A Matter of Security, Privacy and Trust
Total Page:16
File Type:pdf, Size:1020Kb
A matter of security, privacy and trust: A study of the principles and values of encryption in New Zealand Michael Dizon Ryan Ko Wayne Rumbles Patricia Gonzalez Philip McHugh Anthony Meehan Acknowledgements This study was funded by grants from the New Zealand Law Foundation and the University of Waikato. We would like to express our gratitude to our project collaborators and members of the Advisory Board – Prof Bert-Jaap Koops (Tilburg University), Prof Lyria Bennett Moses (UNSW Sydney), Prof Alana Maurushat (Western Sydney University), and Associate Professor Alex Sims (University of Auckland) – for their support as well as feedback on specific parts of this report. We would also like to thank Patricia Gonzalez, Joseph Graddy, Philip McHugh, Anthony Meehan, Jean Murray and Peter Upson for their valuable research assistance and other contributions to this study. Michael Dizon, Ryan Ko and Wayne Rumbles Principal investigators December 2019 Executive summary Cybersecurity is crucial for ensuring the safety and well-being of the general public, businesses, government, and the country as a whole. New Zealand has a reasonably comprehensive and well-grounded legal regime and strategy for dealing with cybersecurity matters. However, there is one area that deserves further attention and discussion – encryption. Encryption is at the heart of and underpins many of the technologies and technical processes used for computer and network security, but current laws and policies do not expressly cover this significant technology. The principal objective of this study is to identify the principles and values of encryption in New Zealand with a view to informing future developments of encryption- related laws and policies. The overarching question is: What are the fundamental principles and values that apply to encryption? In order to answer this question, the study adopts an interdisciplinary approach that examines the technical, legal and social dimensions of encryption. With regard to the technical dimensions, this requires exploring the technical elements and aspects of encryption and how they can impact law and society. In relation to law, existing and proposed encryption law and policies in New Zealand and other jurisdictions are examined in terms of how they affect and are affected by encryption. On the social dimension, the perceptions, opinions and beliefs of three groups of stakeholders most concerned about encryption (i.e., the general public, businesses and government) are recognised and considered. Technologies of encryption From a technical perspective, encryption is a relatively complex technology both in theory and in practice. It can be viewed as a science, a technology or a process. Despite its innate complexity, encryption can be defined as a technology that transforms information or data into ciphers or code for purposes of ensuring the confidentiality, integrity and authenticity of such data. There are various kinds of encryption (e.g., symmetric, asymmetric, homomorphic, etc.) and it can be used with different types and states of data (i.e., data at rest, data in motion, and data in use). In terms of implementation and use, encryption can range from the use of a simple encryption algorithm to a full-blown cryptosystem. Depending on its level of complexity, encryption can be or take the form of: (1) a cryptographic primitive (including an encryption algorithm); (2) a cryptographic protocol; or (3) a cryptosystem. From an examination of the architecture and technical aspects of encryption, certain key, underlying principles and rules are readily apparent. First, encryption is integral to preserving information security. It is purposefully designed and used to realise the crucial information security objectives of confidentiality, integrity and authenticity. Second, there is the principle of the primacy of encryption keys. Since encryption keys are the lynchpin of the security of encryption and any related system that implements it, the secrecy and inviolability of these keys are paramount. Third, the principle of openness requires that the underlying source code and architecture of encryption would ideally be publicly accessible, transparent and auditable. Openness ensures that the encryption is actually safe and secure to use and it inspires the all-important trust among developers and users. Fourth, encryption is inherently adversarial in nature. This means that innovation in cybersecurity should be prioritised and continuous improvements to strengthen encryption should be encouraged. Fifth, due to the adversarial nature of encryption, it must be able to resist various forms of attacks. Sixth, the ability of encryption to resist attacks is dependent on having and achieving the appropriate level of security. These technical principles and rules play a significant role in determining and shaping not just what encryption is and how it is used, but also how it affects law and society. From the perspective of law and policy, this means that encryption is not a simple and easy target of regulation because it involves a complex and dynamic network of diverse actors using specific technologies. Encryption is integral to preserving information security and many common and widely used technologies and systems rely on it. This means that any attempt to completely ban the development and use of encryption would be impracticable and impossible to justify whether from a cybersecurity or a law and policy standpoint. Furthermore, encryption is meant to preserve and protect information security. Therefore, a legislative proposal for mandatory backdoors for law enforcement and other purportedly legitimate purposes would be extremely problematic since it would intentionally compromise the security of encryption. Laws of encryption It is generally believed that encryption is largely unregulated in New Zealand and in other jurisdictions. On the face of it, this appears to be true since export control rules on dual-use goods and technologies are the main category of law that expressly addresses encryption. Export control rules generally require the developer of specific kinds of encryption or technologies that use encryption to seek prior government or regulatory approval before exporting the technology due to their potential military uses. However, export control rules actually form part of a broader, existing network of laws, regulations and rules that apply to and determine how encryption is accessed and used in the country. These laws and policies and their resulting effects and outcomes constitute a tacit and implicit framework that to a large degree controls and governs encryption. This network of laws of encryption includes export control rules, cybercrime laws, laws pertaining to law enforcement powers and measures (including search and surveillance laws and customs and border searches), and human rights laws. With regard to cybercrime laws, section 251 of the Crimes Act 1961 makes it illegal for a person to make, sell, distribute or possess software or other information for committing a crime. This prohibition can apply to the development and distribution of encryption technologies if they are used to facilitate or hide criminal activities. However, it is only a crime if the sole or principal purpose of encryption is to commit an offence. Since the primary purposes of encryption are to preserve the confidentiality, integrity and authenticity of data, then the development, possession and use encryption should be deemed by default or at least prima facie legitimate. With regard to law enforcement powers and measures, they are the most significant type of legal rules that apply to encryption. They are extremely pertinent to encryption because they provide the authority and means by which law enforcement officers can attempt to gain access to encrypted data, communications and devices. Encryption is generally impacted by the principle of lawful access. The general powers of search and seizure can and do apply to encryption and its various implementations and uses. Encrypted computers and devices can be physically seized and inspected, and encrypted data can be subject to a search and copied. However, being able to access and understand the encrypted data is another matter altogether. This is why law enforcement officers are granted additional powers to request reasonable assistance and require the forced disclosure of passwords and other access information from third parties and possibly even from persons suspected of or charged with a crime. Under the law, a person who refuses to render reasonable assistance or disclose passwords or access information, without reasonable excuse and/or subject to the privilege against self-incrimination, can face imprisonment for a term not exceeding three months. With regard to the interception and collection of communications, the surveillance powers and associated duties under the Search and Surveillance Act 2012, the Telecommunications (Interception Capability and Security) Act 2013 (TICSA) and other laws apply to encryption and encrypted communications. Law enforcement officers generally have the power to use interception devices to intercept and collect communications, telecommunications and call associated data to investigate a crime pursuant to the surveillance device regime of the Search and Surveillance Act 2012. The interception may be done by the law enforcement officers themselves and/or with the assistance of the network operator or service provider. Under the TICSA, networks operators