Understanding Australia’s new anti-encryption laws
On Dec 6th the Assistance & Access bill was passed by the Australian parliament. It will soon be enacted into law. The purpose of this bill is to assist security agencies by helping them access and read the encrypted end-to-end communications of suspected criminals and terrorists.
The bill will force technology companies to assist Australian security agencies in their efforts to tackle organised crime and prevent terrorism. There has been much community and industry backlash against the bill, with many arguing its design is flawed, debate was rushed, and that weakening encryption weakens the security of all Australians.
What is the argument for this bill?
The message from the Government is about empowering security agencies to keep us safe. And that means new laws to give agencies better intelligence capabilities. Encrypted communications have changed the game for everyone. For example, if a group or individual is planning a terrorist attack and communicating via encrypted means, agencies want to know what they are saying.
The UK first passed the Investigatory Powers Act in 2016 and Australia’s bill has taken its cue from this law. Alex Younger, MI6 Chief in the UK, calls for a ‘fourth generation espionage’ capability as we enter the fourth industrial revolution and face new hybrid threats. This is the context for why we are seeing Governments such as the UK and Australia pass these new laws. Other countries are bound to follow.
How will the new rules work?
There must first be a warrant issued as per the Telecommunications Act to access any communications. Companies may then receive a technical assistance request (TAR), technical assistance notice (TAN), or technical capability notice (TCN) from a police or security agency. Agencies include ASIO, ASD and the AFP. Different notices pertain to different agencies. Non-compliance with these notices can attract penalties.
Assistance may range from providing technical details about how a service works, through to modifying source code on phones or in applications. This means companies can be forced to build software to expose the contents of a message before it is encrypted, e.g. through the installation of targeted malware on a device.
The bill forbids any implementation that creates a ‘systemic weakness’:
Systemic weakness means a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person
This is intended to prevent the building of ‘backdoors’. However, whilst technically creating vulnerabilities outside the encryption channel is not a backdoor, it’s still a system weakness in the encryption itself.
Who will be impacted?
Any person or organisation that “provides an electronic service that has one or more end-users in Australia” is a designated communications provider and therefore subject to the new law. Australian companies and foreign companies with Australian operations will be impacted.
The government is worried about end-to-end encryption, whereby data - your messages - is encrypted before it gets to the server. Only the sender and receiver can see the actual message. This is the technology employed by WhatsApp, Signal and others. These are the types of software services that may be impacted. There could be others, such as device manufacturers like Apple.
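To make the end-to-end property above concrete, here is an added toy model (not code from WhatsApp, Signal or any other messenger). The sender's device seals the message under a key that only the two endpoints share; the server relays the envelope and holds no key. The cipher is a teaching stand-in (SHA-256 keystream XOR plus an HMAC tag) for a real authenticated cipher, and the shared key and message text are constructed sample values. It also shows that altering the ciphertext on the path is detected rather than silently accepted. The point the bill turns on follows directly: whatever runs on the device before `encrypt` is called sees the plaintext, and no property of the channel can change that.

```python
"""Toy end-to-end encryption model (constructed illustration, not production crypto)."""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream by hashing key || nonce || counter (stand-in for a real cipher)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Runs on the sender's device: seals plaintext under a key the server never holds."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt(key: bytes, envelope: dict) -> bytes:
    """Runs on the recipient's device: verifies integrity first, then unseals."""
    expected = hmac.new(key, envelope["nonce"] + envelope["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("tag mismatch: wrong key or message altered in transit")
    ks = _keystream(key, envelope["nonce"], len(envelope["ciphertext"]))
    return bytes(c ^ k for c, k in zip(envelope["ciphertext"], ks))


def relay(envelope: dict) -> dict:
    """What the provider's server can see: metadata only, never the key or the plaintext."""
    return {
        "ciphertext_len": len(envelope["ciphertext"]),
        "nonce_hex": envelope["nonce"].hex(),
        "plaintext": None,  # the server holds no key, so there is nothing for it to read
    }


def run_demo() -> dict:
    """Sender -> server -> recipient, plus a tampered copy that the recipient rejects."""
    # Constructed sample: both endpoints already share this key (agreed out of band,
    # e.g. through a key exchange the server also cannot read).
    shared_key = secrets.token_bytes(32)
    message = b"meet at the usual place at 9"  # constructed sample text

    envelope = encrypt(shared_key, message)
    server_view = relay(envelope)
    received = decrypt(shared_key, envelope)

    # Anyone on the path flipping a ciphertext bit is caught by the tag check.
    tampered = dict(envelope)
    tampered["ciphertext"] = bytes([envelope["ciphertext"][0] ^ 0x01]) + envelope["ciphertext"][1:]
    try:
        decrypt(shared_key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "server_saw_plaintext": server_view["plaintext"] is not None,
        "ciphertext_differs_from_plaintext": envelope["ciphertext"] != message,
        "recipient_read": received.decode(),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it directly to see the server's view beside the recipient's. The design choice worth noting is that the integrity tag is checked before any decryption, so a relay that modifies traffic gets an error, not a garbled message.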
Other companies who provide services to Australians but do not operate in Australia will still be affected, but legally won’t be under Australian jurisdiction so cannot be forced to comply.
The bill does create a precedent globally. Other countries may now follow in enacting similar laws.
What are the concerns with this bill?
There have been numerous concerns raised across industry about the broader ramifications of such a law for business and individuals. Many believe there are serious implications for the technology and startup sectors in Australia. The risk is that over time less software will be developed in Australia and users will choose apps developed in other countries that aren’t subject to these laws.
In August 2018, the Australian government banned Chinese telcos Huawei and ZTE from bidding to supply equipment for upcoming 5G networks. This was based on fears the Chinese government would force these companies to build backdoors into their hardware, compromising the communications and security of Australians. With Australia now passing its own anti-encryption laws, other foreign governments may shun Australian-developed technology because of this same fear.
The Australian Computer Society is concerned about the ability of Australian businesses to compete internationally. Australia is now at a competitive disadvantage in software development. There is a disincentive for investment in local startups and tech companies. Their software won’t be trusted in international markets.
The Law Council of Australia argues there could be unintended consequences of the bill. This was a complex piece of legislation given four days of debate in parliament. Not enough time has been given to work through all the concerns raised about the detail of the legislation by experts and industry groups.
Engineers and developers are worried about being forced to implement such vulnerabilities into their software. It is generally accepted amongst security professionals that “there are no backdoors that only let the good guys in”. Deliberate vulnerabilities can be exploited by others and compromise the security of everyone.
Who is speaking out?
The internet lit up after this bill was passed, with many views stridently against and little commentary for the bill. The hashtag #aabill was trending on Twitter.
Software companies are speaking out against the bill and its principles. Signal have posted saying they won’t and can’t build back doors into their software. ProtonMail spoke out saying they won’t, on principle, and also as a foreign company subject to strong Swiss privacy laws. Both companies are aware there may be attempts to block access to their services in Australia.
Major companies in the US, Facebook, Google, Microsoft and Apple, who are signatories to the Reform Government Surveillance coalition (RGS), have urged the Government to ‘correct flaws’. Credit ratings agency Fitch even warned of an overall ‘negative impact’ on the Australian tech sector. The Software Alliance believes the bill in its current form would compromise the data privacy and security of businesses and individuals. There are many more with strong views too.
Where to from here?
Law enforcement has a critical role to play in ensuring safety for our citizens, communities, cities and country. This bill in my view has the balance wrong. Most view it as rushed through parliament and flawed by design. It is debatable whether weakening encryption services will actually stop the most tech-savvy criminals. Most will just switch to custom software or services not under Australian jurisdiction. The larger risk is to individuals and business and the Internet itself. This quote helps sum things up:
“Legislating the means to weaken or circumvent security systems in practice, or even the threat of doing so in secret, destabilises the entire system by undermining the trust that people have in that system; and attacking the trust jeopardises the cooperation that the Internet depends on.” - Martin Thomson, Internet Architecture Board
In the long run this new bill will make us less safe. It weakens trust in government and in technology companies. Encryption does make us safer. It secures our privacy and our data along the way. Let’s not base our security laws on fear and ignore the facts. I doubt this bill will ever be repealed, so let’s hope it can be amended to address community concerns when parliament sits again.