Issue 117

FBI plot hatched over beers

Delivered on 21 June 2021 by Justin Pyvis. About a 3 min read.

Over 800 suspected criminals were arrested across the world earlier this month "after being tricked into using an FBI-run encrypted messaging app". The plot was concocted back in 2018 while Australian authorities and the FBI were knocking back a few cold ones (no doubt celebrating Australia's new Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018), "when they hatched a plan to exploit the communications network for their own ends: by surreptitiously taking control of AN0M and using it as window into criminal activities".

"I wasn't there," Australia's federal police commissioner Reece Kershaw told reporters on Tuesday, "but as you know some of the best ideas come over a couple of beers."

The full details, for obvious reasons, are scant. But the fact that Australian authorities were heavily involved is probably because it has the worst digital privacy laws in the world. The Assistance and Access Bill 2018 cited above allows authorities to compel individuals or companies to do one or more specified 'acts or things' necessary to assist agencies, without judicial oversight.

While the Assistance and Access Bill 2018 has never been used for anything terrorism related (the original justification for the bill), the Australian Federal Police (AFP) confirmed that the global sting was only possible because of it, although it was "not in a position to elaborate further due to legislative requirements within the relevant acts".

Should we care that a bunch of criminals were busted by an elaborate honeypot? No. This isn't the first time the US government has built a product from the ground up with the aim of spying on criminals and foreign governments: Crypto AG, a Swiss communications and information security company that operated from 1970 until 2018, was created by the CIA to sell backdoored products.

Indeed, the stupidity of these so-called crime bosses is staggering:

Ayik is the founding member of the "Aussie Cartel" – a syndicate formed by some of Australia's most wanted crime bosses that smuggles an estimated $1.5 billion AUD worth of drugs into the country each year – and is currently Australia’s most wanted priority target. He recommended AN0M to criminal associates, who would purchase mobile devices that had been preloaded with the app on the black market.

These phones could not make calls or send emails, and could only send messages to another device that had the same app, according to a statement by the AFP. Criminals needed to know a criminal to get a device. They would then use the encrypted messaging software to send messages, distort messages and take videos.

High-profile organised crime figures vouched for the app’s integrity – and by the time authorities swooped more than 10,000 people were using AN0M devices across the world, including more than 1,600 in Australia.

Encryption is trustworthy. Random, invite-only closed source apps are not. You would think that given their threat model, hardened criminals might at a minimum use something that has had its source code audited by a trusted party. Better yet, a messaging app that's completely open source. Or keep it simple by using PGP with a key they themselves created and distributed. It would literally take a minute to set up.

The fact that these 'high-profile organised crime figures' vouching for the app's integrity blindly trusted a secretive, closed-source app suggests they would probably have been caught eventually anyway.

But what we should care about is Australia's involvement in all of this. The laws used to arrest a few hundred suspected criminals (the first 50 'beta testers' were already under surveillance) "have undermined international trust in Australia's digital services and their cybersecurity, increased business uncertainty, and hurt the brand image of Australian providers internationally", with costs "measurable in the multiple billions of dollars".

According to Digital Rights Watch executive director Lucie Krahulcova:

It seems the FBI would not have been able to conduct this operation without the AFP. And that's because we have essentially one of the most invasive, most broad anti-encryption legislation in the world right now.

Law Council of Australia president Jacoba Brasch QC said that under the Assistance and Access Bill 2018, there is "no judicial involvement in the issuing process for orders compelling communications providers to render assistance".

You can be sure that following the success of this honeypot (which only came to an end after a blogger did some analysis on a device and revealed it to be a scam), every country in the world will soon be knocking on the AFP's door trying to get some judicial-free, backdoor surveillance action (well maybe not China).

The message from Australia's politicians is clear: if you want to start a digital company and need any kind of data security or user privacy, do not do it in Australia, a place where individual and enterprise trust in digital services no longer exists.

Issue 117: FBI plot hatched over beers was compiled by Justin Pyvis and delivered on 21 June 2021.