In the wake of the recent terrorist attacks in London, there is a renewed attempt by global governments to increase surveillance of the internet.
Taking aim at encryption, Malcolm Turnbull stated that, despite it being “a vital piece of security for every user of the Internet … encrypted messaging applications are also used by criminals and terrorists – at the moment much of this traffic is difficult for our security agencies to decrypt, and indeed for our Five Eyes partners as well”.
In June, attorney-general George “Darth” Brandis, along with his Five Eyes counterparts from the UK, US, Canada and NZ, met in Ottawa to discuss ways to weaken encryption and pressure the tech industry to build back doors through which they can spy on global communications.
In response, a joint statement by 83 organisations and individuals from these five countries opposed these plans. The executive officer of Electronic Frontiers Australia, Jon Lawrence, said, “Calls to undermine encryption in the name of ‘national security’ are fundamentally misguided and dangerous”. Jim Killock, executive director at the UK’s Open Rights Group, said, “Security experts and cryptographers are as united in their views on encryption as scientists are on climate change”.
At the time of writing, we don’t know what decisions were made at the Five Eyes ministerial meeting, but new attempts to circumvent encryption reflect the ways that state surveillance has changed since revelations from US whistleblower Edward Snowden.
In 2013, Snowden shocked the world when he revealed that the US and its allies had created the largest and most complex system of state surveillance that has ever existed. One of the US National Security Agency’s most invasive programs was XKeyscore, a searchable database with millions of people’s emails, web browsing histories and more. This also allowed for real-time monitoring of almost any individual around the world while they used the internet.
Just four years later, the state of computer security has changed immensely, making this surveillance more difficult. According to a report published in February by the Electronic Frontiers Federation, more than half of all internet traffic is now encrypted. The expansion of Virtual Private Network services and use of the Onion Router (TOR) has made it easier for everyone to remain anonymous online. However, the development that is of most concern to the likes of the NSA is the widespread use of encrypted mobile devices and messaging applications such as Signal and WhatsApp.
These applications use a method called end-to-end encryption in which messages are encrypted, and the tools to decrypt those messages exist only on the device of the sender and receiver. Therefore, a company like WhatsApp cannot read the messages sent through its servers. As a WhatsApp spokesperson said in 2016 as part of an ongoing court case brought by the Brazilian government, “We cannot share information we don’t have access to”.
Years before James Comey began presenting himself as the supposed good guy of the US establishment, the then FBI director railed against the use of domestic encryption tools. In 2015 he stated, “If the challenges of real-time interception threaten to leave us in the dark, encryption threatens to lead all of us to a very dark place”.
He pressured companies such as Apple to build back doors to bypass encryption. While the intelligence agencies recognise that they cannot currently break modern encryption algorithms, they have focused their resources on trying to get around them by hacking directly into mobile devices.
This strategy was demonstrated in March when whistleblower website WikiLeaks released Vault 7, the largest ever publication of confidential documents leaked from the CIA. Additional leaks this year by hacking group Shadow Brokers have further revealed the extent of the intelligence agencies’ hacking capabilities. These documents show that the US has been developing, purchasing and stockpiling security vulnerabilities in Apple and Android mobile devices. Exploiting these vulnerabilities has allowed them to read WhatsApp or Signal messages as they are being typed or read.
One of the most damning leaks in Vault 7 revealed that the CIA had discovered how to turn Samsung Smart TVs into covert listening devices, even when they are turned off.
The recent WannaCry and Petya ransomware attacks, which caused immense damage across the world, both used security holes codenamed EternalBlue that had been stockpiled by the CIA and deliberately left open. While the CIA did not intend these vulnerabilities to be used in this way, it is the inevitable result of keeping software insecure and creating back doors.
With leaks from the CIA and the NSA exposed, these security flaws are now being fixed, making it more difficult for the agencies to continue their spying activities. This explains the increased push from Five Eyes countries to force tech companies to install back doors so they can bypass encryption.
However, the argument that states should have the right to bypass encryption to stop terrorism simply doesn’t hold up. It would be ludicrous to suggest that turning Smart TVs into listening devices is about stopping ISIS. It has always been about developing tools for mass surveillance, and now increasingly for espionage and cyberwar. This has been seen before. For example, the worm Stuxnet was written by the US and Israel and used to target Iranian nuclear facilities.
It is not a question of whether governments will one day use these hacking techniques for domestic surveillance – they already do. On 30 June, it was revealed that Centrelink has been paying Israeli hacking company Cellebrite to break into mobile phones. The methods used are the same ones Cellebrite developed in 2015, when it helped the FBI break into an iPhone as part of the San Bernardino terrorism case.
It is now known that government departments such as the Australian Tax Office and the Department of Employment have paid around $500,000 to Cellebrite for equipment and training to hack into phones.
In the debate about metadata storage, George Brandis was adamant that the government wasn’t after the content of Australians’ communications, just who we are talking to. These new revelations and the entire debate about encryption show that the content is exactly what they are after. No matter the justification, we should resist any attempt to weaken encryption and our right to privacy.