In the previous part of my exploration of the impact of strong encryption on our security agencies, I described the unsophisticated days of intercepting telephony in the 1970s. With voice communications, it’s largely a case of ‘grab it or it’s gone’. Most of the history of signals intelligence is about eavesdropping on moving data. But the advent of internet communications introduced a new angle, as data ‘at rest’ in a computer or smartphone at either end of the communications channel became a potential source of intelligence.

The Apple handset that became the centre of a 2016 court case in the US last year provides an intriguing case study. Even after being presented with a court order to provide the FBI with access to the handset, Apple declined on the grounds that they would have to create an access channel that could be used to render vulnerable any iPhone using that system. It wasn’t a case of encryption being the sticking point—the problem was getting past the phone’s passcode. It’s a more complicated story than sometimes appreciated, but it brought the tension between customer privacy, information security across the wider economy, and the requirements of law enforcement and intelligence agencies very much into public view.

There’s something a little puzzling about the pushback in the iPhone case. As I pointed out last time, we all lived happily enough in the post-1979 world of legislatively-guaranteed warranted access to our telecommunications. Philosophically at least, it seems reasonable for governments to want that level of access to be preserved (or, perhaps more accurately, reinstated). In principle I’m inclined to agree, with the proviso that there’s robust and effective oversight, including the stipulation of warranted collection.

It must be said that some governments haven’t helped themselves in that respect. The public is more tolerant of focused investigations of suspicious behaviour and individuals than it is of wider ‘fishing expeditions’ into big data pools. In 1979, it was hard to do much of the latter, but more recently the US National Security Agency was caught out hoovering up large quantities of metadata under their Prism program without sufficient oversight. A UK system called Tempora went well beyond metadata, and was undiscriminating in its targeting. And the Australian government did a horrible job of explaining its own ambitions for metadata collection.

And in practice, I don’t think we can get there from here. Encryption isn’t just a tool used by bad people to plan bad things: it’s now a critical part of the rapidly growing online economy. Banking and e-commerce couldn’t function effectively without it. As we saw in part 1, the US government rolled out strong encryption for exactly that reason in the 1970s (and continues to support today). And individuals have perfectly valid reasons to implement security mechanisms such as virtual private networks—any traveller doing internet banking over someone else’s Wi-Fi network has good reason to want the additional protection. In fact, given how poor network security can be, it makes good sense for users to implement protective measures over sensitive data.

Perhaps most important are end-to-end encryption systems, used by applications like WhatsApp, Signal, iMessage, and Facebook Messenger. Only the two client users have the key to decrypt any message. Companies such as Apple and Facebook, on whose products the messages are transmitted, don’t have access to unencrypted messages or to encryption keys.

There have been calls to outlaw strong encryption so that law enforcement and intelligence agencies can crack communications between targets of interest. That begs many questions. Who decides how strong is ‘too strong’? Does ASIO or the AFP need to be able to access data in an hour, a day, or a week? Moore’s Law tells us that what the NSA can do today, others will be doing in the not too distant future. So how can we ensure the protection of innocent but sensitive communications? Or is the government going to decree that some privacy measures won’t be available to the public at large?

Finally, even if we managed to tie up all of the loose ends in the Australian telecommunications marketplace, how do we quarantine local users from apps and hardware that are compatible with Australian networks and are readily available from offshore vendors? Australia, the UK, and even the US can’t legislate for the totality of the messaging app universe, and any lawful intercept legislation would quickly move serious threats onto other platforms that could be even worse for law enforcement—or even wider society. High profile companies like Apple, Google and Facebook tend to help when it’s clearly a public duty to do so (they work with authorities to identify and eliminate child pornography, for example). But smaller firms, especially those in other countries, might feel no such obligation. And any vulnerabilities engineered into products will be available to be exploited by entities other than our own security agencies.

I think it’s an intractable problem. The horse has bolted, and the access to data through lawful intercept that our security agencies once enjoyed will never be possible again. As Bob Dylan might put it, it’s not dark yet, but it’s getting there.

