Understanding Australia’s new anti-encryption laws
On 6 December 2018 the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill was passed by the Australian parliament and will shortly become law. Its stated purpose is to help security and law enforcement agencies access and read the end-to-end encrypted communications of suspected criminals and terrorists.
The bill forces technology companies to assist Australian security agencies in tackling organised crime and preventing terrorism. There has been considerable community and industry backlash, with many arguing that its design is flawed, that debate was rushed, and that weakening encryption weakens the security of all Australians.
How will the new laws work?
First, a warrant needs to be signed by a judge before an investigation can begin. A company may then receive one of three things: a technical assistance request (TAR), which asks for voluntary help; a technical assistance notice (TAN), which compels a provider to give help it is already capable of giving; or a technical capability notice (TCN), which compels a provider to build a new capability. TARs and TANs come from a police or security agency; a TCN is issued by the Attorney-General. Non-compliance with a notice can attract penalties.
Assistance may range from providing technical details about how a service works through to modifying source code on phones or in applications. In practice this means a company can be forced to build software that exposes the contents of a message before it is encrypted, for example by installing targeted malware on a specific device.
The bill forbids any implementation that creates a ‘systemic weakness’:
Systemic weakness means a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person
This is intended to prevent the building of ‘backdoors’. However, while a vulnerability introduced outside the encryption channel (on the device, before the cipher ever runs) is technically not a backdoor in the encryption itself, it is still a weakness in the system the encryption was meant to protect: the capability, once built, exists and can be pointed at other devices, and the messages it captures are exactly the ones the encryption was supposed to keep private.
Who will be impacted?
Any person or organisation that “provides an electronic service that has one or more end-users in Australia” is a designated communications provider and therefore subject to the new law. Australian companies and foreign companies with Australian operations will be impacted.
The government is worried about end-to-end encryption, whereby data (your messages) is encrypted on the sender's device before it reaches the server, so only the sender and recipient can read the actual message and the provider's servers see only ciphertext. This is the technology employed by WhatsApp, Signal and others, and these are the services most likely to be affected. Others, such as device manufacturers like Apple, could be affected too.
Companies that provide services to Australians but have no presence in Australia still fall within the definition above, although enforcing a notice against them will be far harder in practice. The law also sets a global precedent, and other countries may now follow.
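To make the two preceding points concrete (the end-to-end model, in which the provider's server only ever relays ciphertext, and the "expose the contents before it is encrypted" assistance model described under "How will the new laws work?"), here is a small Go program. It is an added example, not code from the original article or from any of the services named. It assumes a pre-shared AES-256 key between the two endpoints (real messengers negotiate one; that step is skipped), uses a constructed demo key and message, and models an assistance capability as a hook on one device that receives the plaintext before the cipher runs:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is all the provider's relay ever holds: a random nonce plus AES-GCM ciphertext.
type Envelope struct{ Nonce, Ciphertext []byte }

// Client is one endpoint. The key is shared only with the peer (assumption: key agreement
// already happened). tap, when set, models an assistance capability installed on this one
// device: it sees the plaintext before encryption.
type Client struct {
	name string
	aead cipher.AEAD
	tap  func(plaintext []byte)
}

func NewClient(name string, key []byte) (*Client, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Client{name: name, aead: aead}, err
}

// Send encrypts msg for the peer, binding the sender's name as associated data.
func (c *Client) Send(msg []byte) (Envelope, error) {
	if c.tap != nil {
		c.tap(msg) // plaintext leaves the app here, before the cipher ever runs
	}
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{nonce, c.aead.Seal(nil, nonce, msg, []byte(c.name))}, nil
}

// Receive decrypts an envelope claimed to come from sender; a wrong key, nonce,
// ciphertext or sender name fails GCM authentication and returns an error.
func (c *Client) Receive(sender string, env Envelope) ([]byte, error) {
	return c.aead.Open(nil, env.Nonce, env.Ciphertext, []byte(sender))
}

// Relay is the provider's server: it stores and forwards envelopes and holds no key.
type Relay struct{ stored []Envelope }

func (r *Relay) Forward(env Envelope) Envelope {
	r.stored = append(r.stored, env)
	return env
}

// Result summarises what each party could see in one run.
type Result struct {
	BobReadMessage    bool   // the intended recipient decrypted it
	RelaySawPlaintext bool   // the message bytes appear in what the provider stored
	TapCaptured       string // what a pre-encryption hook on Alice's device saw
}

// Run sends one message from Alice to Bob through the relay. With tapAlice set,
// a pre-encryption hook is installed on Alice's device only; nothing else changes.
func Run(tapAlice bool) (Result, error) {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, never do this for real
	alice, err := NewClient("alice", key)
	if err != nil {
		return Result{}, err
	}
	bob, err := NewClient("bob", key)
	if err != nil {
		return Result{}, err
	}
	var res Result
	if tapAlice {
		alice.tap = func(p []byte) { res.TapCaptured = string(p) }
	}
	msg := []byte("meet at 9") // constructed sample message
	env, err := alice.Send(msg)
	if err != nil {
		return Result{}, err
	}
	relay := &Relay{}
	pt, err := bob.Receive("alice", relay.Forward(env))
	res.BobReadMessage = err == nil && bytes.Equal(pt, msg)
	res.RelaySawPlaintext = bytes.Contains(relay.stored[0].Ciphertext, msg)
	return res, nil
}

func main() {
	for _, tapped := range []bool{false, true} {
		res, err := Run(tapped)
		if err != nil {
			panic(err)
		}
		fmt.Printf("tap on Alice's device=%v: %+v\n", tapped, res)
	}
}
```

The cipher is identical in both runs and the relay never learns the message in either; the only difference is where the capability sits. That is the engineers' objection in miniature: a hook that reads plaintext before encryption leaves the cryptography formally intact, yet the hook is ordinary software that can be pushed to any device the vendor controls, so nothing about it is limited to "one particular person" except the decision of whoever deploys it.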
What is wrong with this law?
There have been numerous concerns raised across industry about the broader ramifications of such a law for businesses and individuals. Many believe there are serious implications for the technology and startup sectors in Australia. The risk is that, over time, less software will be developed in Australia and users will choose apps developed in countries that aren't subject to these laws.
In August 2018, the Australian government banned the Chinese telecommunications vendors Huawei and ZTE from supplying equipment for upcoming 5G networks. This was based on fears that the Chinese government could force these companies to build backdoors into their hardware, compromising the communications and security of Australians. With Australia now passing its own anti-encryption laws, foreign governments may shun Australian-developed technology for the same reason.
The Australian Computer Society is one group concerned about the ability of Australian businesses to compete internationally. Australia is now at a competitive disadvantage in software development: there is a disincentive to invest in local startups and tech companies, because their software won't be trusted in international markets.
The Law Council of Australia argues there could be unintended consequences. This was a complex piece of legislation given only four days of debate in parliament, not enough time to work through the detailed concerns raised by experts and industry groups.
Engineers and developers are worried about being forced to implement such vulnerabilities in their own software. It is generally accepted among security professionals that “there are no backdoors that only let the good guys in”: a deliberately introduced weakness can be found and exploited by others, compromising the security of everyone.
Where to from here?
Law enforcement has a critical role to play in keeping our citizens, communities, cities and country safe, but this bill gets the balance wrong. Many view it as rushed through parliament and flawed by design. It is also debatable whether weakening encrypted services will stop the most tech-savvy criminals; most will simply switch to custom software or to services outside Australian jurisdiction. The larger risk is to individuals, to business and to the Internet itself. This quote sums it up:
“Legislating the means to weaken or circumvent security systems in practice, or even the threat of doing so in secret, destabilises the entire system by undermining the trust that people have in that system; and attacking the trust jeopardises the cooperation that the Internet depends on.” - Martin Thomson, Internet Architecture Board
In the long run this law will make us less safe. It weakens trust in government and in technology companies. Encryption makes us safer; it secures our privacy and our data along the way. Let's not base new laws on fear while ignoring the facts. Let's hope the law can be amended when parliament sits again.