mark nottingham

Do you Trust Australia? Part Two

Thursday, 16 August 2018


After a couple of sleeps, I think my concerns about the proposed Assistance and Access Bill 2018 have crystallised.

While it attempts to preserve the trust we have in end-to-end encryption – great – that’s actually the easy part; our trust in encryption is based upon maths, so the ways it can be violated are limited (banning it, export controls, attacks against the math itself, and so on).

Much of the rest of the Internet’s operation is based upon a different, more human and more fragile kind of trust, and the proposed legislation could undermine much of that.

Let’s dig into two relevant examples.

To Catch Every Thief

This morning brings this very timely story from the US:

Back in March, as it investigated a spate of armed robberies across Portland, Maine, the FBI made an astonishing, unprecedented request of Google. The feds wanted the tech giant to find all users of its services who’d been within the vicinity of at least two of nine of those robberies. They limited the search to within 30-minute timeframes around when the crimes were committed. But the request covered a total space of 45 hectares and could’ve included anyone with an Android or iPhone using Google’s tools, not just the suspect.

To Catch A Robber, The FBI Attempted An Unprecedented Grab For Google Location Data

The amount of information our digital devices collect and contain about us is astounding; where we go, who we talk to, what we buy, what we read, the politics we espouse, and what we listen to. Our TODO lists, our shopping lists and our diaries – really, our lives – are all tied up in these increasingly small bits of silicon.

Most of that information is now encrypted in transit and at rest, but that doesn’t mean it always stays that way. If you get content from a server, share a document, or if something is advertising-supported, it probably is encrypted when it goes from you to the service you’re using (Google, Facebook, Amazon, whatever), but the other side decrypts it to work with it. We trust the other end of the connection to treat our data in an appropriate way, governed by the terms and conditions that we agree to*.

This is where the proposed legislation enables access, at a very large scale. It effectively gives authorities a window into a tremendous amount of data, in many cases even if it has been encrypted.

In fact, the bulk of the proposed legislation is devoted to enabling exactly this kind of access – not only from Internet services, but the infrastructure that they use, the networks they’re carried over, all the way down to the chip suppliers for routers and servers (as well as your computer and phone).

As a result, the amount of data protected by this proposal’s approach to encryption is relatively small; it’s a few end-to-end chat applications like Signal and WhatsApp, and places where you’re the only person who holds the encryption keys (for example, some backup applications).

So, Australians will need to ask themselves if they’re still comfortable using, well, computers, given this amount of access to their information coupled with the level of oversight over these powers.

As we can see in the article linked above, this is already happening in the US and elsewhere too. That situation could play out very differently under the proposed legislation:

Messing with Trust

The explanatory document goes out of its way to point out that the Internet’s trust infrastructure is not off-limits (emphasis mine):

Item 6 of the table lists persons that develop, supply or update software used, for use, or likely to be used, in connection with a listed carriage service or an electronic service that has one or more end-users in Australia. This category would include, for example, persons involved in designing trust infrastructure used in encrypted communications or software utilised in secure messaging applications.

Based upon this, one can easily imagine a situation where ASIO or a police commissioner or the AFP uses this authority to require a Certificate Authority (CA) to give them a valid certificate for a Web site or app.

They would likely say that doing so wouldn’t violate section 317ZG’s prohibition against building “systemic weaknesses”, since the effect was limited to the target client.

However, I’d argue that there’s still systemic harm; the sole function of a CA is to serve as an impartial trust authority. If they issue a certificate for a Web site to anyone other than the owner, they’re obviating their basic function in the infrastructure of the Internet. And people will trust CAs and the WebPKI less.

I suspect that’s an acceptable harm from the standpoint of the drafters of this legislation. From the standpoint of the Internet’s infrastructure, however, it’s deeply worrisome – especially once tens or hundreds of other jurisdictions pass their versions of this legislation. It’s very possible that requests that are legal in Australia will cause service providers to break the law in others.

And all of this gets especially fascinating when you mix in CAs’ obligations to report every certificate they issue via Certificate Transparency. If they fail to log a cert issued under this legislation, it’s hard to see how that doesn’t undermine trust in CT and by extension, WebPKI.
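The CT obligation above is checkable from the client side: a publicly trusted certificate carries a list of Signed Certificate Timestamps (SCTs) in an X.509 extension, and a client can see which logs vouched for it and when. The following is an added example, not code from the post; it locates that extension in a DER certificate and decodes each SCT's log ID and timestamp (RFC 6962, section 3.3), and builds its own constructed extension as sample input rather than fetching a real certificate. The OID scan is a shortcut in place of a full X.509 parser.

```python
import struct
from datetime import datetime, timezone

# DER encoding of OID 1.3.6.1.4.1.11129.2.4.2, the embedded SCT list extension.
SCT_LIST_OID = bytes.fromhex("060a2b06010401d679020402")

def der(tag, content):  # minimal DER TLV encoder (short or long definite length)
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + content

def der_len(data, pos):
    """Decode a DER length at pos; return (length, offset of content)."""
    if data[pos] < 0x80:
        return data[pos], pos + 1
    n = data[pos] & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def extract_sct_list(cert_der):
    """Return the raw SignedCertificateTimestampList, or None if absent.
    Locating the extension by its OID bytes avoids a full X.509 parser."""
    idx = cert_der.find(SCT_LIST_OID)
    if idx < 0:
        return None
    pos = idx + len(SCT_LIST_OID)
    if cert_der[pos] == 0x01:                 # optional BOOLEAN 'critical'
        pos += 3
    _, pos = der_len(cert_der, pos + 1)       # extnValue OCTET STRING
    n, pos = der_len(cert_der, pos + 1)       # which wraps a second OCTET STRING
    return cert_der[pos:pos + n]

def parse_scts(sct_list):
    """Return (version, log_id_hex, timestamp_utc) per SCT (RFC 6962 s3.3)."""
    total, pos, out = struct.unpack(">H", sct_list[:2])[0], 2, []
    while pos < 2 + total:
        n = struct.unpack(">H", sct_list[pos:pos + 2])[0]
        sct, pos = sct_list[pos + 2:pos + 2 + n], pos + 2 + n
        ts_ms = struct.unpack(">Q", sct[33:41])[0]   # after version(1)+log_id(32)
        out.append((sct[0], sct[1:33].hex(),
                    datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)))
    return out

def sample_extension(log_id, ts_ms):
    """Constructed test data: one v1 SCT (empty extensions, sha256/ecdsa, dummy sig)."""
    sct = (b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
           + b"\x04\x03" + struct.pack(">H", 8) + b"\x00" * 8)
    sct_list = struct.pack(">HH", len(sct) + 2, len(sct)) + sct
    return der(0x30, SCT_LIST_OID + der(0x04, der(0x04, sct_list)))
```

A certificate with no SCT list at all is what a CT-enforcing browser refuses, which is exactly the signal a quietly issued, unlogged certificate would have to forgo.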

One can imagine similar scenarios for DNSSEC (where things will get REALLY interesting, because of how it’s administered), as well as app stores (e.g., iPhone and Android).

Again, this is breaking down fundamental trust in the Internet’s infrastructure. If people aren’t sure that the software updates they get are authentic – for whatever reason, even if it’s just paranoia – they’ll turn them off, harming cybersecurity. And if people aren’t sure about the integrity of a Web site they’re looking at, it harms the Web.

Suggested Improvements

I’m kind of hoping that someone is going to point out how I’m wrong on the points above (references please!), but if that’s not the case, I can think of a few ways to mitigate the worst effects of the proposed legislation:

You might say that only the criminals need be worried about these things, but if that’s the case, why do we have anti-corruption commissions? And, remembering that the Internet we use is global, do we trust every other jurisdiction to act in good faith when they pass similar laws?

Again, I believe that the authorities that are empowered by this proposal act in good faith, but checks and balances over powers – especially ones as strong as this – are fundamental to democracy.

* Yes, that’s problematic, but that’s a whole other blog post.