(C) Alec Muffett's DropSafe blog.
Author Name: Alec Muffett
This story was originally published on alecmuffett.com. [1]
License: CC-BY-SA 3.0.[2]


CAMPAIGN: Let’s get the Australian eSafety Office to fix the stale misinformation about #Encryption on its website

2023-12-04 10:20:38+00:00

So the Australian eSafety Commissioner is running a campaign for the #16Days of Activism for No Violence against Women and Children; to this end they are promoting a checklist/guide they’ve created for people who need to take back control over their privacy.

The categories of advice seem sensible:

Put safety first

Use safe devices

Protect access to your device

Manage your online account security

Review your social media settings

Keep your online history private

Protect your location information

Take control of your home security

More tips

Reading the actual text gives me slight pause because there’s quite a lot left “open”; this is not an opinionated document, and I wonder how many people who need it will have time to “check the privacy policy to see which third-party apps or companies might be connected to your social media accounts”. I compare this – I hope, fairly – to similar documents from the EFF:

…which are a lot more focused on recommendation of solutions; possibly as a Government agency the eSC feels unable to recommend product. I hope to seek advice from some experts in this space and will update this blogpost later.

However

Speaking as a nerd who has lived in this space since ~1988, one of the screaming gaps that I see in the document is adoption of secure, end-to-end encrypted messenger products with disappearing messages functionality to reduce opportunity for incrimination. The checklist seems to steer a broad course around the topic, leaving it unmentioned.

Because of this I did a few google searches of the form:

site:www.esafety.gov.au/key-topics/ "encryption"

And aside from some webpage boilerplate, the only significant resource is a page called “Encrypted” and it reflects a bunch of old misconceptions; it might have been arguably sort-of correct back in 2015 but the world has changed a lot since that time, and I think it would be good for the eSafety Office to update this content so that they can start making concrete recommendations to vulnerable people in Australia who are at risk of abuser – and other – surveillance.

Annotations, below:

Encrypted

Encrypted apps and services translate data into another form, or code, so that only people or entities with access to a secret key or password can read it. One of the most secure types of encryption is end-to-end encryption, which is a system that allows only users who are communicating with one another to read messages. Encryption prevents cyber criminals, online service providers and, in some cases, governments and law enforcement from reading sensitive data.

Comment: this is encryption as-described from the 1980s, and nowadays the technology is buried down in the clockwork of the messenger software so that users are not expected to manage “passwords” or “keys”, and different platforms offer different means to back-up message content in a secure way. Of course if you lose both the device and the backup keys then you lose access to the messages, but that’s pretty much the intended purpose.

What are the benefits?

Enhanced privacy and confidentiality

Comment: true

Encryption ensures only the intended recipient or data owner can read personal information or data that is stored or shared online.

Comment: true, but it misses the possibility of bringing privacy to group chats, too.

An added level of security if a device is lost or stolen

Comment: true, but it misses also that end-to-end encryption helps prevent loss of privacy in the instance that a user’s social media account gets hacked; the hacker does not get access to old message content

Using encryption makes data stored on a device or in apps, more likely to stay secure.

Comment: true

Authentication: Encryption ensures the origin of a message can be verified

Comment: this feels like filler, but it’s pointing at the potential for verifying authentic communication: if you get a pop-up warning that “Alice is on a New Device” it’s a clue that you should take care communicating with her until you’ve double-checked authenticity and that Alice is OK

Integrity: Encryption provides proof that the contents of a message have not been changed since it was sent.

Comment: true, but again this promise is pretty much a given of all encrypted messengers.

What are the risks?

Encryption provides varying levels of security: The level of security provided by encryption is directly related to the length and complexity of the key that is used and the type of encryption.

Comment: yeah, nah; this is something which we stopped worrying about when Signal launched and (Telegram aside) everyone has followed suit since; transport encryption is largely a solved problem.

Loss of ability to implement community standards: If messages and content are encrypted, then the service or platform providing the communication service cannot regulate what is shared.

Comment: this is flat-out wrong; the ability for a platform to offer a Trust and Safety (T&S) service is a function of their resource and on whether they make a promise to curate users in order to stop bad user behaviour. WhatsApp and Facebook Messenger Secret Conversations both give users the option to forward abusive messaging (with some context) to their T&S teams. This does not defeat end-to-end security. All that is necessary is that the victim dobs them in. Bogus reports are prevented by a technology (invented by Meta) called Message Franking.
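Added example (not from the original post, and not Meta's code): a simplified sketch of how message franking lets a platform verify a user's abuse report without ever reading unreported messages. The function names, the platform key and the metadata fields are assumptions made for illustration, and HMAC-SHA256 stands in for the commitment and stamping steps.

```python
import hashlib
import hmac
import secrets

# Simplified message-franking flow; every name here is hypothetical.
PLATFORM_KEY = secrets.token_bytes(32)  # secret held only by the platform


def _mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix each part so field boundaries cannot be shifted.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def sender_frank(message: bytes):
    """Sender: commit to the plaintext under a fresh one-time key.
    The key travels inside the E2E ciphertext; only the tag is visible."""
    franking_key = secrets.token_bytes(32)
    return franking_key, _mac(franking_key, message)


def platform_stamp(franking_tag: bytes, sender: str, recipient: str, ts: int) -> bytes:
    """Platform: bind the opaque tag to routing metadata; no plaintext is seen."""
    return _mac(PLATFORM_KEY, franking_tag, sender.encode(),
                recipient.encode(), ts.to_bytes(8, "big"))


def recipient_accepts(message: bytes, franking_key: bytes, franking_tag: bytes) -> bool:
    """Recipient: after decrypting, check the commitment opens to this message."""
    return hmac.compare_digest(_mac(franking_key, message), franking_tag)


def platform_verify_report(message: bytes, franking_key: bytes, franking_tag: bytes,
                           stamp: bytes, sender: str, recipient: str, ts: int) -> bool:
    """Platform: accept a report only if the revealed plaintext matches the
    commitment AND the stamp shows the platform relayed that commitment."""
    opens = hmac.compare_digest(_mac(franking_key, message), franking_tag)
    expected = platform_stamp(franking_tag, sender, recipient, ts)
    return opens and hmac.compare_digest(expected, stamp)
```

A recipient who edits the text, blames a different sender, or fabricates a commitment of their own cannot produce a report that verifies, because they cannot forge the platform's stamp over a tag the platform never relayed.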

Exposure to inappropriate content: As encrypted messaging services are harder to regulate, you could be exposed to inappropriate content including sexualised and violent content.

Comment: yeah, nah; this stands on the previous and takes no account of the architecture of the platform and the features that the platform or messaging app may provide. The assumption seems to be that the platform needs to be proactively overseeing all content that is exchanged, inherently undermining privacy. Better instead is to give people the ability to report abusive content, build tools which (locally) ask users whether they feel safe (“You’re being sent a link, are you sure that you want to click this?”) and use the signals from both to build a better experience.



You’re not guaranteed freedom from unwanted imagery on unencrypted platforms, either. If the essential component for safety is a user-initiated report, the presence or absence of encryption is irrelevant.

Data loss: Encryption helps to secure your data, but it also means that you could be locked out of it if the key is lost or stolen.

[1] URL: https://alecmuffett.com/article/108556
[2] URL: https://creativecommons.org/licenses/by-sa/3.0/

DropSafe Blog via Magical.Fish Gopher News Feeds:
gopher://magical.fish/1/feeds/news/alecmuffett/