 

Note: I had a lot of useful feedback from my ASPI colleagues on these two posts. I thank them, but don’t blame them for anything here.

With Chelsea Manning’s release from prison imminent, following the surprise commutation of her sentence in January by former President Obama, the issue of what happens to Edward Snowden will resurface.

Manning was sentenced to jail for 35 years for the largest unauthorised release of classified information in US history at that time and Obama’s act of clemency took her supporters and detractors alike by surprise. Both remain unsettled about what it means.

For those who condemn Obama’s action, including the weighty opinion of House Speaker, Paul Ryan, Manning is one of the worst traitors in US history, and deserved her sentence. Supporters, the highest-profile being Wikileaks and the American Civil Liberties Union which represented Manning, saw it as too long in coming and a precedent for Snowden and Assange.

But there is little comparison. A pillar of the criminal justice system is mens rea or intent which provides, for example, the difference between murder and manslaughter. Manning did consciously and deliberately elect to break the law in 2010 by releasing to Wikileaks around three quarters of a million sensitive government documents, causing immeasurable harm to US and coalition interests. But this was not her purpose in 2007 when, as Bradley Manning, she joined the United States Army, or even when she later deployed to Iraq.

Like many military personnel, Manning enlisted in the hope of a better life including a good education. Her personal issues, including gender identity and bullying, saw her career see-saw from being slated for discharge on mental health grounds through to becoming an intelligence analyst with a high-level security clearance deployed to Iraq.

Snowden, by his own admission, sought out a contractor position with Booz Allen working for the NSA in Hawaii. He took a pay cut to access classified data for release, although most of the data he released he’d already downloaded during his previous job as a contractor for Dell. Snowden didn’t find himself stranded in a job he’d been posted into while in a difficult personal situation: this was a conscious plan implemented over years to steal and publicly release information.

Another element of the justice system is acknowledging guilt and facing the consequences. Manning pleaded guilty to 10 of 22 charges, with the most serious charge of aiding the enemy later dropped. She was found guilty on 17 charges and amended versions of the remaining four, and sentenced to prison. With her now-commuted sentence she will have served seven years when she is released. This is far greater than any other recent US espionage case.

Snowden, by contrast, has never faced justice for his crimes. His carefully planned getaway, captured in documentary form after he contacted a filmmaker, ensured the information was released when he was outside the US. Hong Kong authorities denied a US request for his extradition, and he flew to Russia, where he reportedly remains. Snowden says he won’t return to the US as the charges don’t allow him to defend himself in open court; this is the argument of a conspiracy theorist who doesn’t recognise US law or responsibility to justice.

The third issue is the much-discussed matter of the whistleblower. And here we focus starkly on Snowden. For in the three years between Manning’s revelations and Snowden’s, the US intelligence community and its global partners had turned themselves inside out to understand what had happened and why. A key initiative from this was whistleblower protection.

The US, Australia and others have institutionalised mechanisms for employees to raise concerns through internal arrangements or through an external independent body, although in 2013 there were issues about how accessible these were for contractors in the US. Snowden says he tried to raise concerns internally, though the NSA says there is no record; and Snowden has not yet been able to produce evidence to support his claim, despite secreting hundreds of thousands of documents from the NSA for public release.

It is easy to allege secrecy about the machinations of intelligence agencies. But the reality of probity and rule of law in democracies—particularly after Manning—is that there are many lawful ways to deal with a perceived legal or ethical issue other than plotting to commit a crime by recklessly releasing information on capabilities and individuals to the entire world. There are also residual issues that face any organisation of how likely these are to change approved government policies and programs.

As President Obama stated, the manner of Snowden’s sensational disclosures had often ‘shed more heat than light’, and revealed US capabilities to adversaries rather than seeking to improve US government ethics and accountability.

Manning committed the largest release of government information in the history of the US to that date. But Manning was a deeply troubled individual who faced up to her crimes and served punishment. The President elected to apply clemency for time served and took into account her situation, including troubled mental health and good behaviour in custody.

