nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Oz government wants its own definition of what 'backdoor' means

When the good guys use backdoors, they're not backdoors, understand?

By Richard Chirgwin, 7 Jul 2017

Australia’s federal government has shifted its ground on the encryption debate, and is now working to hem in the debate by constraining the definition of “backdoor”.

The technologist’s understanding is that anything that compromises encryption represents a “backdoor” of some kind, from NSA-style bug-hoarding to key escrow to cryptographers planting “magic keys” in an application (which somehow, improbably, manage to remain secret).

The Australian government’s idea is that if it describes “backdoors” only in terms of NSA hacks or deliberately planned weaknesses, it can convince everyone that it’s not looking for backdoors.

If you have 15 minutes to spare, for example, this interview between Radio National’s Jonathan Green and the prime minister’s cyber-security advisor Alastair MacGibbon is informative. MacGibbon does an excellent job of explaining the government’s objective in the debate – that Australians should expect to be governed by the same laws whether their actions are online or offline.

However, he repeatedly trips up in explaining why the government isn’t seeking some kind of “backdoor” – because every “not-a-backdoor” example described some kind of backdoor.

For example, he told Green: “When it comes to encrypted communications, those people who manufacture the device, or who manufacture the software, will have a greater idea about how to gain access to information from that software or from that hardware than you or I might have, because they’re the ones that manufacture it.

“If you were the person that created and marketed a particular safe to the public – I would have great difficulty getting into the safe, but the manufacturer might be able to say ‘look, we don’t telegraph this, and you don’t need to know, police officer, how to get in there, but I might be able to help you get in there’.”

Apple or WhatsApp or Signal might know how to crack encrypted communications because they made the device or the software. Just don’t call that a backdoor, because the government says it’s not.

MacGibbon then discussed the fact that vendors are constantly pushing software updates to smartphones or laptops. “That means that the company knows that there are vulnerabilities, or there are things that aren’t functioning properly that need to be updated. Why can’t government go to those companies and say ‘look, we’re not asking you to do anything special, we’re not asking you to hard-wire in a vulnerability, a backdoor’.”

He just wants businesses to help governments exploit vulnerabilities they know about. “But if you know that there’s a way you could help us, and this phone was in the hands of a terrorist, and we’re now in lawful possession of that device, could you help us?”

But it’s not a backdoor.

Turnbull’s backdoor harmony

With that position worked out in Canberra, it’s no surprise that Prime Minister Malcolm Turnbull is practising the same semantic hair-splitting in his public statements. Ahead of this week’s G20 summit, he spoke to the ABC, starting from the same premise as MacGibbon, that the rule of law “must prevail in the cyber world”.

Encryption prevents that: Internet-based messaging services are “increasingly encrypted end-to-end. Not only are they unable to be decrypted in transit, but the operator of the service is unable to decrypt them”.

Just as police can get a warrant to open a filing cabinet, “so access should be able to be had” to encrypted messages. “We have the ability to seek an order ... but of course, it doesn’t help you if you can’t get the communications decrypted”, he said, adding that “The decrypt has to be available from the company”.

He followed up in Hamburg by saying, “There should be no ungoverned space on the Internet. We need more assistance to ensure that higher and higher levels of encryption are not being used to conceal terrorists and criminals.”

But it’s not a backdoor.

It doesn’t work like that

It seems to Vulture South that the semantic quibbling is pitched to people who don’t quite understand what the fuss about – that is, most people, because encryption is such a complex thing to explain.

“Backdoors” are what the NSA does – all the government wants is to have encryption broken under due process, and encryption is somehow special to messaging platforms like WhatsApp or Signal or Telegram. In other words: Citizen Bloggs probably doesn’t know that messaging apps and platforms like Facebook or Twitter or Google use the same end-to-end encryption that protects Internet banking.

Citizen Bloggs also doesn’t understand that the phone or laptop manufacturer didn’t write the SSL/TLS implementation that puts “HTTPS” at the start of a URL – and a compromise to SSL/TLS is a compromise to everything that uses it.

Why should citizens need to know? Developers have spent more than two decades making encryption accessible to everyone to protect them from malice.

The government can’t get around this by imposing its own definition of “backdoor”. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing