Skip to main content

A dangerous precedent: why the tech giants are refusing to decrypt users’ data

News story

With so much of our sensitive, personal information being digitised these days, it’s comforting to know that it’s protected by encryption technology so robust it can’t be accessed by any unauthorised party – even the most powerful intelligence agencies in the world.

Whatsapp app on smartphone
After the Manchester bombing in May 2017, messenger service Whatsapp wouldn’t decrypt the messages of the attacker Khalid Masood.

But in recent years, an increasing number of nations, including Australia, have been pushing the likes of Google and Facebook to break that encryption. Politicians argue that gaining access to the personal data of terrorists would be a highly effective and reasonable course of action, but their frustration has steadily mounted after a series of unsuccessful attempts to force the hand of tech companies to help.

In the wake of the horrific 2015 San Bernadino, California shooting, Apple refused to help US authorities unlock the iPhone of attacker Syed Farook. After the Manchester bombing in May 2017, messenger service Whatsapp wouldn’t decrypt the messages of the attacker Khalid Masood. Their reason? They say any tool they come up with to decrypt data will inevitably create a ‘backdoor’ – a vulnerability in the system that will inevitably be exploited by hackers. This, they say, would present an even greater risk.

In June 2017, heads of the intelligence services of Canada, New Zealand, Australia, the UK and the US – known as the ‘Five-Eyes’ alliance – met in Ottowa, where they agreed to “explore shared solutions” to the encryption stalemate.

Fresh from that meeting, Prime Minister Malcolm Turnbull joined Attorney General George Brandis and Australian Federal Police Commissioner Michael Phelan in July to announce new Federal laws that will oblige a range of social media platforms to allow access to users’ data. He declared the laws “vitally important reforms to keep Australians safe.”

But the actual effectiveness of such laws is unclear, as the tech giants, mostly based in California, fall outside Australia’s geographical jurisdiction. And they remain steadfastly defiant.

American cybersecurity expert and Curtin alumnus Dr Richard Forno explains that although the political attacks against encryption are in the interest of public safety, potential future government-mandated weaknesses in encryption technology would leave the personal data of law-abiding web users significantly more vulnerable to hackers.

Dr Richard Forno

Dr Richard Forno

“I think the renewed push for controlling, limiting or ‘backdooring’ encryption in recent years may look attractive to politicians eager to show they are doing something against terrorism or crime, but in the end it will result in a less secure internet for everyone,” he says.

“We fought this battle in the early 1990s when the modern internet was new, but sadly, these same issues and the so-called ‘War on Cryptography’ have returned – only now the internet is an indispensible part of modern society, and making it less secure is not a good idea for many reasons.

“Should weakened encryption become reality through legislation, the ‘bad guys’ will simply create and use their own encryption technologies, staying ahead of the good guys, so the only folks really impacted will be law-abiding governments, companies and citizens now being forced into using less-secure technologies and thus made more vulnerable to online attacks.”

Forno was one of the early researchers on the topic of ‘information warfare’ and has has forged a highly successful career as a cybersecurity advisor to an impressive list of clients, spanning military, government and commercial sectors in his US homeland. In 1996 he helped build a formal cybersecurity program for the United States House of Representatives.

In 2010 he received a PhD in Internet Studies from Curtin.

These days, he directs the Graduate Cybersecurity Program at University of Maryland, Baltimore County (UMBC), serves as the Assistant Director of UMBC’s Center for Cybersecurity, and is a Junior Affiliate Scholar at the Stanford Law School’s Center for Internet and Society.

He says attacking encryption is simply too dangerous a precedent.

“The bottom line,” he says, “is that governments are going to have to learn to adapt with the times and the reality of modern technology, even if it means some of their prior capabilities to monitor communications become reduced. After all, you can’t halt innovation or human ingenuity – either for the bad people or the good ones.”

If data encryption is so strong, why do we still have cyberattacks?

Cyberattacks are still common because there are plenty of other weaknesses that cybercriminals can target – the most common being our trust. Forno explains.

“When you think about it, people are the cause of, and can be the solution to, nearly all of our cybersecurity problems, but unfortunately while the human brain is the most complicated computer in the world, it’s also the one most easily compromised,” he says.

What is phishing?

Phishing is an attempt to gain access to sensitive information, such as credit card details or passwords, often by directing a web user to a fake website that resembles a legitimate one. It’s any online scam that exploits the trust of the victim.

“Despite all the tools, techniques, policies, and procedures implemented, companies frequently fall victim to common attacks such as phishing or social engineering. What explains that, other than the end-user being tricked? After all, the potential for being tricked isn’t something exclusive to the internet – it’s part of the human condition.”

The crippling WannaCry and Petya ransomware attacks in 2017 are good examples of this. They were created by criminals with high-level technical knowledge, but their effectiveness relies on victims being tricked into downloading seemingly innocent files containing the malicious software. Once on the victim’s machine, it encodes the data with a unique encryption, which the hackers promise to unlock on payment of a ransom.

Forno says the technical side of cybersecurity is therefore only part of the equation, and that

“To be a good cybersecurity professional, you need to be a decent geek – that is, you need some familiarity with the technology involved,” he says, “but my view, after 20 years in the cybersecurity industry and now as an educator, is that knowing about people is just as, if not more, important.”

Your comment

Your email address will not be published. Required fields are marked *