Event recap: Encryption and Privacy public forum
The topic of encryption has been fiercely debated in the Australian public following the Commonwealth Government announcing its intention to introduce legislation that would compel telecommunications services and platforms to give access to encrypted communications for intelligence or law enforcement purposes. This debate sparked a national conversation about balancing individuals’ interests in using encryption to keep their communications private, and the Government’s interest in accessing encrypted communications for security purposes.
Information privacy and encryption intersect in a number of ways: from keeping personal communications private, to securing government information, or enabling datasets to be shared or released to the public. However, we have seen in the past that privacy breaches can occur where encryption standards are not up to scratch.
Within this context, the Office of the Victorian Information Commissioner (OVIC) held a public forum on the 7th of March 2018, to explore encryption and its relationship with information privacy and data security.
Information Commissioner, Sven Bluemmel, opened the session by welcoming two guest speakers for this event:
- Dr Vanessa Teague – Senior Lecturer in the Department of Computing and Information Systems at The University of Melbourne, with extensive background in the field of cryptography, and
- Mr John O’Driscoll – Victoria’s first Chief Information Security Officer, with 20 years’ experience in information technology, with a focus on cyber security in financial services and the public sector.
Vanessa started the discussion with an introductory technical overview of what encryption is, and what it is not. Notably, Vanessa emphasised that protecting privacy, encrypting data, and controlling access to that data are three separate elements that often get conflated into one. A common theme throughout the session was that encryption, while a useful and powerful tool, should not be seen as a panacea to all modern privacy and data security issues.
When many people imagine encryption, what they think of is ‘end-to-end’ encryption. Vanessa described this as “the way encryption was intended to be”, where the only person who can decrypt the information is the intended recipient. More commonly though, encryption is not truly end-to-end, as there is an intermediary between the sender and the recipient, most often a big company such as Google or Skype. In this instance, individuals may get the impression that their message is encrypted, however in reality, the content is being sent to the company where it is decrypted and then re-encrypted, before being sent on to the intended recipient. Vanessa cautioned attendees to be aware of these intermediaries when sending supposedly encrypted messages, and recommended using true end-to-end encryption wherever possible.
Following Vanessa, John provided the audience with an overview of how encryption is placed as a tool for enhancing information security within the public sector, and assisting organisations to meet their information privacy obligations. John noted that while the Victorian Government’s Cyber Security Strategy does not make explicit reference to encryption, it does require government organisations to consider the most appropriate security measures for their particular context. John emphasised that encryption is just one factor that organisations can consider when implementing security measures, and while it can be a powerful tool, it needs to be complemented by appropriate governance, policies and procedures in order to be effective. For example, John highlighted that you may be able to encrypt your information in transit, but without adequate policies or agreements, encryption alone cannot control the security of that information once received.
Vanessa and John were then joined by Privacy and Data Protection Deputy Commissioner, Rachel Dixon, for a panel discussion led by Sven. The panel immediately dove into the substantial topic of how to mediate the underlying technological incompatibility between introducing ‘back doors’ to encrypted services for government agencies, while still endeavouring to maintain secure communications for individuals. This was followed by several questions from the audience, ranging from how encryption relates to cloud access security brokers, to the potential for blockchain technology to solve information privacy and data security issues, and whether reliance on tools such as encryption creates a risk of being reliant on technologies at the expense of basic security protocols in government.
OVIC would like to extend its thanks to speakers John and Vanessa, and to all those who came along on the day. To hear the discussion in full, a recording of the forum is available to view on OVIC’s Periscope Channel.