Slashdot Mirror


Australia Set To Spy on WhatsApp Messages With Encryption Law (bloomberg.com)

Australia is set to give its police and intelligence agencies the power to access encrypted messages on platforms such as WhatsApp, becoming the latest country to face down privacy concerns in the name of public safety. From a report: Amid protests from companies such as Facebook and Google, the government and main opposition struck a deal on Tuesday that should see the legislation passed by parliament this week. Under the proposed powers, technology companies could be forced to help decrypt communications on popular messaging apps, or even build new functionality to help police access data.

Prime Minister Scott Morrison has said the legislation is needed to help foil terrorist attacks and organized crime. Critics say it is flawed and could undermine security across the Internet, jeopardizing activities from online voting to market trading and data storage.


  1. About time by 110010001000 · · Score: 2

    I have always been suspicious of those Aussies with their long knives and funny accents. What exactly are they up to down under there? They must be plotting something.

    1. Re:About time by Joce640k · · Score: 2

      But they communicate with pheromones, not Whatsapp.

      --
      No sig today...
  2. Idiots by Anonymous Coward · · Score: 5, Insightful

    Do these legislative entities not realize that the bad guys can write their own encrypted apps?

    Or send coded messages through existing apps that still won't help law enforcement?

    1. Re:Idiots by AmiMoJo · · Score: 2

      To be fair they are more concerned about the average low tech criminal having easy access to powerful encryption tools.

      If they wanted to go full 1984 they could simply make the use of unbreakable encryption for messaging a crime and charge anyone found to be using it. Apple and Google would block such apps in their app stores, and most criminals would not have the skills to write their own (and even if they did would be convicted if discovered).

      So actually this law can be quite effective if they are willing to take it far enough. If not the best they can hope for is deterrent. And of course either way it's a really terrible thing to do to your country and the citizens you are supposed to be serving.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. How does this tell good guys from bad? by mark-t · · Score: 4, Insightful

    Under the proposed powers, technology companies could be forced to help decrypt communications on popular messaging apps, or even build new functionality to help police access data.

    What's to stop nefarious people from using that same functionality? If police can use it, even if you give them the benefit of all doubt that they would never do anything harmful with it, then the bad guys can use it too.... either because of leaks or hacking or what have you... and because the technology has to accommodate being decrypted in this way by legitimate law enforcement, how does the technology tell the difference, and recognize when it is being accessed by legitimate law enforcement and when it is not? And if (when) it cannot, then what extra measures are law enforcement going to take to protect the general public from such eventuality?

    It seems to me that this is going to make law enforcement's job harder, not easier.

    Australian lawmakers are idiots.... and that's being complimentary to actual idiots.

    1. Re:How does this tell good guys from bad? by AmiMoJo · · Score: 4, Interesting

      If it were true that Google had a plaintext copy of messages it says are end-to-end encrypted it would be another Snowden moment. I assume you have zero evidence for this assertion or you would have provided it.

      I assume the same goes for WhatsApp.

      Back in reality for a moment, it actually makes a lot of business sense to use E2E encryption. If you don't you are going to get bombarded with requests from law enforcement, which cost money to process. Not to mention the reputation damage.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:How does this tell good guys from bad? by AmiMoJo · · Score: 2

      Can they actually enforce it against WhatsApp? Does WhatsApp have any business dealings in Australia?

      Otherwise it seems like the most they can do is pressure Google and Apple to block it from the Australian app stores. Maybe try to get ISPs to block it, good luck with that.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Stupid politicians ... by Anonymous Coward · · Score: 5, Insightful

    This is stupid. Encryption is mathematics, and mathematics has no built in back-doors for illiterate politicians who don't understand how encryption works.

    If you poke holes in it, then another motivated actor can find those holes and exploit them. Period.

    Tell you what, politicians who demand broken encryption should be forced to use any such system for their own security. They'll cry loudly how their stuff is too important to use broken encryption.

    Any encryption method which has back doors is, by definition, no longer secure. This will impact literally everything which uses encryption -- which these days is pretty much everything, including financial transactions.

    You can't legislate that Pi is 3, and you can't legislate that encryption can be bypassed without understanding that if you can bypass it, someone else can and will also bypass it.

    This is like mandating that all locks have a law enforcement button which opens the lock, and then saying nobody else will ever use that button because they're not supposed to -- it simply doesn't work that way in real life. Once you break it, it's broken for good.

    These companies can't deploy one means of encryption in one place, and another means for Australia. So, yeah, TFS is right, this could undermine all network security.

    Fucking idiot politicians.

    1. Re:Stupid politicians ... by Anonymous Coward · · Score: 2, Informative

      Correct. The real reason to be against it is that a backdoor key would be a secret which, if lost, would wipe the messaging company's stock value and cause a total of billions of dollars of damage to their clients. I doubt the government is intending to purchase insurance against this kind of eventuality. They want a shiny toy and if they lose it then their answer will be "oops".

    2. Re:Stupid politicians ... by dgatwood · · Score: 2

      It is entirely possible to encrypt content for both the public key of the receiver and the government, without introducing any flaw into the encryption itself.

