Government leaders & law enforcement are trying to force tech companies to put backdoors in encryption in the name of public safety. There are 750,000 law enforcement employees & 1/2 million US intelligence agencies community employees who may use those backdoors, & likely many others worldwide. Strong encryption is available throughout the world. If businesses & general public are forced to use encryption with back doors, will cybercrooks will be the only ones using strong encryption; those the backdoors were intended to be used on to begin with? How will Australia’s new law requiring encryption backdoors impact data security & privacy? Who has oversight of that law? How will it impact other countries? Does any evidence prove encryption backdoors have improved safety/security? Rebecca discusses these and related issues with Dr. Katina Michael, Arizona State University director of the Centre for Engineering, Policy and Society. Katina is also a privacy and uberveillance pioneer.
Source: Katina Michael with Rebecca Herold, 5 February 2019, “Will Australia’s Encryption Law Kill Privacy in the Name of Safety?”, Data Security and Privacy: Voice of America, https://www.voiceamerica.com/show/episode/112884
As the Federal Government today pushes the button to create My Health Records for every Australian who wants one, the industry has stepped out asking for more transparency around security and secondary use of the records to enable people to make more informed decisions about it.
The industry has also voiced out about data de- and re-identification, a global approach to cybersecurity issues as healthcare digitises, information security requirements of the future and blockchain as a way to alleviate some of the challenges associated with the My Health Record system.
On 26 November 2018, the Federal Parliament passed legislation to strengthen privacy protections in My Health Records Act 2012 without debate or division.
The new legislation means that Australians can opt in or opt out of My Health Record at any time in their lives. Records will be created for every Australian who wants one after 31 January and after then, they have a choice to delete their record permanently at any time.
The date of 31 January follows much deliberation from the Federal Government to extend the opt-out date. Australians initially had until 15 October 2018 to opt out of the national health database, or a My Health Record was to be created for them by the end of that year.
But following the opposition calling for an extension to the opt-out period, the public outcry against the potential for the data to be shared with police and other government agencies, a leaked government document detailing the Australian Digital Health Agency’s response to concerns and a raft of changes recommended by the Senate Inquiry into My Health Record, the Federal Government pushed this date back and relaxed its stance on when Australians can opt in or opt out of the system.
Australian Academy of Technology and Engineering (ATSE) President Professor Hugh Bradlow said the collection of health data across the population will result in better health outcomes as it not only shows how effective interventions are, but also allows treatments to be personalised based on the experience of thousands of other patients.
“New forms of measurement (based on artificial intelligence) will also give patients far more significant information about institutional performance, practitioner performance, the outcomes of specific interventions, etc.” he said.
The Society of Hospital Pharmacists of Australia (SHPA) Chief Executive Kristin Michaels said the My Health Record debate highlighted the need for an integrated ehealth system, accessible only to health professionals and set up at the request of health organisations, for the benefit of all Australians.
"All Australians, regardless of any illness or condition, deserve to get the highest-quality care,” Michaels said.
“More often than many would think, patients are unable to explain the medicines they are already taking and for what conditions they are already being treated, particularly after a seizure or if unconscious. Many of these patients are unaccompanied. Sometimes this lack of information leads to errors that have serious impacts on people’s lives.
“[Hence] hospital pharmacists have long called for a shared, electronic patient data system that links up a fragmented health system and empowers patients in their own care."
The issue of security
However, University of Melbourne Department of Computing and Information Systems Cybersecurity Senior Lecturer Associate Professor Vanessa Teague expressed her concerns around the privacy implications of secondary uses of My Health Records not being accurately explained.
“Both doctors and patients can be easily and confidently identified in a dataset… In the case of patients, this means that a few points of information, such as the patient's age and dates of surgeries or childbirths, is enough to identify the person and thus, retrieve all their Medicare bills and PBS [Pharmaceutical Benefits Scheme] prescriptions for many years.
“Easy and confident re-identification has been demonstrated on numerous other datasets that were shared in the mistaken belief that they were de-identified. It is probably not possible to securely de-identify detailed individual records like My Health Records without altering the data so much that its scientific value is substantially reduced.”
Teague said patients may choose to opt out of secondary uses of their data but are unable to make a “genuinely informed decision” if they are inaccurately told that their detailed record cannot be identified.
“Even more importantly, those whose identifiable MBS [Medicare Benefits Schedule]-PBS records were already published in 2016 should be notified, because the earlier release could make re-identification of their My Health Records much easier,” she said.
Harvard Medical School International Healthcare Innovation Professor Dr John Halamka also previously criticised the system for relying on outdated technology, saying that the $2 billion My Health Record was nothing more than “digitised paper” as it uses such “out-of-date” technology that crucial patient information on test results and diseases are unable to be read or shared by computers.
