Giving Public Comments to the SECU

Today I was lucky to be able to attend a public consultation by The Standing Committee on Public Safety and National Security, a multi-partisan parliamentary committee tasked with examining Canada's national security apparatuses, and related issues such as oversight. I prepared a short spiel on encryption which, I hoped, would pack as much rhetorical punch as possible into about four minutes. It was enthusiastically received by the public in attendance and by several members of the committee, who provided thoughtful feedback and asked follow-up questions. 

It feels utterly fantastic to have made what I know is a big, positive impact on our country today, and it's a feeling that I know is only going to make me thirst for more. Here's the pre-written version of what I had to say:
 

My name is Jesse Schooff. I’m a blogger, and I volunteer with OpenMedia. I’ve also worked the IT Manager of a small company for the last decade.

I’m here today because I’m troubled by many aspects of The Anti-terrorism Act of 2015, also colloquially called C51. I’m troubled by the extraordinary powers given to law enforcement. I’m troubled by the implications for Canadian privacy. I’m very troubled by the lack of oversight compared to some of our democratic neighbours. I am extremely troubled by the idea that the Charter of Rights and Freedoms – one of the most sacred embodiments of Canadian values – could be sidestepped, even if it is for non-Canadians under the most extraordinary circumstances.

But the main reason I’m here speaking is because, as an IT Professional, I’m concerned, – nay – I am terrified at language of a question in the Online Canadian Security Consultation. I quote:

“How can law enforcement and national security agencies reduce the effectiveness of encryption for individuals and organizations involved in crime or threats to the security of Canada, yet not limit the beneficial uses of encryption by those not involved in illegal activities?”

The short answer is: you can’t.

The long answer would require much more time than would be polite for me to take. But I can explain by way of analogy. A few years ago, the Transportation Security Administration in the United States decided that they needed to be able to open luggage at will, without cutting off – and thus destroying – travellers’ luggage locks. So the TSA went to lock and luggage manufacturers and worked with them to create a TSA Master Key, which could open any luggage lock.

But it wasn’t long before someone created a 3D-printable model of the TSA Master Key, that could be downloaded and printed, allowing anyone – including criminals – to open any “TSA-approved” lock.

When we talk about “weakening encryption” or “creating a backdoor that only the good guys can access”, what we’re really talking about is deliberately putting bugs into our software. And any IT security expert will tell you that when there’s a bug in software  hackers will work hard to find that bug, and exploit it.

Encryption is not just a feature which makes it safe to use our credit card on eBay, or keep our racy instant messages private. Encryption keeps our data infrastructure safe from hackers, criminals, and yes, even terrorists. Encryption is the brick and mortar that allows enterprise IT to exist. If government weakens or backdoors encryption, I can say, without hyperbole, that we put the entirety of all our technology infrastructure at serious risk.

Thank you for your time.