Australia’s Assistance and Access Bill – A threat to privacy
Since 2017, there have been talks in Australia about a new bill that would require tech and communications companies to cooperate with government agencies and authorities to decipher encrypted messages. The Australian government seems convinced that being able to access encrypted messages is crucial to investigating terrorism cases. According to Australian authorities, most messages intercepted by them during their investigations were encrypted. As a result, a bill proposal known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 has been drafted to act on the issues that the police face with encrypted communications.
While it is not possible to intercept secure end-to-end encryption without implementing a backdoor, the government is determined to get access to communications that are protected. Under the legislation, law enforcement would be allowed to get access to specific messages without putting the security of a network at risk. The law is meant to prevent any intentional weaknesses or backdoors from being implemented on communications that have been securely encrypted. What the government doesn’t seem to understand is that a backdoor would be the only method to break e2e encryption. Although the law states that companies are not to implement systemic vulnerabilities into their technology, the government could still ask businesses to weaken the encryption or to fully remove it for specific users.
How does the government intend to make the bill effective?
The bill mentions three methods that will allow high-ranking officials to request information from companies. The first method is known as a voluntary “technical assistance request”, which is meant to encourage businesses to willingly provide access to the content of their customers’ communications. The second method is a “technical assistance notice”, which forces companies to help the government decrypt messages if they have the technical capacity to do so. Last, but not least, there is another, even more effective method: a “technical capability notice” in the shape of a warrant that forces companies to develop technology that allows them to grant authorities access to encrypted communications.
The issue with the law
The proposed law has been called into question for its contradictions and for ignoring the basic principles of secure e2e encryption. While the legislation states that it won’t force companies to weaken encryption, the technical capability notice mentioned above is simply a request to implement backdoors. This provision of the law is based on the idea that companies must be able to break their own encryption platforms. This is not possible without making the encryption vulnerable or implementing backdoors. Pretending that firms are able to let the government access encrypted messages without breaking their own encryption technologies is absurd.
Who is subject to the law?
As per the draft bill and the explanatory document that was published at the same time, the legislation would apply to all foreign and local companies involved in communication, manufacturing of devices and components, as well as traditional service providers and carriers. This means that the law would apply to major names like Google, Apple, Facebook and Microsoft. Encrypted messaging services such as WhatsApp and Telegram, and email services, will also be covered by the legislation. The law poses a significant dilemma for these companies because by weakening their technologies to help authorities fight crime, they would also leave their consumers exposed to cyber fraud. For businesses, earning the trust of their customers is essential, so the law could have not only a serious impact on security, but also an economic impact.
It is clear that the government has missed important points while drafting this bill, and even major companies are concerned that the global policies meant to establish surveillance legislation that can coexist with freedom of expression and privacy rules are being ignored. The Bill is on its way to Parliament, so it is crucial that the government allows people in Australia to get involved in the discussion regarding the implications of the legislation and the principles that are set to be followed. One of the main aspects that the government is overlooking is that when access to encrypted messages is granted to authorities, a vulnerability in the system is created and cyber criminals can take advantage of this.
Weakening encryption
Strong end-to-end encryption relies on mathematical cryptographic principles that cannot be undone. What this means is that in order to fulfill the requirements of a technical capability notice, companies have to make their encryption weaker, which means that they need to implement a backdoor. This presents a huge problem no matter how you look at it: if encryption is working as it should, the bill is asking companies to achieve something that can’t be done. If data has been properly encrypted, it shouldn’t be possible to access it. If the bill passes, companies will have to break their own encryption and install backdoors to comply with the law, which also means that users will see the privacy and security of their data compromised.
The draft legislation is currently available for public debate and it will remain so until September 10, 2018. After that, the bill will be considered for amendments before it can move forward to the Parliament. If the bill passes into law without any changes, the effects can be devastating. People won’t be able to trust communication providers and won’t be able to use their devices on a daily basis without fearing for the safety of their data. This can also have an impact on the companies that have invested a lot of effort and money throughout the years to earn the public’s trust. Australian citizens who want to make their voice heard are encouraged to submit their questions and concerns to the following email address: AssistanceBill.Consultation@homeaffairs.gov.au