Charles Gutjahr

Melbourne, Australia

Don't let crime flourish online, keep strong encryption.

Malcolm Turnbull said this week that “the law must prevail online as well as offline”, and I wholeheartedly agree. We shouldn’t let crime flourish just because it happens online.

Lawful interception is a long-standing way of dealing with crime, and I think it has been a good thing. Australian Federal Police should be able to intercept and monitor communication between people when they have a warrant. However if end-to-end encryption is used then police are unable to read intercepted messages, even if companies handling the communication do their best to help. One day lawful interception could become completely useless because none of the information will be readable, and that could be devasting for police investigations.

However it is also reality. Lawful interception is dying, and Turnbull forcing companies to break into end-to-end encryption is not going to bring it back.

The laws won’t work because they’re intended for use in serious crime, and serious criminals aren’t going to be worried about using an encryption method banned by the law. It is inconceivable that keeping a message secret would ever be a more serious crime than terrorism or paedophilia. Criminals will keep their messages secret.

That’s probably why Turnbull is talking about going after Facebook and Google rather than the criminals. If tech companies replace secure encryption with an alternative that they can break into for police, perhaps a few criminals who don’t understand tech will get caught… until the word gets out that you can’t trust Facebook or Google any more, and everyone learns to use something secure. There are heaps of alternatives that will endure because they are decentralised and not dependant on any one company, for example OpenPGP or OTR.

But there are real risks to companies being forced to make people’s private data readable. Companies can have rogue employees who abuse that access. In the past Google fired staff who read private messages and stalked teenagers. Then of course there are hackers. In recent years hackers have stolen data on 500 million Yahoo users, 167 million people on LinkedIn and 150 million Adobe customers. Hackers held to ransom millions of messages between kids and parents in a CloudPets breach earlier this year. End-to-end encryption prevents hackers from gaining access to millions of private messages: if the company cannot read messages then their hackers cannot either.

What’s the point of undermining the security of things most people use, when anyone with an incentive to avoid interception can easily use something else to stay out of reach from the authorities?

We should not introduce this law if it stops few serious criminals but allows other cybercrime to flourish.

Charles Gutjahr

I'm a web application developer, occasional photographer and full-time nerd. This is my blog.