University of Wollongong School of Computing and Information Technology Professor Katina Michael said health data breaches, for some, could have a huge impact.
She used the recent example from Singapore, where 1.5 million Singapore health records were breached in a highly targeted effort on SingHealth. Among the breached health records was Singapore Prime Minister Lee Hsien Loong's personal records.
“What does this tell us when one of the world's most advanced cybersecurity nations suffers such a large-scale attack? Plainly, that no one's personal information is safe, no matter the measures in place,” she said.
"If we have learnt anything over the last four months, it is that electronic health records are hackable. We need not have to look too far to see that no system is impenetrable.”
Michael also speculated that there is the possibility of a ramp up of blockchain initiatives to beef up on My Health Record security.
“We will likely be told in the not too distant future that we wildly underestimated our security requirements and as such, must go one step further and protect our credentials,” she said.
According to Professor Michael, this involves the implant of a 16-digit Personal Health Record (PHR) ID number into people that also reads vital signs while embedded. This technology then alerts first responders of ailments and medications without the need for the person to provide any information.
ATSE’s Bradlow said the industry needs to be “realistic” about it as the danger of data leaking due to cyber hacking is as true as hacking any other data system.
“Let’s remember that many [healthcare professionals] have easy access to today’s paper-based health records – an electronic record is actually a step up in privacy. Within My Health Record, we can make it the default to require a patient access code,” he said.
“A well-designed record system which is managed by a professional security organisation and has a clear audit trail, for example, provided by blockchain, can mitigate this risk significantly."
Source: Hafizah Osman, 31 January 2019, “Industry calls for more caution over MHR system”, https://www.healthcareit.com.au/article/industry-calls-more-caution-over-mhr-system
Note: Thank you Hafizah Osman— interestingly I was referring to the VeriChip experiment of the PHR that Dr John Halamka trialled for a short time and wrote about in 2006 here: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1656959/
Today is the final day to opt out of the controversial My Health Record. So should you?
Here are the major arguments for and against the national medical database.
In the pro-MyHealth camp is a range of doctors and scientists, including most of the peak health bodies.
They say having a national, digital record of individual health “journeys” will stop medication errors (and doctor shopping), give health specialists a heads-up on a patient when they see them for the first time, and help patients track their own treatment.
They argue the patient will control what goes on file, and stays on file. Parents will have control over young children’s files. There will also be a stream of data that will help researchers get better outcomes.
The Federal Government recently added extra safeguards, including stopping insurers from accessing data, further restricting access by law enforcement and government agencies, and doling out bigger penalties for improper use. A person can now permanently delete their record.
Individual doctors have concerns they might be liable for other doctors’ mistakes, but the main industry authorities are all gung-ho.
SPECIAL SUBSCRIPTION OFFER: $1 FOR FIRST 28 DAYS
Every story + App access + Digital print edition + Exclusive rewards
No lock-in contract. Limited time offer. Find out more and sign up here
The Australian Medical Association argues MyHealth has improved. President Tony Bartone says it is now a “far better product” than it was.
“Australians can be assured that it’s as good as possible,” he says. “It is going to aid in the clinical outcomes of a vast number of Australians, and prevent unnecessary medication errors, unnecessary hospital readmissions.
“It’s going to help with mapping out the journey that is very complex through the whole health system, and hopefully become that backbone that improves the communications and connectivity that is sadly lacking in our health system at the moment.”
Pharmacists say often patients don’t know the medicines they’re on – or they might be unconscious – and this can lead to errors.
The Society of Hospital Pharmacists of Australia says it’s critical to make sure patients get the right drugs, particularly in emergencies.
“All Australians, regardless of any illness or condition, deserve to get the highest-quality care,” chief executive Kristin Michaels says.
Professor Hugh Bradlow, president of the Australian Academy of Technology and Engineering, says plenty of people already have access to paper records, so MyHealth is actually a “step up” in privacy.
The Federal Government says the data will be secure and will only be accessed by healthcare workers who legitimately need it.
People can also elect to be notified when an organisation accesses their record and see a log of every access.
PlayMute0:00/2:00Loaded: 0%Progress: 0%Fullscreen
Greg Hunt guarantees My Health security
In the anti-MyHealth camp are many digital privacy experts who say the system is flawed and that any system that collects that much data on people is a tantalising prospect for hackers. Some groups are worried it could be misused to stalk someone.
Unless people take action, from today records containing vital health information including any records of sexually transmitted diseases or mental health issues will be kept.
