IPv6 and 5G will make life hell for spooks and cops say Australia's spooks and cops
Both make it harder to connect you to your connections
The Australian government has fingered the next threat in the country's cryptography vs. policing debate: the IPv6 protocol.
The nation's Department of Home Affairs (a super-department created last year to bring immigration, border protection, and security services under a single minister) aired its fears in a submission to the Joint Parliamentary Committee on Intelligence and Security, filed last week.
In the submission (PDF), the Department identifies two aspects of IPv6 as problematic: its huge address space, and its “native IP security system” (we presume it means IPSEC).
The submission says encryption technologies are already available, but “users require detailed knowledge of networks and configuring these systems is relatively complex”. In IPv6, encryption becomes “easily accessible and transparent to consumers” (nobody tell the department about HTTPS).
Crypto-gurus: Which idiots told the FBI that Feds-only backdoors in encryption are possible?READ MORE
The Department's other fear is that the address space will make it hard to tie an IP address to an individual (something considered only weak evidence of individual wrongdoing in some jurisdictions).
Constraints on the number of IPv4 addresses mean an ordinary Internet account-holder (for example, a household) is never assigned more than one IP address. The magic of network address translation (NAT) allows multiple computers, phones, TVs, baby monitors, refrigerators, sex toys and so on to share a connection behind a single IP address.
Home Affairs likes it that way, because it can record a one-to-one relationship between the ISP-assigned address and the account-holder's edge router.
The submission stated that in IPv6, the address space “will degrade law enforcement’s ability to attribute information to a particular person”, adding that “a person communicating on one social media platform may not necessarily use the same IPv6 address when browsing the internet, or when communicating on another social media platform” (as already happens if someone uses devices on multiple networks for the same activities on IPv4 networks).
IPv6 addresses won't just be available to the ISP and the customer, the submission says, but also “other foreign and domestic entities, such as social media providers”, and “IPv6 will potentially make record keeping more complex particularly in cases involving offshore providers”.
5G networks pose a similar threat, apparently, because they also destroy a different one-on-one relationship. In the case of 5G, the submission says, the relationship between subscriber and cell tower is at risk.
From the submission: “Identifiers allow devices to establish a connection with different network towers. 5G will replace the permanent identifier with one which is temporary, destructing after connection to a tower is made.”
[El Reg is certain that our erstwhile commenters will have something to say about this; for our part, we'll only observe that carriers aren't going to implement a technology that stops them billing users.]
In a passage that made Vulture South nostalgic for the days of 3G, the department's submission says:
Traditionally, a device transfers data through a single medium such as Wi-Fi or a mobile network tower. However, under 5G it will be possible for a device to obtain some data from a network tower and some through another means, such as connecting to a Wi-Fi hotspot, satellite, or internet service provider.
The problem here is interception: if a session spends some of its time on the 5G network and some of its time on WiFi, what the spooks will snoop might be incomplete.
Further: “5G networks may allow a person to restrict data transfers to local networks and bypass telecommunications providers entirely” (no, we don't know either).
By the way, it's not a backdoor
Australia's government yesterday, in the person of Immigration and Border Protection Secretary Michael Pezzullo, reiterated that it doesn't want a “backdoor” to encrypted communications.
If you're willing to let your browser run Flash Player, the relevant exchange, between Pezzullo and Australian Greens senator Jordan Steele-John starts around 1:40:00 in this video.
Steele-John's questions came first, about when the government intended to legislate for access to encryption; and second, how to resolve protection for communications like banking with the ability to decrypt communications.
On the first, Pezzullo said the government's preference is to avoid legislation, saying that home affairs minister Peter Dutton would prefer “to work with industry to make sure that industry understands its obligations … through dialogue and consultation with industry”.
Only if legislation is “required” would it be introduced, he added; at the moment, the government doesn't have a timeline for legislation.
When Steele-John raised the apparent contradiction between “strengthening our technical resilience” for sensitive personal information and access to encrypted communications, Pezzullo responded that “encryption is an important part of safeguarding our personal affairs.”
He continued: “The question in the government's mind, and this is vexing governments, is what happens when that social good, that is to say encrypted communication, is exploited by those who already have got a predilection to hide their communication, because they're terrorists, they're transnational criminals, they're involved in child exploitation and the like – what happens when they are put beyond the reach of our agencies in terms of highly advanced encryption. That is the balance to be struck.”
Steele-John said he failed to see “how you intend to decrypt” without a backdoor, a characterisation Pezzullo called “cartoonish”.
“That's the shorthand, colloquial and in many respects highly ill-informed shorthand”, Pezzullo said.
“There's no intention that we have … to undermine legitimate encryption,” he added, and said the assumption that “a backdoor has to be created” is “cartoon-like”.
So, we're clear of what the backdoor is not. To find out what it is, Pezzullo told the committee, we'll have to wait for the government to present legislation (which it may never do). ®
Sponsored: Becoming a Pragmatic Security Leader