INDUSTRY & RESEARCH
campusreview.com.au
Open or shut case
International debate rages over whether
encrypted data should be required to have
a ‘back door’ for government access.
By James Wells
Mandatory ‘back doors’ into
secure, encrypted data could
compromise university research
worldwide, a cybersecurity expert
has warned.
US and UK law enforcement and
intelligence agencies have been pushing
for all encrypted data to have a back door
that government can use for surveillance
purposes. A back door is a purpose-built
weakness in an encryption system that any
party holding the key to this hidden access
point can use to hack data. Australia could
adopt a similar policy.
US Federal Bureau of Investigation
director James Comey argued in a recent
blog post that universal strong encryption
impedes the ability of law enforcement to
identify criminal threats. In the aftermath
of last year’s Paris terrorist attacks, Michael
Keenan, Australian federal justice minister,
also labelled widely available encryption a
“significant challenge” to intelligence and
security agencies.
But Dr Suelette Dreyfus, from the
University of Melbourne, says computing
experts widely oppose mandatory back
doors. She says they would risk giving
criminals and foreign governments access
to sensitive information. This, Dreyfus
says, would unnecessarily breach people’s
privacy and would probably be unworkable
in practical terms.
It could also compromise the security of
university research, Dreyfus warned.
“Universities hold a wealth of valuable
intellectual property,” she says. “If you force
researchers to use security software that is
deliberately broken, you risk making it easier
for criminals and IP espionage agents to steal
it. It would weaken the protections of one of
Australia’s greatest assets for the future.”
University data isn’t all that could
become vulnerable. Banking details, private
conversations, credit card statements and
insurance details are some of the types of
sensitive information that could potentially
be exposed if governments mandated
cyber back doors, Dreyfus says. The
argument that security benefits outweigh
risk doesn’t hold water, she says, because
“if you weaken all encryption, it effectively
turns 23 million Australians into targets”.
Mandatory back doors could also pose a
serious risk to consumer confidence in the
digital economy, she says.
Dreyfus isn’t the only expert to express
such concerns. Keys Under Doormats:
mandating insecurity by requiring
government access to all data and
communications, co-authored by Creative
Commons co-founder professor Harold
Abelson, Cambridge security engineering
professor Ross Anderson, and Microsoft
Research senior cryptographer Josh
Benaloh – along with 12 others – warned
against mandatory back doors as well.
Such measures would compromise
security systems and add another layer of
complexity, they argued.
It’s generally accepted among the
computer security industry that the more
complicated a security system is, the less
secure it is.
The group’s paper also raised concerns
about the rule of law, presumption of
innocence before guilt, and human rights.
Jurisdiction was also an issue.
“The greatest impediment to exceptional
access may be jurisdiction … This is not
only a US issue,” the paper read. “The UK
Government promises legislation this fall to
compel communications service providers,
including US-based corporations, to grant
access to UK law enforcement agencies,
and other countries would certainly follow
suit. Which countries have sufficient respect
for the rule of law to participate in an
international exceptional access framework?
How would such determinations be
made? How would timely approvals be
given for the millions of new products with
communications capabilities? And how
would this new surveillance ecosystem be
funded and supervised?”
At securetheinternet.org, there is an
international petition responding to
these concerns, calling for the world’s
governments to reject any policy that
mandates weakened encryption, creates
back doors, or coerces parties to weaken
their encryption. Users have the right to
secure their data, the petition states, and
shouldn’t have to turn it over without due
process and respect for human rights.
Dreyfus is a signatory. The petition was
launched on January 12.