Computing expert Katina Michael, from the University of Wollongong, pointed to a large-scale attack on Singapore’s health records, where 1.5 million records were breached.
“If we have learnt anything over the last four months, it is that electronic health records are hackable,” she said.
“Plainly … no one’s personal information is safe, no matter the measures in place.”
As well as the possibility of someone illicitly accessing your records, some experts worry about secondary uses of data. Information that has theoretically been “de-identified” – had the personal details removed – will be given to researchers.
Cybersecurity senior lecturer Associate Professor Vanessa Teague, from the University of Melbourne, said “de-identifying” the data had been shown not to work because other information such as surgery dates could be used to “re-identify” the person.
“It is probably not possible to securely de-identify detailed individual records like MyHealth records without altering the data so much that its scientific value is substantially reduced,” she said.
The Federal Opposition is not entirely against MyHealth – it established the electronic health record system that preceded it. But they’re taking the opportunity to have a crack at the Government. Yesterday Opposition health spokeswoman Catherine King said the already extended deadline should be extended further.
Labor also wants an independent Privacy Commissioner review and have pledged to start one if they win this year’s election.
Meanwhile, The Advertiser has revealed today that ambulance paramedics can’t access the record – and they’re the people most likely to need to know if you have a pre-existing issue or deadly allergy.
The Australian Digital Health Agency, which runs MyHealth, says that access has not been activated yet. On top of that, there are complaints that bad IT setups in public hospitals mean doctors in emergency departments can’t access the records anyway.
In the end – as Health Minister Greg Hunt said yesterday – “it’s every Australian’s choice”.
Source: Tory Shepherd, January 31, 2019, “My Health Record: To opt in or out? The case for both sides”, news.com.au The Advertiser, https://www.news.com.au/national/south-australia/my-health-record-to-opt-in-or-out-the-case-for-both-sides/news-story/a5a4ac4b6d1999eea9dcf057de1d04e9
The Human Rights Commission has raised serious concerns about significant threats to human rights with the Federal Government's new encryption laws.
A last-minute deal between Labor and the Coalition saw the laws pass late yesterday.
But there are now calls for critical amendments to be made as soon as possible.
Duration: 2min 51sec
Broadcast: Fri 7 Dec 2018, 12:14pm
Ed Santow, Human Rights Commissioner
Professor Katina Michael, technology expert, University of Wollongong
Citation: Ed Santow and Katina Michael with Nancy Notzon, December 7, 2018, “Human Rights Commission raises serious concerns with new encryption laws”, The World Today: ABC Radio, https://www.abc.net.au/radio/melbourne/programs/worldtoday/human-rights-commission-raises-concerns-new-encryption-laws/10594166
Citation: Katina Michael with Nancy Notzon, December 7, 2018, “Rushing Through the Encryption Bill Means Watering Down National Security”, ABC Radio: The World Today, https://www.abc.net.au/radio/adelaide/programs/worldtoday/the-world-today/10573620 8.30-11.30min
Stories about the Assistance and Access Amendments to the Telecommunications laws in Australia were syndicated across ABC regions using one of two stories I recorded- the first with ABC Illawarra, and the second with ABC’s The World Today. Here was a record of syndication until about 11am this morning, December 7 2018. This passing of the Bill by Australian Parliament has many alarmed. How could this law have been passed in the last “sitting” week of Parliament?
