially easy — I can compile an industrial-strength local encryption program from source that I can verify has none of the back door mechanisms in place in no time.
So, what does this mean for Australia? Well, amongst other things, it means that:
- Anything exported from Australia must be assumed to be compromised, so other countries must avoid using our products. We're in the same boat as Xaiomi from China.
- Any company wanting to deal with Australia must assume all communications are compromised. Why bother? Australia just isn't that big a market.
- The large technical players (Google, Facebook, Apple, Twitter, Snapchat and so on) will need to decide between deliberately introducing a vulnerability in their product or just banning Australian users. This also applies to companies like WinZip, who will need to make a similar decision.
Folks, this is just crazy. Everyone, write to your federal MP (and I mean using pen and paper, not email) and tell them they've lost their marbles and need to correct this crazy mistake that they have made.