Issue 43

Don't have a Barr of it

Delivered on 30 July 2019 by Justin Pyvis. About a 5 min read.

Apologies for the horrible pun in the title but it'll make sense if you keep reading. Also please note that I'm currently in the process of moving so there may not be an issue next week.

As you may have guessed, the title for this issue is a play on US Attorney General William Barr's name. But before I get into that, let's turn the clock back a bit. Remember when Australia tried to ban encryption, with Australian businesses still paying the price (and as you'll see in The Bits below, it could yet get worse)?

Well the United States, via a William Barr speech, has effectively announced its intention to do something similar, and it's a true "hold my beer" moment. He basically argued that consumers shouldn't be allowed encryption because he doesn't understand encryption and... society.

Barr also singled out Australia and the United Kingdom alongside two other well-known protectors of free speech, China and Russia, as examples of countries "addressing the issue" of encryption. Here is a snippet from the speech but do read the whole thing, although at 4,143 words of government double-speak your time would almost certainly be better spent doing just about anything else:

"In the digital age, the bulk of evidence is becoming digital, this form of “warrant proof” encryption poses a grave threat to public safety by extinguishing the ability of law enforcement to obtain evidence essential to detecting and investigating crimes. It allows criminals to operate with impunity, hiding their activities under an impenetrable cloak of secrecy. As you know, some refer to this eclipsing of the Government’s investigative capabilities as “going dark.” While encryption protects against cyberattacks, deploying it in warrant-proof form jeopardizes public safety more generally. The net effect is to reduce the overall security of society....

At conferences like this, we talk about those costs in abstract terms. They are not abstract; they are real. The costs of irresponsible encryption that blocks legitimate law enforcement access is ultimately measured in a mounting number of victims — men, women, and children who are the victims of crimes — crimes that could have been prevented if law enforcement had been given lawful access to encrypted evidence."

I'm going to be a bit lazy here and show an image Rob Graham posted in response to the speech, namely that crime has not noticeably increased since law enforcement "went dark" with the mainstreaming of encryption.

Then there's this doozy:

"Particularly with respect to encryption marketed to consumers, the significance of the risk should be assessed based on its practical effect on consumer cybersecurity, as well as its relation to the net risks that offering the product poses for society. After all, we are not talking about protecting the Nation’s nuclear launch codes. Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications."

Customised encryption? No one uses customised encryption; there's proper encryption, and there's no encryption. How it's implemented might vary but encryption - whether it's the AES, ECC or RSA standard - is encryption.

Like Australia's former Prime Minister Malcolm Turnbull, who once quipped that while "the laws of mathematics are very commendable... the only law that applies in Australia is the law of Australia", Barr is out of his depth here. And that's a problem given he, or more likely his also out of depth advisors, are going to be drafting some form of legislation to "address the issue" of encryption.

Almost all of the data breaches that are reported here every week relate, in some form or another, to an improper (or non-existent) implementation of encryption. Undermining it by weakening/backdooring encryption on consumer products and services would assist far more criminals than it would defeat.

The consequences of the trade war roll on

The US has a delegation in China for another round of negotiations but in the meantime, jobs will be lost.

Learn more:

A number of privacy articles in the news this week

Medical records for scientific research? Apparently even those can be de-anonymised relatively easily, with researches able to de-anonymise any dataset with as few as 15 attributes (name, gender, etc.). Be careful what you agree to let companies (and governments, which often sell such data to companies) do with your data, even when it's "anonymous".

Oh and Australia is butchering its approach to big tech. Let's hope it serves as a warning, not a model, for other countries.

Learn more:

Other bits of interest

Image of the week

Campbell Harvey, who first noticed the correlation between yield curve inversions and US recessions back in 1986, was interviewed earlier this month on whether or not we're in store for a recession (the yield curve inverted recently). As he concludes:

"My economic model says growth will decrease in 2020 and perhaps 2021. Given the publicity the yield curve has received, I hope that both businesses and consumers are prudent. The ideal situation is that growth slows and we dodge an official recession – or the recession is mild. This is sometimes called the ‘soft-landing’ scenario. What we want to avoid is a replay of a hard landing associated with the 2008 global financial crisis."

The US tax cut fiscal stimulus will be wearing off soon and start detracting from growth in the coming quarters. There's every chance the yield curve is again proven correct, with a recession in 2020-21 (although as Harvey notes, it doesn't necessarily have to be a hard landing).

This week's data breaches

IBM Security released its annual study last week, the Cost of a Data Breach Report, to estimate both the immediate and ongoing expense of a data breach. According to the company, the cost of a data breach has risen by 12 percent over the course of five years, and organisations can expect to pay an average of $3.92 million per breach.

The breaches:

Issue 43: Don't have a Barr of it was compiled by Justin Pyvis and delivered on 30 July 2019.