Triple J Radio • AUS • Dec 7 • 10:00 am
Triple J Radio at December 7th 2018 10:00 AM
agencies access encrypted messages Professor Katina Michael from the University of Wollongong says powers are unprecedented and they have no
ABC Broken Hill AM • AUS • Dec 7 • 10:00 am
ABC Broken Hill AM at December 7th 2018 9:30 AM
Sarah to master good morning Becker it's rest come here a University of Wollongong data expert has labelled the Federal government's new
ABC Northern Tasmania • AUS • Dec 7 • 10:00 am
ABC Northern Tasmania at December 7th 2018 10:00 AM
driving erratically the Launceston CBD to contact Crimestoppers University of Wollongong data expert has labelled the Federal government's
666 ABC Canberra • AUS • Dec 7 • 07:47 am
A University of Wollongong data expert has labelled the Federal Government's encryption laws delusional and warns they could have
105.7 ABC Darwin • AUS • Dec 7 • 07:01 am
laws delusional an could result in catastrophic consequences. Professor Katina Michael, University of Wollongong (UOW), who says that it is
702 ABC Sydney • AUS • Dec 4 • 12:03 pm
Newcastle, Goulburn to Canberra, Lithgow to Orange and Wollongong to Nowra to Sydney. Professor Andrew McNaughton, who says that it is about
702 ABC Sydney • AUS • Dec 4 • 10:02 am
Newcastle, Goulburn to Canberra, Lithgow to Orange and Wollongong to Nowra to Sydney. Professor Andrew McNaughton, who says that it is about
ABC Illawarra • AUS • Dec 7 • 07:30 am
ABC Illawarra at December 7th 2018 7:30 AM
news ABC Illawarra news good morning I'm Ainslie drew Smith University of Wollongong data expert is warning the government's new encryption
Triple J Radio • AUS • Dec 7 • 07:00 am
Triple J Radio at December 7th 2018 7:00 AM
safari suit protest Yammer as Brooke Boney with triple j news University of Wollongong data expert has labelled the Federal government's new
ABC Alice Springs • AUS • Dec 7 • 07:00 am
ABC Alice Springs at December 7th 2018 5:30 AM
not believe the Labour Party would ultimately stand into by a University of Wollongong data expert has labelled the Federal government's new
ABC NewsRadio • AUS • Dec 7 • 07:00 am
ABC NewsRadio at December 7th 2018 7:00 AM
led to his encryption laws would pars unmanned Meanwhile University of Wollongong data expert has labelled the Federal government's new
ABC Illawarra • AUS • Dec 7 • 06:30 am
ABC Illawarra at December 7th 2018 6:30 AM
's news time ABC Illawarra news good morning I Ainslie Drewett Smith University of Wollongong data expert has labelled the government's new
ABC Illawarra • AUS • Dec 7 • 06:20 am
ABC Illawarra at December 7th 2018 6:20 AM
't give away note to alright making news this morning a University of Wollongong data expert is warning the government new encryption laws
A University of Wollongong data expert has labeled the government's proposed encryption laws delusional and warns they could have catastrophic consequences.
The changes would force technology companies to help police access encrypted messages.
Professor Katina Michael, from the School of Computing and Information Technology says the powers are unprecedented and have no oversight.
She is speaking to ABC reporter Kelly Fuller.
Citation: Katina Michael with Kelly Fuller, “Rushed Encryption Laws Herald a Watering Down in National Security”, ABC Illawarra: Radio, 6 December 2018, https://soundcloud.com/kelfuller/data-expert-warns-encryption-laws-could-have-catastrophic-outcomes
British companies are planning to implant staff with microchips to improve security. Sputnik spoke about it to Katina Michael, professor of the Faculty of Engineering and Information Sciences at the University of Wollongong.
Sputnik: Could companies sell employees' personal data to third parties?
Katina Michael: The first thing to know is that before an employer considers selling implant discrete data to a third party, they would likely use it to monitor their staff. For example, for physical access control, the way staff congregate to exchange ideas, how often they use the restroom, how fast they may be finishing and completing some tasks. It is not to say that that would occur, but quite possibly it would be used as a timestamp device. In comparison, today we commonly find facial recognition or fingerprint recognition allows employees to log their time at work.
But a company now can use this technology to introspectively look at what employees are doing. I mean, we can consider employers today gathering data on their employees by using smartphones: I know a lot of companies sign off an agreement when they do offer their employees a company-sponsored smartphone, identifying that they may well log their locations and time based on the company smartphone. Otherwise, I don't believe that a corporation would sell that information.
Sputnik: But if companies were to sell personal data to third parties, what could employees do to prevent that from happening?
Katina Michael: Employees would not be able to block the distribution of data gathered from their implantable devices, unless they've signed some legal agreement not allowing consent to occur or through local workplace surveillance laws. And so they can block the corporation from sharing that information with other companies, such as health insurance providers.
Sputnik: Could employers know if staff contacted a competitor about a job?
Katina Michael: You have to consider that the diffusion of the implants is only a couple hundred people, for example, in the UK, and many of them are not in the employment context. In one case there was an implant device granted to someone with a systematic technology need, an amputee; and when we look at these more widely in the world we could say that probably a few thousand people at most, who are hobbyists to get an implant because they are infused by technology and progress, and being able to automate certain aspects of their life.
I don't believe that, for the time being, information would be provided when one implantee meets another implantee, because of the limitations of the mutual communication and the radio frequency identification being used in that technology. These technologies don't act like smartphones; for the time being the devices are proximity devices that require you to be no more than ten centimeters away from a reader.
Citation: Katina Michael and Laurie Timmers, 2018, “Businesses to Microchip Employees 'to Monitor' Staff”, Sputnik International News, https://sputniknews.com/analysis/201811121069747561-business-microchip--monitor-staff/
Identifying cyber-trolls can be a difficult task. They come in all shapes and sizes, with real names or pseudonyms, may be young or old, male or female, admins, moderators, or everyday people who post online.
