杏吧原创

Australia’s anti-encryption law is hurting press and personal privacy

Many politicians are calling for anti-encryption laws. Australia has already implemented one, and it is damaging tech firms, user privacy and freedom of speech
Australia
Tech firms in Australia say their products could be seen as less secure
Jason Reed/Reuters

POLITICIANS around the world are calling for so-called back doors to let them read messages on encrypted chat apps. But the surprising fall-out from Australia鈥檚 sweeping new encryption regulations reveals that such breaches of privacy can have unexpected consequences.

During her time as UK prime minister, Theresa May repeatedly called for tech companies to provide her government with ways to access encrypted messages, believing that terrorists were using them to communicate.

This sentiment hasn鈥檛 gone away. In late July, the UK鈥檚 new home secretary Priti Patel said messaging apps shouldn鈥檛 鈥渆mpower criminals鈥 by providing a sealed-off means of communication. Meanwhile, the Trump administration in the US reportedly met recently to debate whether to ban methods of encryption that law .

But in Australia, a law approved by parliament in late 2018 has raised strong privacy concerns, without much evidence that the introduced measures have helped thwart any crime. Leaders of other nations looking to manage encryption would do well to study the country鈥檚 cautionary tale.

Encryption is a mainstay of digital services like online shopping, email and messaging apps. It means that information is scrambled unless your device has the cryptographic key.

A form of this technology called end-to-end encryption has gained popularity in the past few years. Offered by apps like WhatsApp and Telegram, it means that messages are never stored in a decrypted form by the service provider, so they can鈥檛 ever read them. That is a strong draw for some privacy-minded individuals.

鈥淭hese services are designed from the beginning so that the service provider doesn鈥檛 know what is being communicated,鈥 says Vanessa Teague at the University of Melbourne, Australia.

Nevertheless, governments want a back door into such systems. This was the impetus for the most controversial part of Australia鈥檚 new law, the . It gives law enforcement and intelligence agencies three main powers.

First off, they can ask tech firms to help them access a user鈥檚 communications. If the company doesn鈥檛 want to, the agency can compel them to by issuing a technical assistance notice. If a company says it can鈥檛 comply because its technology doesn鈥檛 allow it, then the government can force it to make changes to its service that would allow compliance.

How that works is a matter of debate. One reading of the law is that companies can be forced to hack their own users, for example by installing what is effectively malware to read their messages before they are encrypted (see 鈥淪neaky peeks鈥, below).

Sneaky peeks

In 2013, Edward Snowden, then working for the US National Security Agency, revealed the details of an agreement between the NSA and several tech companies. The firms gave the agency covert access to their users鈥 messages聽鈥 a secret back door.

After these revelations, many聽firms began offering end-to-end encryption, meaning they never store decrypted messages. It is almost impossible to break modern encryption, so these firms can鈥檛 provide a back door.
But there is a loophole: if聽someone can access your smartphone, they might be able to sneak a look at messages before they are encrypted.

In submitted to the Australian parliament, Apple said such measures could, for example, 鈥渁llow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person鈥檚 home鈥.

The government has said it won鈥檛 force companies to introduce a 鈥渟ystemic weakness鈥. That phrasing is contentious. It is possible for even subtle changes to computer code to introduce vulnerabilities that hackers can exploit, sometimes without being detected for many years. This means that almost any change that the government forces firms to make could have the potential to endanger people鈥檚 privacy.

Unsurprisingly, this law has made tech companies concerned over the future of their sector in Australia. Microsoft has said companies it works with are no longer comfortable about storing their data there. And a survey of people working in the country鈥檚 cybersecurity industry found that the third-highest concern was consumers perceiving their products as less secure thanks to the new law.

Although framed as targeting terrorism, the law鈥檚 scope includes a range of relatively minor crimes, from white collar offences like copyright infringement to growing and selling marijuana.

An unexpected impact of this has been high-profile searches of journalists鈥 property. For example, in 2018, reporter Annika Smethurst exposed secret emails between Australian public servants discussing a plan to allow the country鈥檚 cybersecurity agency to covertly monitor citizens. On 4 June, the federal police raided her home and searched her electronic devices to find the source of her story. Police have also raided Australian Broadcasting Corporation offices in Sydney using the same powers.

Previously, police would have required a special warrant to search through a journalist鈥檚 digital notes. The new encryption law has granted them the power to 鈥渁dd, copy, delete or alter鈥 material that they find on any of a journalist鈥檚 devices without necessarily having a warrant.

Lizzie O鈥橲hea, a legal expert at Digital Rights Watch, says the new law also gives the police power to install malware on a journalist鈥檚 phone and get information that way, without anyone knowing. 鈥淲ho knows what kinds of things are happening under the cover of secrecy,鈥 she says.

What tech firms have said about Australia鈥檚 encryption law

鈥淭his bill could allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person鈥檚 home鈥
Apple ()

鈥淭he underlying assumption of the Act, that a security vulnerability can be created for a targeted technology without creating a systematic weakness or vulnerability, is technically flawed鈥
Amazon

鈥淭he law has created uncertainty for our staff and our customers. It places the tech industry in a chokehold鈥
Scott Farquhar, co-founder of software firm Atlassian

There are worries that this will have a chilling effect on whistle-blowers and journalism. Riana Pfefferkorn, at the Center for Internet and Society at Stanford Law School in California, to make this point in June.

Have the new regulations helped investigate and prevent terrorism? Australia鈥檚 home affairs minister Peter Dutton has said that the law has played a 鈥渧ery positive role, in a number of investigations鈥.

Yet if people want to get around the law, they may be able to, says David Tuffley at Griffith University in Queensland. For example, they could use services from companies based outside Australia that aren鈥檛 inclined to comply with the country鈥檚 rulings.

What can politicians in other countries take from all this? Australia鈥檚 experience seems to underline that it is extremely difficult to enable a back door into encrypted messages without threatening civil liberties and tech businesses.

Many campaigners in Australia want the law scrapped. 鈥淐ivil society organisations have been calling for a wholesale repeal of the act,鈥 says O鈥橲hea. Failing that, one way to ameliorate the effects would be to require judicial oversight of the powers, she says.

There is some possibility that this could happen. Two reviews of the law are due to report early next year and they may recommend such changes.

Things might play out differently in other countries, because Australia is one of the few liberal democracies without a bill of human rights. If politicians in the UK or US introduced an encryption law, citizens would have human rights legislation as a protective counterpoint.

Topics: Government / Law / Privacy / security