      Pedantically, yes, but instead of introducing a flaw in the encryption, you're just shifting the flaw to the architecture surrounding it. Now you have a key that is so secret that law enforcement cannot be trusted to possess it, because if it gets out, every piece of encrypted data can then be decrypted.

      The best you can do is come up with a key escrow scheme in which every device has its own unique government key. But even this approach has fundamentally the same problem. All it takes is one person gaining access to the server that holds all those keys, and suddenly everybody's data is at risk.

      To come up with a scheme that has even a modicum of security, you have to go absolutely nuts with it, e.g.

      • Split each per-device key into multiple parts.
      • Store each part in a different country, in a room that only specific people have access to.
      • Ensure that access key holders are non-overlapping so that no single person can be coerced into providing access to more than one room.
      • Store all keys in printed form so that they cannot be accessed electronically (even temporarily). Place the printer itself in the locked room, with only a unidirectional serial cable providing a one-way data stream through the wall.
      • Provide independent databases in each of the rooms (all isolated from the public Internet) for looking up the location of the box in which that specific part of the key is physically stored.
      • Store the key in such a way that you can have a certain number of missing parts and still be able to reconstitute the key so a fire in one building will not destroy all of the keys.

      Such things are theoretically possible, but they result in multi-million-dollar (maybe even multi-billion-dollar) expenses for the companies involved. And even if you do this, you are still at risk of a nefarious third party compromising the servers used for generating those keys and associating them with specific users' accounts, either allowing them to substitute their own keys or sniff the keys, effectively compromising all new users of the service after a specific date.

      In short, there can be no technical solution to this problem that does not inherently create a gaping security hole so big you could drive a thousand M1A2 tanks through it side-by-side. So the only practical response when a government proposes something like this is to immediately put up a message on your site that says, "[Name of company] may soon become illegal in your country. Call your [legislator, parliamentarian] and tell them to vote no on [bill]." Then, if the law passes, follow through and deny access to your service to anyone in that country so that the government in question can serve as a cautionary tale for other governments considering similarly idiotic laws.

      Scorched earth really is the only answer that neofascist governments understand. If they think they can get away with this sort of thing, they will try, and everyone will suffer greatly when (not if) the inevitable total compromise happens as a direct result. The only winning move is not to play.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  5. Re:So everyone must be able to read all messages n by bluefoxlucid · · Score: 2

    Sometimes, they are. We know this because sometimes someone takes the software apart with reverse-engineering tools, then tells everyone.

    That kind of universal verifiability is the basis of integrity. I've been pushing it for voting. Current electronic voting machines use secret software reviewed by some people under NDA and loaded on the machines before the election, so you can't verify any of it. For an electronic voting machine to be usable during an election, you need to publish the software image, and then prove that image is the image loaded at the beginning of polling--achievable, but brutally-stringent on exact procedures for opening and closing the polling day.

    I've suggested the same about things like Single Transferable Vote and other voting rules: the state must publish the full ballot sets (which must be traceable to polling centers or marked as non-traceable mail-in absentee ballots) and the algorithm used to compute the results.

    It's not that everyone has the tools and knowledge to verify the election; it's that we've made it impossible to get rid of the kid pointing out that the Emperor has no clothes. He won't stop telling everyone.

    How long do you think we could hide code in WhatsApp to parallel-encrypt with another public key and send to another server?

    How long could we hide code that downloads additional code and adds it to the application?

    How would we keep people from dumping the memory space to find out what exactly that additional code does?

    How quickly will Google start screaming that Facebook is doing something shady? What about RMS? Peter Gutmann?

  6. Geoblock? by Midnight+Thunder · · Score: 2

    What's the chance that as soon as this is enacted some corporations will simply geo block Australia?

    Unlocking the vault could be a slippery slope to anyone wanting to get in.

    --
    Jumpstart the tartan drive.
  7. So... by fearm0nger · · Score: 2

    Just put that your application is not supported to run in Australia. As long as there is no business presence in the country the law should have no impact.

  8. iMessage by k2r · · Score: 3, Interesting

    I'm looking forward to Apple turning off iMessage in Australia to make a point.

  9. The world so far. by Impy+the+Impiuos+Imp · · Score: 2

    Of course, all access to this system will be recorded and stored on multiple sites with no way to delete or alter the records, for later review by elected officials to ensure no funny business like spying on political opponents.

    What? No?

    Huh.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  10. Re:Don't use a secure messaging app available by AHuxley · · Score: 2

    The 5 eyes networks will share every win in real time. Got some new keys to crypto? 4 other governments just got the same :)

    --
    Domestic spying is now "Benign Information Gathering"
  11. Five eyes stalking horse by lordlod · · Score: 3, Insightful

    It is worth knowing that this proposal emerged fully formed from the security agencies. This probably means that it was cooked up by the five eyes collective led by the USA and Australia was chosen as the country most likely to support its introduction.

    As many people have pointed out there is no way of implementing this without fundamentally violating the security of encrypted message applications and the impacts would flow on across the world. The assumption is that doing this would be undesirable.

    Once in place, and proven to work other countries will rush to "catch up" with similar laws. Until this occurs the five eyes nations can all utilize the Australian back doors via existing intelligence sharing agreements.

  12. The pineapples walk by night by ben_kelley · · Score: 2

    If you can read this message, you'll know what to do.