Sometimes trolling can be obvious, other times covert, at times happen through sheer ignorance and still at other times be deliberate.
Online communities create rules to be followed, so that those posting can conform to some standard, allowing for a community to flourish. But what happens when the interpretation of those rules are misconstrued or taken is a means to an end?
One of the key attributes to open online communities, is that all people are welcome to observe, contribute, consider and reply, to ongoing commentary as they see fit, so long as they are in coherence with the theme of the venue.
We all know what spam is. Spam posted detracts from the main issues of an online community. Moderators can choose to remove those individuals who are spamming the ether, taking away from the main cause(s) of their community.
But what happens when an innocent contributor is blocked or removed from participating because they have seemingly broken the rules. In this case someone likely using their official company identity, posted more than one post per week, despite that the theme of the posts was photography, bringing more attention to the online community at hand.
Business have been known to use soft selling techniques to create networks of value for the goods and services they sell. However, in this instance, it seems the administrator(s) acted harshly in their interpretation of the rules of the online community. Possibly wrongly, given other members of the community spoke up. Power to the people, obviously, in this instance.
But what happens in bigger online community venues like Wikipedia? Is Wikipedia and its administrators free of creating a history unto themselves? Who can speak up after a deletion of content, or indeed a deletion of a person known to the community? The power is indeed with the administrators and moderators, not with the general online community.
Disinformation is a difficult issue to face at hand. That is because more than 98% of the content may be factual, or at least contain "most of the truth". The style of writing may also seem impartial but in fact is weighted to support a view that is not "centrist".
We need to re-evaluate online communities in terms of these very tricky parameters, that are not straightforward. The role of administrator, moderator and community participant are not equal, although the voice of each can be heard online, if enough people care to take up the point in question.
Citation: Katina Michael and Kendall Hutt, October 29, 2018, “When Members of an Online Community Challenge Admin and Moderators”, stuff.co.
It was a sunny day in December 2015 and 14 people lay dead in San Bernardino, California after a mass shooting at the North Park Elementary School.
I still remember the news footage taken from a helicopter hovering over a bullet-ridden black Ford Expedition, in which the perpetrators Syed Rizwan Farook and Tashfeen Malik had fled and were killed in, during a shootout with police.
There have been so many mass shootings in America since, including last year’s horrific killing of 58 concertgoers in Las Vegas, that the grim memory of San Bernardino has faded.
But the tragedy has had a lasting legacy in unexpected ways. In the months after the shootings, the FBI attempted to enlist the support of phone-maker Apple to gain access to Syed Rizwan Farook’s iPhone 5C as part of their investigation into what was being labeled a terrorist attack. The FBI wanted Apple to create a new operating system they could install on the dead shooter’s phone that would bypass security features. It would also serve to give the FBI access to iPhones in future criminal investigations too.
Apple famously refused, telling the FBI that giving in to a demand to “hack our own users” would set a precedent undermining the privacy of all iPhone users.
“While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect,” he wrote in an open letter to customers at the time.
This was just a couple of years after the Edward Snowden leaks, which revealed the extent to which government security agencies were secretly gathering masses of internet data. The big tech companies, keen to shore up trust, rushed to introduce end-to-end encryption to services like WhatsApp, Gmail and iMessage, making the argument that if their customers’ data was invisible to them, they couldn’t hand it over to the authorities.
FBI vs Apple
There were tense meetings between then-president Barack Obama and Apple chief executive Tim Cook, who didn’t resile from his position. Eventually, the FBI found a company that could break the phone’s encryption, paying them nearly US$1 million to do so. The issue died down as a technical fix broke the impasse. But politicians have continued to push the issue calling for new legislation that would force tech companies to allow law enforcement agencies access to encrypted systems.
In the wake of the San Bernardino massacre, President Trump made his feelings on the issue plain, calling for a boycott of Apple products.
“Who do they think they are?" He complained to the hosts of Fox & Friends.
Since then, he has been relatively silent on encryption, but his officials and US senators have been quietly working on the issue with a view to drafting encryption circumvention legislation that they know will face stiff resistance from the tech sector and its K Street lobbyists in Washington D.C.
Governments elsewhere have the same goal in mind as they struggle to track the online communication of suspected criminals and terrorists. An attack in London last May that saw a man drive his car into pedestrians, killing four people, opened the encryption debate in Britain.
The killer had apparently sent a message on the encrypted WhatsApp platform hinting at what he was about to do, moments before he ploughed into unsuspecting pedestrians. It led Theresa May to call for her security services to be given the ability to circumvent encryption systems.
