Thursday, 16 August 2018
Do you Trust Australia? Part Two
After a couple of sleeps, I think my concerns about the proposed Assistance and Access Bill 2018 have crystallised.
While it attempts to preserve the trust we have in end-to-end encryption – great – that’s actually the easy part; our trust in encryption is based upon maths, so the ways it can be violated are limited (banning it, export controls, attacks against the math itself, and so on).
Much of the rest of the Internet’s operation is based upon a different, more human and more fragile kind of trust, and the proposed legislation could undermine much of that.
Let’s dig into two relevant examples.
To Catch Every Thief
This morning brings this very timely story from the US:
Back in March, as it investigated a spate of armed robberies across Portland, Maine, the FBI made an astonishing, unprecedented request of Google. The feds wanted the tech giant to find all users of its services who’d been within the vicinity of at least two of nine of those robberies. They limited the search to within 30-minute timeframes around when the crimes were committed. But the request covered a total space of 45 hectares and could’ve included anyone with an Android or iPhone using Google’s tools, not just the suspect.
The amount of information our digital devices collect and contain about us is astounding: where we go, who we talk to, what we buy, what we read, the politics we espouse, and what we listen to. Our TODO lists, our shopping lists and our diaries – really, our lives – are all tied up in these increasingly small bits of silicon.
Most of that information is now encrypted in transit and at rest, but that doesn’t mean it always stays that way. If you get content from a server, share a document, or use something that is advertising-supported, it’s probably encrypted when it goes from you to the service you’re using (Google, Facebook, Amazon, whatever), but the other side decrypts it to work with it. We trust the other end of the connection to treat our data in an appropriate way, governed by the terms and conditions that we agree to*.
This is where the proposed legislation enables access, at a very large scale. It effectively gives authorities a window into a tremendous amount of data, in many cases even if it has been encrypted.
In fact, the bulk of the proposed legislation is devoted to enabling exactly this kind of access – not only from Internet services, but the infrastructure that they use, the networks they’re carried over, all the way down to the chip suppliers for routers and servers (as well as your computer and phone).
As a result, the amount of data protected by this proposal’s approach to encryption is relatively small; it’s a few end-to-end chat applications like Signal and WhatsApp, and places where you’re the only person who holds the encryption keys (for example, some backup applications).
So, Australians will need to ask themselves if they’re still comfortable using, well, computers, given this amount of access to their information coupled with the level of oversight over these powers.
As we can see in the article linked above, this is already happening in the US and elsewhere too. That situation could play out very differently under the proposed legislation:
The warrant was the request. As far as I can tell, the proposed legislation decouples the warrant for a particular investigation from the request/demand for technical assistance. This brings the possibility of Australian authorities using these powers for overly broad fishing expeditions, using parallel construction once they find something interesting.
Google could contest the warrant. They chose to stall instead, but if they had, it would have been judged on merit and relevance to the case at hand. Under the proposed legislation, as far as I can tell, a recipient of one of these instruments can only contest the lawfulness of the instrument itself, which is judged by the decision-maker’s “subjective state of mind” (its words). The applicability to the warrant isn’t relevant.
The gag order was time-limited. The judge didn’t allow Google to talk publicly about the order, but only for a period of 180 days. The proposed legislation puts an indefinite gag order on all of its instruments, so we won’t know how they’re being used, or how much. Transparency reports won’t differentiate between an investigation focusing on one IP address for a day and every mobile phone in Australia for a year (for example).
Messing with Trust
The explanatory document goes out of its way to point out that the Internet’s trust infrastructure is not off-limits (emphasis mine):
Item 6 of the table lists persons that develop, supply or update software used, for use, or likely to be used, in connection with a listed carriage service or an electronic service that has one or more end-users in Australia. This category would include, for example, persons involved in designing trust infrastructure used in encrypted communications or software utilised in secure messaging applications.
Based upon this, one can easily imagine a situation where ASIO or a police commissioner or the AFP uses this authority to require a Certificate Authority (CA) to give them a valid certificate for a Web site or app.
They would likely say that doing so wouldn’t violate section 317ZG’s prohibition against building “systemic weaknesses”, since the effect was limited to the target client.
However, I’d argue that there’s still systemic harm; the sole function of a CA is to serve as an impartial trust authority. If they issue a certificate for a Web site to anyone other than the owner, they’re abdicating their basic function in the infrastructure of the Internet. And people will trust CAs and the WebPKI less.
I suspect that’s an acceptable harm from the standpoint of the drafters of this legislation. From the standpoint of the Internet’s infrastructure, however, it’s deeply worrisome – especially once tens or hundreds of other jurisdictions pass their versions of this legislation. It’s very possible that requests that are legal in Australia will cause service providers to break the law in others.
And all of this gets especially fascinating when you mix in CAs’ obligations to report every certificate they issue via Certificate Transparency. If they fail to log a cert issued under this legislation, it’s hard to see how that doesn’t undermine trust in CT and by extension, WebPKI.
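To make the Certificate Transparency point concrete, here is an added illustration that is not part of the original post and is not any CA’s or browser’s code: a small Python script that does what a CT-enforcing TLS client does with the SCT list embedded in a certificate. It parses the RFC 6962 SignedCertificateTimestampList (including the DER OCTET STRING wrapper the extension value sits in) and applies a deliberately simplified policy: at least two SCTs from distinct trusted logs. The log IDs (LOG_A, LOG_B, UNKNOWN_LOG), the trust store TRUSTED_LOGS, the timestamps and the FAKE_SIG signature bytes are all constructed placeholders, and the per-SCT signature check against each log’s public key is omitted; a real client does that as well, and Chrome’s actual policy scales the required number of SCTs with certificate lifetime.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList and apply a simplified CT
policy, as a CT-enforcing TLS client does before trusting a leaf certificate.
Standard library only; all log IDs, timestamps and signatures are placeholders."""
import struct
from dataclasses import dataclass

# X.509 extension OID that carries embedded SCTs (RFC 6962 s.3.3).
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"

# A log ID is the SHA-256 of the log's DER public key. These are constructed.
LOG_A = bytes([0xAA]) * 32
LOG_B = bytes([0xBB]) * 32
UNKNOWN_LOG = bytes([0xCC]) * 32
TRUSTED_LOGS = {LOG_A: "example-log-a", LOG_B: "example-log-b"}  # assumed trust store
FAKE_SIG = bytes([0x30]) * 70  # stands in for a DER ECDSA signature


@dataclass
class SCT:
    version: int        # 0 == v1
    log_id: bytes
    timestamp_ms: int
    extensions: bytes
    hash_alg: int       # TLS HashAlgorithm, 4 == sha256
    sig_alg: int        # TLS SignatureAlgorithm, 3 == ecdsa
    signature: bytes


def _take(buf, pos, n):
    """Slice n bytes at pos, refusing to read past the end of the buffer."""
    if pos + n > len(buf):
        raise ValueError("truncated SCT data")
    return buf[pos:pos + n], pos + n


def parse_sct(raw):
    version, pos = _take(raw, 0, 1)
    log_id, pos = _take(raw, pos, 32)
    ts, pos = _take(raw, pos, 8)
    ext_len, pos = _take(raw, pos, 2)
    extensions, pos = _take(raw, pos, struct.unpack(">H", ext_len)[0])
    algs, pos = _take(raw, pos, 2)
    sig_len, pos = _take(raw, pos, 2)
    signature, pos = _take(raw, pos, struct.unpack(">H", sig_len)[0])
    if pos != len(raw):
        raise ValueError("trailing bytes inside SCT")
    return SCT(version[0], log_id, struct.unpack(">Q", ts)[0],
               extensions, algs[0], algs[1], signature)


def parse_sct_list(blob):
    """blob is the extension payload with the DER OCTET STRING already stripped."""
    hdr, pos = _take(blob, 0, 2)
    body, pos = _take(blob, pos, struct.unpack(">H", hdr)[0])
    if pos != len(blob):
        raise ValueError("trailing bytes after SCT list")
    scts, p = [], 0
    while p < len(body):
        ln, p = _take(body, p, 2)
        item, p = _take(body, p, struct.unpack(">H", ln)[0])
        scts.append(parse_sct(item))
    return scts


def unwrap_der_octet_string(der):
    """Strip the OCTET STRING wrapper (short or long length form)."""
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    length, pos = der[1], 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if pos + length != len(der):
        raise ValueError("bad OCTET STRING length")
    return der[pos:]


def ct_policy_check(ext_value, trusted_logs=TRUSTED_LOGS, min_distinct_logs=2):
    """Simplified policy: at least min_distinct_logs v1 SCTs from distinct
    trusted logs. Signature verification with each log's key is omitted."""
    if ext_value is None:
        return False, "no embedded SCTs: the certificate was never logged"
    try:
        scts = parse_sct_list(unwrap_der_octet_string(ext_value))
    except ValueError as e:
        return False, f"malformed SCT list: {e}"
    seen = {s.log_id for s in scts if s.version == 0 and s.log_id in trusted_logs}
    if len(seen) < min_distinct_logs:
        return False, f"{len(seen)} SCT(s) from trusted logs, need {min_distinct_logs}"
    return True, "accepted: " + ", ".join(sorted(trusted_logs[i] for i in seen))


# Encoders used only to build the constructed sample data below.
def encode_sct(log_id, timestamp_ms, signature, extensions=b""):
    return (bytes([0]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([4, 3]) + struct.pack(">H", len(signature)) + signature)


def encode_sct_list_ext(scts):
    """TLS-encode the list and wrap it in a DER OCTET STRING, as in a cert."""
    inner = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    payload = struct.pack(">H", len(inner)) + inner
    if len(payload) < 128:
        return bytes([0x04, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([0x04, 0x80 | len(lb)]) + lb + payload


if __name__ == "__main__":
    samples = [
        ("never logged", None),
        ("one log", encode_sct_list_ext([encode_sct(LOG_A, 1, FAKE_SIG)])),
        ("two logs", encode_sct_list_ext([encode_sct(LOG_A, 1, FAKE_SIG),
                                          encode_sct(LOG_B, 2, FAKE_SIG)])),
        ("unknown log", encode_sct_list_ext([encode_sct(LOG_A, 1, FAKE_SIG),
                                             encode_sct(UNKNOWN_LOG, 3, FAKE_SIG)])),
    ]
    for label, ext in samples:
        print(f"{label:>12}: {ct_policy_check(ext)}")
```

The point of the check is the dilemma it creates for a certificate issued to someone other than the domain owner: either it is submitted to public logs, where the owner’s CT monitoring will see it, or it is withheld from the logs and rejected by every client that enforces this policy. A CA compelled to do the latter quietly is exactly the failure of CT that the paragraph above describes.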
One can imagine similar scenarios for DNSSEC (where things will get REALLY interesting, because of how it’s administered), as well as app stores (e.g., iPhone and Android).
Again, this is breaking down fundamental trust in the Internet’s infrastructure. If people aren’t sure that the software updates they get are authentic – for whatever reason, even if it’s just paranoia – they’ll turn them off, harming cybersecurity. And if people aren’t sure about the integrity of a Web site they’re looking at, it harms the Web.
I’m kind of hoping that someone is going to point out how I’m wrong on the points above (references please!), but if that’s not the case, I can think of a few ways to mitigate the worst effects of the proposed legislation:
Improve oversight. This might be through coupling of the request with a warrant, or providing separate judicial review. Anointing the decision-maker’s state of mind as the sole source of truth for the scope and applicability of a request just isn’t appropriate – especially considering that they’ll be judging technical feasibility. Include record-keeping requirements.
Consider systemic harm. Section 317ZG is off to a good start, but it needs to be more precise and expansive about potential harms. No one wins if trust in the Internet suffers. This might be through direct consultation with representatives of the Internet’s industry and institutions, or through a competent ombudsperson.
Time-limit the gag order. Once an investigation has finished, a service provider should be able to talk about at least the general nature of the request – in the press if need be. There might be exceptions to this, but they should be just that – exceptional.
Discriminate between agencies, acts and providers. The police superintendent of an Australian state has no business asking an overseas software developer to add code to their product, or asking Cisco to ship a rooted router. Some of the capabilities that this proposal enables are appropriate to ASIO and perhaps the AFP, but there’s no reason to lump it all together. It’s especially important to limit the scope of requests to providers without an Australian presence.
You might say that only the criminals need be worried about these things, but if that’s the case, why do we have anti-corruption commissions? And, remembering that the Internet we use is global, do we trust every other jurisdiction to act in good faith when they pass similar laws?
Again, I believe that the authorities that are empowered by this proposal act in good faith, but checks and balances over powers – especially ones as strong as this – are fundamental to democracy.
* Yes, that’s problematic, but that’s a whole other blog post.