Thursday, August 30, 2018

The opposite of security

The GCSB's current motto on its website is "If New Zealand has secrets worth stealing, then they're worth protecting". Now, the GCSB and their Five Eyes masters want to make it radically easier for people to steal the very secrets they claim to exist to protect. How? By backdooring the encryption which protects our networks, our filesystems, our financial transactions, everything:
Ministers from the Five Eyes grouping of New Zealand, Australia, Canada, the United States and the United Kingdom have agreed to new measures to combat global threats, including seeking access to encrypted data and communications.

[...]

Among them was agreement that there was an urgent need for law enforcement agencies to gain access to encrypted data and communications, subject to conditions.

"The inability of intelligence and law enforcement agencies to lawfully access encrypted data and communications poses challenges to law enforcement agencies' efforts to protect our communities.

"Therefore, we agreed to the urgent need for law enforcement to gain targeted access to data, subject to strict safeguards, legal limitations, and respective domestic consultations.

"We have agreed to a Statement of Principles on Access to Evidence and Encryption that sets out a framework for discussion with industry on resolving the challenges to lawful access posed by encryption, while respecting human rights and fundamental freedoms," the communique said.
But while that statement uses the language of "lawful access" and makes much of judicial oversight, fundamentally such access requires that those systems contain vulnerabilities. Encryption cannot tell a warrant from a thief: any access path built in for the "lawful" user is a path open to anyone who obtains the key or finds the flaw that provides it. And as we've already seen, security agencies don't seem to care much for the law when they can hide behind secrecy, and vulnerabilities don't just get used by the (self-proclaimed) "good guys". There are already cases of security flaws kept secret by spy agencies being exploited by criminals, and those were just ordinary operating system vulnerabilities. Secrecy is no defence: there's an entire ecosystem of people out there searching for holes in our systems to use. If a vulnerability exists, they will eventually find it, and when they find it, they will exploit it. And where the vulnerability is in something critical, like say the encryption which protects your online credit card transactions or the digital signature scheme which identifies you as the author of a digital contract and makes it binding, then the consequences could be devastating.

Organisations like the GCSB ostensibly exist to protect us from that. Instead, they seem to be more interested in building themselves a global surveillance state. And that is not protecting us. Deliberately introducing security vulnerabilities into critical systems is not "security" - it's the opposite.