Five Eyes stand together
The UK’s Investigatory Powers Act or ‘Snooper’s Charter’ introduced in 2016 gives British law enforcement agencies some powers to require network operators to remove “electronic protection” from communications and data. But it isn’t seen as strong enough to demand backdoors to encryption services, particularly for services delivered from outside the UK.
New Zealand introduced similar legislation in 2013, with the Telecommunications (Interception Capability and Security) Act. That requires internet providers to make their networks interception available to government agencies armed with a warrant. But it only applies to “network operators” - it is unlikely that the law could be used to demand Apple or Microsoft retrieve encrypted data for the New Zealand Police or the GCSB.
The issue hasn’t flared up in New Zealand in recent years, but our membership of the ‘Five Eyes’ security partnership with Australia, the United Kingdom, the US and Canada could propel us towards the legal changes other countries are pursuing.
Meeting earlier this year, the Five Eyes issued a joint statement stating their preference for technology service providers to “voluntarily establish lawful access solutions to their products and services that they create or operate in our countries”.
Then came the veiled threat:
“Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”
Backlash in Australia
Across the Tasman, the Liberal Government is pushing ahead with mandatory measures.
The so-called Assistance and Access Bill proposes three levels of assistance that tech companies and internet providers could be required to lend law enforcement agencies. At the lowest level, voluntary assistance could be offered, with the highest level of assistance seeing the country’s attorney general requiring tech companies to “build a new capability” into their systems to allow access to encrypted information.
The Bill has been slammed by Apple and other multinational tech companies as being too ambiguous and wide-ranging as well as by privacy and encryption experts.
“This is not a solution to the problem of just-in-time policing and border force security but an override on the freedoms of everyday Australians and Australian companies, or even those doing business in Australia,” says Professor Katina Michael, a technology and innovation expert at the University of Wollongong and Arizona State University.
“Privacy is a human right, and one way that right can be maintained in today's digital transactions is through encryption.”
Apple reiterated its call that breaking encryption systems will undermine security for everyone.
“This is no time to weaken encryption,” it wrote in a submission on the Bill.
“There is a profound risk of making criminals’ jobs easier, not harder. Increasingly stronger — not weaker — encryption is the best way to protect against these threats.”
The Australian Computer Society saw no reason to expedite the legislation which it described as “problematic”.
Technically, it can be done
But Dr Richard Adams, Adjunct Fellow in the School of Information Systems at Curtin University, said that while tech companies had an obligation to protect their customers’ data, they also had obligations to the “wider community”.
“The challenge is for manufacturers to meet the needs of both groups rather than adopt the best stance from a marketing/cost perspective,” he says.
With that in mind and the legislation putting the onus on the tech companies to come up with ways to grant security services access to encrypted services, it was time to consider what technical solutions could be offered to meet the government half-way.
“A simplistic solution on phone devices would be to store the data twice, once with the ‘user key’ and once with the ‘manufacturer key’ so the strength of the encryption itself would not be affected and the risk of having two ‘keys’ could be mitigated by the use of a very complex manufacturer key requiring physical access to the device,” he says.
“Obviously there would be push-back on the additional storage required and reduced battery life but the point is that from a purely technical standpoint it could be done relatively easily."
With the Five Eyes member countries all at different stages in pushing for stronger laws to deal with encrypted services, such technical efforts to assist governments will need more serious consideration.
The alternative is heavy-handed legislation that is not fit for purpose, rammed through by governments with a larger law enforcement agenda.
But Michael says we also need to consider the threat to privacy posed by the companies that are opposing efforts to circumvent encryption, which are wielding immense power themselves through their access to masses of our data.
“The complexity here is in the fact that private corporations like Apple, Google, Facebook, Amazon and Microsoft are amassing so much personal data that citizen data rights are being equally eroded by corporations themselves who share the data with third parties,” she says.
“We need to take a step back as Australians and ask ourselves why these private corporations are fighting this government bill together?”
Technology experts from academia are divided over the threat Australia’s proposed decryption Bill poses to citizen privacy and the integrity of digital services.
The draft Telecommunications Assistance and Access Bill 2018 has been strongly opposed by representatives of the global technology sector, with Apple calling the draft Bill “dangerously ambiguous” and stating that the powers proposed should “alarm every Australian”.
In a submission to the public consultation on the proposed legislation, Apple said the Bill could require device makers to create a tool to unlock a particular device regardless of whether the tool could be used to unlock every other user’s device.
The legislation could even allow the government to order smart home speaker manufacturers to install persistent eavesdropping capabilities into a person’s home, or to force providers to provide real-time interception of messages or internet-based audio or video calls, Apple warned.