While Snowden’s case demonstrates some psychological issues, these manifest in different ways. Far from being bullied, Snowden exaggerated his educational qualifications and experience, engaged confidently in the workplace and ultimately betrayed his colleagues without empathy. Despite his protestations that this was not about him, engaging journalists and filmmakers suggests the opposite, as does his insistence that only his view of the world is right and that his conduct was above reproach.

President Obama broke the record books with his use of the Presidential pardon and commutation power during his time in office, but it was never likely he would absolve Snowden of his crimes. Indeed, in 2015 the White House confirmed it wouldn’t pardon Snowden. Under the Trump administration, a pardon would be unthinkable.

The decision last week to award a Pulitzer Prize to the Guardian and Washington Post newspapers for their coverage of classified material leaked by Edward Snowden has refocused attention on the pros and cons of both Snowden’s and the newspapers’ actions.

Some have praised the decision and have hailed the newspapers for being both ‘judicious and brave’ in their handling of the material. Others, including one of my ASPI colleagues, see little value in awarding the prize for what amounts to an unauthorised release of state secrets.

In truth, there’s merit in both positions. Unlike Wikileaks before it, which largely released material that was embarrassing to governments and militaries but has been of little lasting security harm, the Snowden case involves extremely sensitive material that has the potential to cause deep and lasting harm to the ability of America’s intelligence agencies—and, because of the five eyes relationship, Australia’s—to perform their roles. Making public some of the access points for interception of material, and the technological tricks required to exploit it, will play to the advantage of those trying to keep their communications out of the hands of American and allied agencies. And the nature of the intelligence business is that it’ll be difficult to know what’s been lost—it’s hard to quantify intercepts that don’t happen. Read more

A belated Happy Safer Internet Day, readers! 11 February 2014 marked the 11th iteration of the event. Supported by the European Commission, HSID seeks to promote safe and responsible use of internet-based technologies, with a focus on children and young people the world over. The 11th was also The Day We Fight Back, commemorating Aaron Swartz and the Stop Online Piracy Act (SOPA) blackout as a day of activism against the NSA’s mass surveillance. It appears Australian Senators got into the groove with a stoush over Snowden.

Still in Australia, a local firm has announced plans to roll out Bitcoin ATMs across the country. The news comes as the digital currency took a significant hit after a software bug was reported by the main Bitcoin exchange in Tokyo, and as Russia’s Solicitor General concluded that cryptocurrencies are illegal in the state.

Just in time to ratchet up the fear amongst Americans setting off for Sochi, NBC aired a sensationalist piece on the inevitability of being hacked during the Olympic Games. The cyber security buff who loaned his services for the segment was quick to distance himself from the piece as well as any flawed understanding imparted to viewers due to editing. While there was no shortage of commentators taking shots at the reportage, NBC have continued to stand by their man. Read more

Netizens are in an uproar as a DC Federal Court has come down against the Federal Communications Commission’s (FCC) net neutrality rules. Verizon, the lead plaintiff in the case, petitioned for its right to ‘manage’ its infrastructure, potentially offering fast access ‘express lanes’ for a premium or charging high bandwidth services such as Youtube or Netflix fees for access. With the FCC stripped of its Open Internet rules, many advocates worry that business interest will run roughshod over the common citizen, with fees stifling innovation and big business essentially dictating content. However there’s also some optimism as the court has left plenty of room for the FCC to shift the Internet from an information service into the regulated telecommunications world.

On the other hand, the MIT Technology Review turns net neutrality upside down when looking at the issue from the perspective of emerging economies. With Internet accessibility limited, concerns over cost trump the ideals of net neutrality and free services like FacebookZero and Google Free Zone are largely the tools of choice. As these ‘seeker’ countries strive to improve ICT, they also face a growing rate of malware and other security threats. But there’s hope as Microsoft Security has found a tipping point in cyber maturity, where developments in ICT cease to incubate cyber malfeasance and malware rates begin to drop.

Read more