Australia’s New Encryption Laws: common sense or government surveillance?
In December 2018 the ‘Assistance and Access (2018)’ Bill passed through the Senate amid public outcry that it erodes the security, privacy and internet freedoms of internet users across the world.
The bill’s primary aim is to force tech giants like Facebook and Google, as well as smaller software developers like Signal, to assist authorities in accessing encrypted communications to solve serious crimes like terrorism. This expands on existing powers under the Telecommunications (Interception and Access) Act, which allow law enforcement to obtain a copy of any information an organisation may hold, such as unencrypted emails, SMS, saved voicemail and call records.
Encryption is a growing challenge for law enforcement around the world, as device manufacturers and web service providers such as Facebook have started encrypting all communications as standard to protect their users’ security. While these changes help ensure private communications aren’t intercepted by hackers and that data cannot be accessed from a stolen or lost device, they also prevent authorities with legitimate reasons from easily carrying out investigations.
One such example occurred in February 2016, when Apple refused a court order to decrypt a terrorist’s iPhone 5C, which was within their technical ability; ultimately the FBI turned to a private mobile forensics firm to unlock the device.
Under this new legislation, law enforcement agencies can issue three different types of notices to tech companies:
- Technical Assistance Request (TAR): A notice asking for ‘voluntary assistance’ from the organisation, i.e. disabling a particular feature like encryption for a specific target, installing software on a user’s device, or facilitating access to it in general.
- Technical Assistance Notice (TAN): A ‘non-voluntary’ step up from a TAR, which requires companies to provide reasonable, proportionate and technically feasible assistance that they already have the capability to provide, such as forcing Apple to unlock an iPhone for authorities.
- Technical Capability Notice (TCN): Where a company does not have the ability to provide assistance, it may be forced to “build a new capability” to fulfil the request, such as saving an unencrypted copy of a message before or after it is encrypted and sent. This point is contentious, as the bill explicitly states it is not aimed at adding systemic backdoors or weaknesses into products.
So what’s all the fuss? It seems like common sense, not too dissimilar to existing powers over other forms of communication, and isn’t really ‘banning encryption’ as the media make it out to be.
While seemingly very reasonable at first glance, criticism of the bill is well founded and not just exaggerated claims by extreme privacy advocates. Here are some of the main points raised against the bill in its current form:
The bill is dangerously ambiguous, overly broad and even “intentionally vague”, as Mozilla, the developers of Firefox, claimed in a seven-page submission to the government. While all legislation does need some wiggle room to account for future technology, Apple claims this ambiguity “could allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person’s home, require a provider to monitor the health data of its customers for indications of drug use.”
Most people would like to think that such a bill, the first of its kind not just in Australia but around the world, would be heavily debated and scrutinised.
While the bill is supported by both the Coalition and Labor, there has been immense pressure from both sides to rush it through, with Defence Minister Christopher Pyne appealing to emotion in a since-deleted tweet, “Labor has chosen to allow terrorists and paedophiles to continue their evil work in order to engage in point scoring”, in response to Labor proposing 173 amendments to it.
Shockingly, these proposed amendments were dropped despite Opposition Leader Bill Shorten conceding the new laws were rushed and widely believed within the party to be inappropriate.
As with the controversial MyHealthRecord scheme, there are serious concerns that the program’s focus, and who exactly can use it, may change over the years. While we are currently promised it will only be used in exceptional cases, there is still the possibility it may be used for lesser crimes, including civil matters.
As this bill is the first of its kind, many have grave concerns that it could set a precedent for other countries around the world. Some even speculate it may give partners in the ‘Five Eyes’ spy network the ability to circumvent the laws in their home countries that prevent them from spying on their own citizens, as requests could be funnelled through Australia.
Erosion of trust
Our trust in a particular product or service is a core reason we decide to purchase it. If we don’t trust it, or know full well it could be spying on us without our knowledge, it’s almost certain we’ll go with a competitor. Just ask Huawei!
Major manufacturers and service providers such as Apple, Facebook and Google are concerned that users will avoid their products and seek out lesser-known alternatives that are known not to comply with such requests.
Lack of independent judicial oversight
In the wake of the numerous scandals involving international intelligence agencies exposed by Edward Snowden, it seems inappropriate and a conflict of interest for an agency to issue TAN or TCN requests to someone it is itself investigating!
Similar to current surveillance laws, which require a warrant, privacy advocates are calling for such requests to be issued by a magistrate or another independent, neutral party, and for appeal options to be created for tech firms that disagree with a request.
Severe penalties for unlawful disclosure under the guise of secrecy
Unlawfully disclosing the details of a request can carry up to 5 years’ imprisonment and a 10 million dollar fine for even acknowledging “the existence or non-existence of a request or notice”. While secrecy is extremely important, there is criticism that these provisions may be used to silence or cover up abuse, such as is believed to have occurred with ‘Witness K’ in the East Timor spying scandal.
Threat of misuse
By creating backdoors and powerful tools to exploit systems, you naturally create a risk of misuse if documentation on how they function, or the tools themselves, were ever leaked. Such a thing occurred in 2017, when the hacking tool ‘EternalBlue’, which took advantage of undisclosed Windows SMB vulnerabilities, was stolen from the NSA and formed part of the WannaCry ransomware attack, which may have caused up to $4 billion in damages.
With such major risks and concerns left unanswered, it’s clear the ‘Assistance and Access’ bill is not yet ready to be written into law, regardless of which side of the debate you stand on. While such powers are needed as we move further into the digital era, they need industry support, robust privacy safeguards and the backing of the community.
The global lack of trust and the limited independent oversight, however well intentioned the bill may be, could set up the perfect storm that many fear.
What are your thoughts on the bill?