Katina Michael, professor at the Arizona State University School for the Future of Innovation in Society and the School of Computing, Informatics and Decision Systems Engineering, agreed that the legislation could have serious consequences.
“What politicians and law enforcement agencies have not realised is that by creating rules that allegedly minimise the risk of cyberterrorism via encrypted messaging, that they are encroaching on organisational security, and on every individual citizen’s right to privacy,” she said.
“Privacy is a human right, and one way that right can be maintained in today’s digital transactions is through encryption.”
But she hinted that big tech companies such as Apple’s motives for opposing such legislation may not be as pure as they present them to be.
“The complexity here is in the fact that private corporations like Apple, Google, Facebook, Amazon and Microsoft are amassing so much personal data that citizen data rights are being equally eroded by corporations themselves who share the data with third parties,” she said.
“We need to take a step back as Australians and ask ourselves why are these private corporations fighting this government Bill together? One answer has to do with products and services that offer encryption in their operating systems and platforms as a competitive advantage, but another might be that private corporations want to maintain their power on governments.”
Monash University Faculty of IT Associate Professor and Director of Oceania Cyber Security Centre Dr Carsten Rudolph warned that the legislation threatens to undermine the security of a wide range of digital processes.
“Cryptography and security protocols are fundamental for many digital processes from e-commerce, banking, payments, to supply chains, control of critical infrastructures and others. Thus, it mainly protects our data, prevents crime and enables digitisation of our economies in the first place,” he said.
“Building any kind of third-party access into our systems undermines this security. Even worse, it might push criminals into other less visible and actually secure communication channels.”
But Curtin University School of Information Systems Adjunct Professor Dr Richard Adams said that while technology vendors have an obligation to protect their customers’ data from unauthorised access, they also have an obligation not to hinder law enforcement and intelligence services investigations.
“The challenge is for manufacturers to meet the needs of both groups rather than adopt the best stance from a marketing/cost perspective,” he said.
“The proposed legislation leaves the technical decisions to the manufacturers and service providers for how they implement strong encryption for data protection while allowing ‘special case’ access. The onus is therefore on them to develop a viable solution rather than to fall back on claims that it is ‘too difficult’ or that it will open up everyone’s data to ‘snooping’ by the security services, presumably on the assumption that they don’t have anything better to do.”
One solution could be to store all data on a device twice, and to individually encrypt each set of data, protecting one with a user key and one with a complicated manufacturer key that could nevertheless be used by the manufacturer to provide access for investigators as required.
“Obviously there would be push-back on the additional storage required and reduced battery life but the point is that from a purely technical standpoint it could be done relatively easily,” he said.
Citation: Dylan Bushell-Embling, 17 October, 2018, “Academics weigh in on decryption Bill”, Technology Decisions, https://www.technologydecisions.com.au/content/security/article/academics-weigh-in-on-decryption-bill-439724261
This news article was also syndicated here: http://www.australasianscience.com.au/article/issue-novdec-2018/australias-proposed-encryption-laws.html
我们的智能手机可能含有亲密信息、个人照片，甚至敏感的工作文件。 (ABC Local: Damien Larkins)
在很多国家，边境人员有权检查你的设备。 (Supplied: Immigration Department)
你也应该聪明地管理自己的数据信息。你可能希望打开双重认证，除了密码之外，还需另一层验证码。旅行的时候，将敏感信息存储在安全的欧洲服务器的云存储上，只在需要的时候进行访问。由于近期颁布的欧盟《通用数据保护条例》（General Data Protection Regulation），欧盟对数据的保护更加重视。
卡蒂娜·迈克尔（Katina Michael）是亚利桑那州立大学（Arizona State University）未来社会创新学院和计算机、信息学和决策系统工程学院（School for the Future of Innovation in Society and School of Computing, Informatics and Decision Systems Engineering）的教授。本文最初刊登在《对话》（Conversation）上。
Citation: Damien Larkins, 15 October 2018, “科普｜入境澳洲新西兰时若海关要求交出手机和密码, 你该怎么办?”, Sohu, http://www.sohu.com/a/259577219_99899108
Jackie and He Luman, October 12, 2018, “专家解读:入境新西兰被要求交手机和密码该怎么做?”, China News, http://www.chinanews.com/hr/2018/10-12/8648054.shtml
In the first week of October I was asked to write a piece on new laws in New Zealand giving Customs Border Police the write to search citizen smartphones without a warrant. This topic as well as telecommunications interception is something that I have been studying for close to two decades. I put everything aside to ham out a 1500 word piece. The Conversation’s editor, Shelley Hepworth provided a critical restructuring of the piece, introduced headings, and performed major incisions to get the piece down to a readable length.
