Published by The Lawfare Institute
in Cooperation With
According to published news reports, the Australian government plans to “introduce draft legislation that will attempt to force technology companies to break into end-to-end encrypted messages.”
Of course, there’s an irony in attempting to compel tech companies to compromise end-to-end encryption, which is designed to ensure that messages are encrypted at the sender’s device and remain in that state until they are decrypted at the recipient’s device. This means that even if a message is intercepted as it travels through servers controlled by the tech company that designed the messaging system, it is gibberish unless the interceptor can come up with the decryption key.
Modern encryption is extremely strong, so brute force attempts to find a decryption key by random guessing don’t work. The number of possible keys vastly exceeds the number of guesses that even today’s fastest computers can make in a reasonable time frame. As a result, intercepting an encrypted message and then trying thousands, millions, or billions of random keys to try to decrypt it is, mathematically speaking, an exercise in futility.
When a reporter asked Australian Prime Minister Malcolm Turnbull, “Won’t the laws of mathematics trump the laws of Australia?,” Mr. Turnbull reportedly responded “Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”
Actually, the laws of mathematics, including the mathematical framework that enables strong cryptography, apply in Australia and in every other country. The laws of mathematics can’t be undone by wishing they didn’t exist, or by legislating them away.
This calls to mind a bill introduced to the Indiana General Assembly in 1897 relating to the relationship between the circumference and diameter of a circle, which is characterized by pi, an irrational number frequently expressed in rounded form as 3.14. The 1897 “Pi Bill” asserted that it was “introducing a new mathematical truth” and that “the ratio of the diameter and circumference is as five-fourths to four.” This ratio corresponds to a value of pi of 3.2 as opposed to the correct value of (in rounded form) 3.14. While the Pi Bill unanimously passed the Indiana House, fortunately for everything circular in the world, it never passed the Indiana Senate and therefore never became law.
Well over a century later, legislators are once again grappling with mathematics, this time in the context of encryption. Governments, including Australia’s, are properly concerned that encryption can be used to mask criminal activities. For years—decades in fact—governments have been trying to figure out how to come to grips with this issue. Over that time span, encryption technology has advanced significantly, and the proliferation of messaging apps with end-to-end encryption has put strong encryption within easy reach of anyone with a smartphone. When these apps are used in furtherance of unlawful activity, governments have a right to be concerned.
But any policy solutions need to be developed with a clear understanding of the realities, mathematical and otherwise, that relate to encryption. Brute force decryption of intercepted messages won’t work because the number of possible keys is too large. Technologically speaking, a government could try to mandate the creation of a “back door” enabling it to either access decryption keys or to access messages at the endpoints in their unencrypted form. But as the 1990s Clipper Chip debate made clear, this would raise important civil liberties concerns, and in any case the market would quickly respond. The apps with back doors would be discovered, and many people would migrate to apps with no known back doors, and to apps designed to operate in a decentralized manner so that messages don’t all pass through servers controlled by a single entity.
There is also the challenge of extraterritoriality. How, for example, would a government stop people from using apps designed in countries where it has no jurisdiction? Finally, there’s the key point that, viewed from the standpoint of cybersecurity, encryption is enormously beneficial. Government attempts to undermine encryption would also undermine cybersecurity.
The intersection of encryption and law enforcement, in short, is very complex and getting more so as more people communicate using systems that use end-to-end encryption by default. The solutions won’t be easy, and they certainly won’t work if they are premised on the belief that legislation can overrule mathematics.