With hackers becoming increasingly savvy, many Australians have turned to encrypted messaging apps to cloak messages between friends, colleagues and whoever else they’re speaking to. But beyond knowing it’s one of the safest ways to communicate digitally, end-to-end encryption remains a bit of a mystery. Here’s how it works and why Australia’s spy agencies are trying to find a way in.
The short message service, or SMS, has been popular since the start of the 2000s and has prevailed for the two decades that followed. While it’s a reliable service and many of us still use it daily, it’s not an encrypted service. This obviously wasn’t as big a deal in its early stages, as the technology was still being understood and people were less concerned with unknown actors peeking in on their communications. 20 years on, encryption is a primary concern for many.
As more people have come to understand that messaging services such as Facebook’s Messenger, Twitter and Instagram are not encrypted, it has led to the rise of more secure services such as WhatsApp and Signal.
Gizmodo Australia spoke to Dr Allan Orr, an international security expert, to understand what makes a message encrypted and how these platforms work.
“It’s a form of code that ensures that even if a message is intercepted in transit by unintended recipients, it can’t be read,” Dr Orr said to Gizmodo Australia over email.
In layman’s terms, when someone creates an account on a messaging service a unique private and public key are created. A private key stays wholly within the device while a public key helps to send the encrypted messages to other people.
Say someone wants to send an encrypted message to someone else, the contents are then cloaked with the recipient’s unique public key. The recipient opens the message using their private key meaning only they can see the message’s contents. The only other place the message passes through is the service provider’s server but unlike an SMS, for example, it never sees the message because its locked by the recipient’s private key — it’s more or less just a series of unintelligible characters.
A popular explanation is that Bob sends an encrypted message to his friend, Alice. Bob’s message is encrypted with Alice’s public key and only Alice’s private key can decrypt it. So when it passes through the server, the server sees none of the actual contents of the message because it doesn’t have Alice’s private key.
“The ‘key’ on the final destination end is random, private and one off and the only way to access it is to have physical access to the device or computer its on or the password to the account,” Orr said.
“However, apparently there are still vulnerabilities even in WhatsApp, they hit the news fairly regularly, and regularity of any kind of security vulnerabilities, or one offs for that matter, are extremely worrying if not self-defeating.”
Powerful spyware developed by Israeli cyber-intelligence company NSO Group exploited a vulnerability in encrypted messaging app WhatsApp to transfer itself to targeted devices, the Financial Times reported on Monday.Read more
Not all encryption messaging services are created equal, however. WhatApp, Wickr, Signal and Telegram all offer encrypted messaging services but how they encrypt messages varies.
“Some have more sophisticated algorithms than others,” Orr said.
“I understand WhatsApp and Signal protocols are now the same. Wikr differs in that its messages are automatically deleted after a certain amount of time and therefore are ephemeral.”
Other services, like Signal, also offer a self-destruct mechanism, which deletes messages sent on both users’ ends.
ASIO's head has admitted the agency's pretty pleased about legislation enacted in 2018 compelling encrypted communication providers, like WhatsApp, to hand over messages if users are under investigation for serious crimes. In a speech detailing the agency's threat assessments, he told the audience he was "happy to report that the internet did not break as a result!"Read more
So, how can ASIO and other spy agencies view encrypted messages?
It’s the question everyone’s wanting to know but it’s one, according to Orr, that’s mostly guess work at the moment.
Under the controversial Assistance and Access Act 2018, there are three ways agencies can request assistance from messaging service providers. These are known as The Technical Assistance Request (TAR), Technical Assistance Notice (TAN) and Technical Capability Notice (TCN).
The Australian Home Affairs website offers a vague and complex summary of each one but Orr attempted to give an idea of what they enable law enforcement agencies to do. The TAR, as Orr understands it, is to let them know who downloaded it and uses it. Orr’s understanding of the remaining two aspects — the TAN and the TCN — is limited and this is by design.
“I think [the TAN] is to advise who on the other end is being communicated with or to provide access to unencrypted messages,” Orr said. “[The] TCN is vague because they’re trying not to expressly tell the… criminals what they are doing here.”
Because of the way end-to-end encryption works, a law enforcement or spy agency can’t simply read an encrypted message. Orr suspects agencies will gain access to encrypted messages by one of two ways if they haven’t already — forcing providers to decode messages or receiving a key so they can unlock the contents of a message themselves.
In these cases, WhatsApp says it will notify users unless it’s illegal or exceptional.
“WhatsApp reserves the right to notify people who use our service of requests for their information prior to disclosure unless we are prohibited by law from doing so or in exceptional circumstances, such as child exploitation cases, emergencies or when notice would be counterproductive,” the service says on its FAQ page.
The legislation is limited, Orr admits, and it’s due to the furore it created at the time.
“It won’t allow the government to access the messages of users who reside in any other country other than Australia so the government’s not going to be able to read the messages of foreign citizens,” Orr said.
“It won’t be able to decode the messages sent from those people overseas, it will in fact only be able to read the messages that Australians create. So it’s extremely limited use for the Five Eyes alliance.”
A bill introduced to parliament on March 5, however, would change this.
The bill paves the way for Australian agencies to easier share communications data from its citizens as well as request information from foreign citizens too. It, too, would fall under the Home Affairs portfolio headed by Minister Peter Dutton.
It forms another aspect helping to round out the powers provided by the Access and Assistance Act 2018 as well as the proposed changes to the Australian Signals Directorate‘s reach — an intelligence agency focusing on foreign communications interceptions that Minister Dutton would like to be given more power domestically.
This article was originally published on March 6, 2020.
A new amendment has been introduced in parliament looking to allow for the easier sharing of communications data between Australia's law enforcement and spy agencies and foreign governments. It comes in response to calls that spy agencies are being left behind without timely access to messaging apps with cloud servers in foreign jurisdictions.Read more