Within 24 hours of its release on 7 October 2018, the piece had 40,000 or so impressions. Five days later, the piece has been syndicated by so many news outlets that I’ve literally lost count. It has received over 516,000 impressions. The most important of these were in the Australian, New Zealand and Singaporean markets, with a significant footprint in the United States. Interestingly, despite that Canada has hefty laws up to $50,000CND not much interest in the article has occurred there.
October 8, “What To Do If Airport Security Demands Access To Your Phone Or Laptop”, Gizmodo, https://www.gizmodo.com.au/2018/10/what-to-do-if-airport-security-demands-access-to-your-phone-or-laptop/
October 8, “Travelling overseas? What to do if a border agent demands access to your digital device”, Reddit, https://www.reddit.com/r/privacy/comments/9mctq6/travelling_overseas_what_to_do_if_a_border_agent/
October 10, “Travelling overseas? What to do if a customs officer demands access to your digital device“, Stuff.nz, https://www.stuff.co.nz/travel/news/107727171/travelling-overseas-what-to-do-if-a-customs-officer-demands-access-to-your-digital-device
University of Wollongong professor Katina Michael discusses what to do if a border agent demands access to your digital device. It comes after Customs NZ clarified rules in which officers can demand a 'digital strip-search'.
Citation: Katina Michael with Wendyl Nissen, October 11, 2018, “What to do if a border agent demands access to your device”, RadioNZLive: The Long Lunch https://www.radiolive.co.nz/home/on-demand/long-lunch/2018/10/the-long-lunch--in-case-you-missed-thursday--111018.html
Les voyageurs arrivant en Nouvelle-Zélande vont devoir faire face à un choix difficile: donner le mot de passe de leurs équipements électroniques aux agents de la douane ou payer une amende élevée...
Le New York Times indique dans son édition du 2 octobre 2018 que la loi néo-zélandaise permet aux agents des douanes de procéder à des investigations au niveau des téléphones mobiles, des ordinateurs portables et d'autres équipements emportés par les visiteurs et citoyens dans le pays.
Les voyageurs qui refuseront de débloquer leurs appareils pourraient avoir à payer une amende de 3000 dollars.
Aucun autre pays n'impose une pénalité financière dans ce cas bien que certains pays, comme les Etats-Unis, permettent aux agents de rechercher dans les appareils électroniques
pour suspicion d'acte terroristes ou autres.
Les avocats des libertés civiles estiment que ces législation sont intrusives.
« Beaucoup d'entre nous voyagent avec des données concurrentielles, industrielles, des informations confidentielles ou de propriété intellectuelle ainsi que des données personnelles dans nos téléphones. Les smartphones sont devenus des extensions de nous-même » estime Katina Michael, professeur à l'université de Wollongong en Australie qui s'est spécialisés dans les problèmes de surveillance.
Les officiels néo-zélandais indiquent que ces recherches sont limitées aux fichiers téléchargés dans les équipements et non à l'historique Internet aux documents ou aux données enregistrés sur des serveurs cloud et que les agents ont besoin d'avoir des motifs de suspicion de possibles actes criminels pour effectuer ces recherches.
Citations: “Les douaniers néo-zélandais peuvent demander un mot de passe”, Business Travel, https://www.businesstravel.fr/les-douaniers-neo-zelandais-peuvent-demander-un-mot-de-passe.html
Travellers arriving in New Zealand could face a stark choice at the airport: turn over the passwords to their mobile electronic devices to customs officials or pay a hefty fine.
The New York Times reported October 2, 2018 that New Zealand law allows border agents to search cellphones, laptops, and other devices carried into the country by visitors and citizens alike. Travellers who refuse to unlock their devices for inspection or divulge their passwords face fines of more than $3,000.
No other country is known to impose a financial penalty for such noncompliance, although many — including the United States — assert the right to search electronic devices carried over borders for evidence of terrorism or other banned activities.
Civil liberties and privacy advocates call such searches invasive. “Many of us are carrying competitive data, industry data, intelligence information or intellectual property, as well as personal items, on our phones,” said Katina Michael, a professor at the University of Wollongong in Australia who specializes in surveillance issues. “Smartphones have become an extension of our very selves.”
New Zealand officials said searches are limited to files downloaded on devices, not Internet search histories or documents and data saved on cloud-based servers, and that border agents would need to have reasonable suspicion of possible criminal activity in order to conduct a search.
Citation: Robert Curley, October 6, 2018, Business Traveller, https://www.businesstraveller.com/business-travel/2018/10/06/new-zealand-customs-demands-your-mobile-device-passwords/