Issue 43

Don't have a Barr of it

Apologies for the horrible pun in the title but it'll make sense if you keep reading. Also please note that I'm currently in the process of moving so there may not be an issue next week.

As you may have guessed, the title for this issue is a play on US Attorney General William Barr's name. But before I get into that, let's turn the clock back a bit. Remember when Australia tried to ban encryption, with Australian businesses still paying the price (and as you'll see in The Bits below, it could yet get worse)?

Well the United States, via a William Barr speech, has effectively announced its intention to do something similar, and it's a true "hold my beer" moment. He basically argued that consumers shouldn't be allowed encryption because he doesn't understand encryption and... society.

Barr also singled out Australia and the United Kingdom alongside two other well-known protectors of free speech, China and Russia, as examples of countries "addressing the issue" of encryption. Here is a snippet from the speech but do read the whole thing, although at 4,143 words of government double-speak your time would almost certainly be better spent doing just about anything else:

"In the digital age, the bulk of evidence is becoming digital, this form of “warrant proof” encryption poses a grave threat to public safety by extinguishing the ability of law enforcement to obtain evidence essential to detecting and investigating crimes. It allows criminals to operate with impunity, hiding their activities under an impenetrable cloak of secrecy. As you know, some refer to this eclipsing of the Government’s investigative capabilities as “going dark.” While encryption protects against cyberattacks, deploying it in warrant-proof form jeopardizes public safety more generally. The net effect is to reduce the overall security of society....

At conferences like this, we talk about those costs in abstract terms. They are not abstract; they are real. The costs of irresponsible encryption that blocks legitimate law enforcement access is ultimately measured in a mounting number of victims — men, women, and children who are the victims of crimes — crimes that could have been prevented if law enforcement had been given lawful access to encrypted evidence."

I'm going to be a bit lazy here and show an image Rob Graham posted in response to the speech, namely that crime has not noticeably increased since law enforcement "went dark" with the mainstreaming of encryption.

Then there's this doozy:

"Particularly with respect to encryption marketed to consumers, the significance of the risk should be assessed based on its practical effect on consumer cybersecurity, as well as its relation to the net risks that offering the product poses for society. After all, we are not talking about protecting the Nation’s nuclear launch codes. Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications."

Customised encryption? No one uses customised encryption; there's proper encryption, and there's no encryption. How it's implemented might vary, but encryption - whether it's the AES, ECC or RSA standard - is encryption.

Like Australia's former Prime Minister Malcolm Turnbull, who once quipped that while "the laws of mathematics are very commendable... the only law that applies in Australia is the law of Australia", Barr is out of his depth here. And that's a problem given he, or more likely his also out-of-depth advisors, are going to be drafting some form of legislation to "address the issue" of encryption.

Almost all of the data breaches that are reported here every week relate, in some form or another, to an improper (or non-existent) implementation of encryption. Undermining it by weakening/backdooring encryption on consumer products and services would assist far more criminals than it would defeat.

Enjoy the rest of this week's issue. Cheers,

— Justin


The bits

The consequences of the trade war roll on

The US has a delegation in China for another round of negotiations but in the meantime, jobs will be lost.

A number of privacy articles in the news this week

Medical records for scientific research? Apparently even those can be de-anonymised relatively easily, with researchers able to de-anonymise any dataset with as few as 15 attributes (name, gender, etc.). Be careful what you agree to let companies (and governments, which often sell such data to companies) do with your data, even when it's "anonymous".

Oh and Australia is butchering its approach to big tech. Let's hope it serves as a warning, not a model, for other countries.


Other bits of interest


Image of the week

Campbell Harvey, who first noticed the correlation between yield curve inversions and US recessions back in 1986, was interviewed earlier this month on whether or not we're in store for a recession (the yield curve inverted recently). As he concludes:

"My economic model says growth will decrease in 2020 and perhaps 2021. Given the publicity the yield curve has received, I hope that both businesses and consumers are prudent. The ideal situation is that growth slows and we dodge an official recession – or the recession is mild. This is sometimes called the ‘soft-landing’ scenario. What we want to avoid is a replay of a hard landing associated with the 2008 global financial crisis."

The US tax cut fiscal stimulus will be wearing off soon and start detracting from growth in the coming quarters. There's every chance the yield curve is again proven correct, with a recession in 2020-21 (although as Harvey notes, it doesn't necessarily have to be a hard landing).


This week's data breaches

IBM Security released its annual study last week, the Cost of a Data Breach Report, to estimate both the immediate and ongoing expense of a data breach. According to the company, the cost of a data breach has risen by 12 percent over the course of five years, and organisations can expect to pay an average of $3.92 million per breach.

The breaches:

That's all for now. If you enjoyed this issue, feel free to share it via email.


Issue 43: Don't have a Barr of it was compiled by Justin Pyvis and delivered on 30 July 2019. Feel free to send feedback, suggestions for future issues, ideas, insults, or pretty much anything that crosses your mind to their Keybase or Riot.im account.