Juha Saarinen: Encryption is not a criminals-only tool


On Friday last week, a quote from a submission to a parliamentary inquiry into surveillance laws by the Australian Criminal Intelligence Commission (ACIC) made me do a double-take:

“ACIC observation shows there is no legitimate reason for a law-abiding member of the community to own or use an encrypted communications platform.”

That’s one hell of a broad and sweeping statement for ACIC to make at a time when ransomware attacks and aggressive hacking campaigns and privacy violations proliferate.

It turns out that ACIC was referring to specific services like Phantom Secure, Sky ECC and EncroChat which provide encrypted communications, and which have been used in the commission of nasty crimes worldwide, including murder, human trafficking, torture and more.

The above statement notwithstanding, ACIC appears not to be having a go at you and I using communications programs and devices protected by strong encryption.

Instead, the government crime intelligence says it “fully supports and recognises the legitimacy of readily available encrypted communications applications”.

Law enforcement agencies worldwide have long protested that widely available strong encryption could make it harder for them to intercept criminals talking about doing dirty deeds.

This is referred to as “going dark”, and criminals really are making a fist of doing just that.

Phantom Secure, for example, was set up with specially configured smartphones with functions that could leak information about communications and locations, like voice calls and texting over telco networks, and global positioning system (GPS) access removed.

The phones came with an encrypted email service, which the United States Federal Bureau of Investigation said mysteriously enough worked without Internet access and meant the devices could only communicate with each other.

EncroChat devices used hardware from Blackberry and Samsung, and could even feign a fake Google Android home screen. Press the power and volume button simultaneously, and the Encrochat phones booted up from an encrypted hidden storage partition, for secret, nefarious communications.

Sky ECC is a somewhat different kettle of fish. In March this year, Dutch police said they took out Sky ECC by hacking into servers and were able to listen in on live traffic. That resulted in raids on 75 properties, almost 100 arrests, millions in cash, diamonds and jewellery seized, along with 17 tonnes of cocaine (!).

The encrypted communications provider protested that a disgruntled reseller in Europe had been passing themselves off as official Sky ECC representative, flogging fake and insecure software and devices to criminals who in turn got busted by the police.

A delicious irony if true. For Sky ECC it’s probably too late no matter what: it’s domain now carries a big “THIS WEBSITE HAS BEEN SEIZED” banner, festooned with several US law enforcement agency logos.

That’s the thing though: Canada based Phantom Secure was said to have up to 20,000 users and was taken down in 2018 by the FBI, Australian and Canadian police with the founder arrested.

Encrochat got done last year, with more than 1000 of its 60,000 users being arrested in several police operations in Europe and the UK mainly. Here’s hoping police collected a good chunk of data on illegal activities and that those arrested will sing freely.

There’s only so much encryption can protect anyone from. At some point, user carelessness or stupidity, weak or buggy implementations or the sheer malevolence that comes with the territory for criminals whose activities are closely monitored by police will make things unravel.

Encryption isn’t going away, and there will be more dedicated communications platforms for criminals. The incentive to develop them is too strong, unfortunately.

That doesn’t make encryption a criminals-only tool however. With weak or no encryption, legitimate users would be running an Internet gauntlet between criminals, nation/state hackers and predatory surveillance capitalists if they dared to use their broadband connections.

People’s only defence would be trying to keep a low profile and hope nobody noticed them. I’m sure that’s not what governments wanting to break or weaken encryption intend, but literally, that is what will happen.

Former Australian Prime Minister Malcolm Turnbull famously claimed that the laws of the land trump the laws of mathematics as he insisted that it was possible to break encryption; let us hope that nobody will believe him.

There’s not an easy answer here, but providers having strong and robust policies on what constitutes legitimate use, what doesn’t, and enforcing these seems a necessary start.

The message should be that if you use a service for bad things, no amount of encryption will save you. You will be reported to the authorities.

Next, ensuring that the appropriate authorities have the resources and ability to act on providers’ reports would be a great step and an important discussion to have.

Source: Read Full Article