{"id":1290,"date":"2024-09-22T16:27:02","date_gmt":"2024-09-22T16:27:02","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1290"},"modified":"2024-10-19T13:17:02","modified_gmt":"2024-10-19T13:17:02","slug":"proposed-encryption-law-is-futile-flawed-and-based-on-cyber-fantasy","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/proposed-encryption-law-is-futile-flawed-and-based-on-cyber-fantasy\/","title":{"rendered":"Proposed encryption law is futile, flawed and based on cyber fantasy"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img fetchpriority=\"high\" decoding=\"async\" width=\"500\" height=\"250\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/encryption-1.webp\" alt=\"encryption\" class=\"wp-image-1291\" style=\"width:648px;height:auto\"\/><\/figure>\n<\/div>\n\n\n<p>The Australian Government\u2019s recently announced encryption legislation, forgetting for a moment its completely inoperable absurdity, is based on two deeply flawed assumptions which couldn\u2019t be further from the truth\u2026 either that, or it is a thinly veiled grab at unbridled mass surveillance.<br><br>When Prime Minister Malcolm Turnbull \u2013 flanked by Attorney General George Brandis, Acting AFP Commissioner Michael Phelan and a surprising dearth of Australian flags given the rhetoric \u2013 <a href=\"https:\/\/www.gizmodo.com.au\/2017\/07\/everything-that-went-down-at-malcolm-turnbulls-encryption-law-announcement\/\" target=\"_blank\" rel=\"noopener\">revealed legislation<\/a> that would force tech companies to provide the Government with unrestricted access to encrypted messages, assumptions were made that a) the caliber of criminals they named (terrorists, child pornographers, etc.) 
use these services to communicate, and b) the Government is capable of defending encryption keys from falling into the hands of cyber attackers.<br><br>Perhaps I\u2019m an optimist, but the only other conclusion is that the legislation was inspired by a Machiavellian motivation to monitor the communications of Australian citizens \u2013 which in effect is all this legislation would achieve. So, instead of chalking this up to Orwellian-level malevolence, let\u2019s give the Government the benefit of the doubt and proceed as if the legislation was conceived from a complete misunderstanding of the topic at hand.<br><br>First, let\u2019s take apart the two assumptions underpinning the legislation to expose both its utter ineffectiveness and the dire risk it places us all in.<br><br>The key argument made to support this legislation was that it would make it easier for law enforcement to monitor and thwart terrorist cells, child pornographers and other highly organised criminal networks. This assumes that these types of criminals use the apps that would be subject to the legislation.<br><br>In reality, the real bad guys will not be stopped \u2013 nor even slightly inconvenienced \u2013 by this poorly researched, uninformed thought-bubble legislation.<br><br>Having worked in deep and dark web intelligence gathering for years, it is true to say that only the stupidest and most small-fry of the criminal world use WhatsApp, Facebook and other widely-used social media platforms to communicate. These kinds of criminal networks are highly organised and have extremely professional communications infrastructure. 
Generally, communication takes place through the deep and dark web, every message cloaked with non-common and proprietary encryption applications.<br><br>In other words, this law is like turning off the lights to blind the nocturnal, drowning a fish or throwing an eagle off a cliff.<br><br>The first fallacy, whether born from a foundation of misinformation or a blind willingness to follow similar pushes in the <a href=\"https:\/\/www.engadget.com\/2017\/05\/03\/fbi-director-backs-renewed-decryption-law-push\/\" target=\"_blank\" rel=\"noopener\">US<\/a> and the <a href=\"https:\/\/www.theguardian.com\/technology\/2017\/mar\/29\/uk-government-encryption-whatsapp-investigatory-powers-act\" target=\"_blank\" rel=\"noopener\">UK<\/a>, highlights the ultimate ineffectiveness and futility of the proposed legislation.<br><br>The second false assumption upon which this policy is built is that the government is capable of defending the decryption methods from cyber attackers.<br><br>Having worked with multiple government bodies and agencies, I would not trust them to protect encryption keys or any other means of access to our communications. These public agencies have incredibly weak cyber security postures as almost all of them rely on cheap security resources acquired after race-to-the-bottom tender processes.<br><br>A key contributing factor to this public service cyber insecurity is the much-maligned <a href=\"http:\/\/www.abc.net.au\/news\/2017-06-09\/cybersecurity-skills-shortage-putting-australia-at-risk-expert\/8601426\" target=\"_blank\" rel=\"noopener\">cyber security skills shortage<\/a>. 
Essentially this means that there is a lack of highly-skilled local security analysts, and those that do exist rarely work for the government because private sector roles \u2013 whether with vendors, security companies or service providers \u2013 are much more lucrative.<br><br>Compounding this is the <a href=\"http:\/\/www.canberratimes.com.au\/national\/public-service\/96000-public-servants-in-new-data-breach-20161004-grul2p.html\" target=\"_blank\" rel=\"noopener\">seemingly<\/a> <a href=\"http:\/\/www.canberratimes.com.au\/national\/public-service\/privacy-watchdog-called-after-health-department-data-breach-20160929-grr2m1.html\" target=\"_blank\" rel=\"noopener\">endless<\/a> <a href=\"http:\/\/www.abc.net.au\/news\/2017-03-02\/department-of-human-services-defends-release-blogger-personal\/8317910\" target=\"_blank\" rel=\"noopener\">litany<\/a> of Government privacy breaches waved away time and again as either \u2018user error\u2019 or \u2018insignificant\u2019. Of all the voluntarily reported breaches in Australia last year, 80% were by government agencies. How many times can you downplay a serious privacy breach before the instances weave a pattern of systemic neglect?<br><br>Ultimately, if you\u2019re going to give someone a \u2018golden ticket\u2019 like a back door or decryption keys, you want to be 100 per cent sure they can keep these treasures secure. 
Not only do I doubt the Government\u2019s ability to protect such a precious asset, but I wouldn\u2019t be surprised if the keys were inadvertently posted on a Government website in an act of \u2018human error\u2019.<br><br>This, of course, ignores the fact that the companies behind the apps in question also argue that providing such a means is <a href=\"http:\/\/www.huffingtonpost.com.au\/2017\/07\/19\/encrypted-messaging-app-says-nope-to-turnbulls-decryption-pus_a_23036517\/\" target=\"_blank\" rel=\"noopener\">technically impossible<\/a> and that the only way to do so would completely undermine that platform\u2019s security.<br><br>Not only is this legislation nigh impossible to implement, it would also be completely futile as the criminals in question aren\u2019t even using the applications the government has in its cross-hairs. What we\u2019re left with is a useless law that would gamble the privacy of millions of Australians on the Government\u2019s ability to keep such tools from falling into the wrong hands.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Australian Government&rsquo;s recently announced encryption legislation, forgetting for a moment its completely inoperable absurdity, is based on two deeply flawed assumptions which couldn&rsquo;t be further from the truth&hellip; either that, or it is a thinly veiled grab at unbridled mass surveillance. 
When Prime Minister Malcolm Turnbull &ndash; flanked by Attorney General George Brandis, Acting [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1291,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1290","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1290","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1290"}],"version-history":[{"count":2,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1290\/revisions"}],"predecessor-version":[{"id":3714,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1290\/revisions\/3714"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1291"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1290"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1290"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1290"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}