Australia’s New Encryption Law portends bad things for personal privacy

The new encryption law was voted on yesterday and could be finalized before Christmas

Let’s talk about Australia’s new encryption law. As we cross off the final days on our 2018 calendars, one of the biggest takeaways from this past year has to be that nothing happens in a vacuum on this planet anymore. We saw the European Union’s General Data Protection Regulation send companies and organizations across the world scrambling. We’ve watched as tariffs and trade wars halfway around the globe have had tangible effects on the homefront. More than ever, we are operating in a truly global, highly interdependent economy where the legislation and regulation in one region can have profound impacts around the world.

That’s why Thursday’s decision by the Australian parliament to pass its new encryption law could potentially be so problematic for the rest of the world. Australia is a country of about 25 million people. That would make it the third largest state in the US, behind Texas, ahead of Florida. To give you a sense of just how much influence the decisions of a single government (albeit an influential one) can have on the rest of the world, consider this: estimates hold that there are more than 7.5 billion people on Earth. Australia represents about .003 of the Earth’s population. But that .003 is about to have an out-sized influence on the future of encryption and personal privacy.

Today we’re going to talk a little bit about Australia’s new encryption law, we’ll talk about what it could mean for the tech industry and personal privacy around the world, and we’ll clear up a few misconceptions along the way.

Let’s hash it out…

What is Australia’s New Encryption Law?

Before we get into the specifics of the legislation and some of the palace intrigues that developed over the final hours of the Australian parliament’s 2018 session, I’d like to first pay homage to how few punches the Australian press seems to pull with regard to covering its legislature. I can’t speak for other countries, but in the US we tend to grant our legislature a level of deference, and act with a certain decorum that quite frankly isn’t merited most of the time.

Not so with Amy Remeikis of The Guardian:

And with that imbroglio of omnishambled batshit chicanery that was the final sitting of parliament, we are going to close the blog down for the night.

You had me at imbroglio, Amy.

By all accounts, this entire situation was muddled and confused and – as governments are wont to do – the end product fell short of literally everyone’s expectations. Part of the issue is that this entire piece of legislation was rushed. Parliament had its back up against the wall, given that a recess was coming and it was loath to push this into the next session, citing “protecting Australians during Christmas/the Summer holiday” as the reason to ram this through on the final day.

And because of the speed with which it was rammed through, it had to compete with other proposed legislation, one of which would have provoked government drama centering around a refugee situation on an island called Nauru. That caused a standoff that ultimately ended in an encryption bill being passed without any amendments being made to it, the Nauru bill not getting passed at all, and the entire parliament adjourning with a very dangerous precedent set to become law.

Here’s the key component of the law:

By a count of 44-12, Australia passed a law that will give the government’s security and intelligence agencies the legal authority to compel tech companies (like Signal and WhatsApp) to break their encryption.

How is the world reacting to Australia’s new encryption law?

Immediately following the vote, Morry Bailes, the president of the Law Council of Australia criticized the legislation:

“The half-amended encryption access laws rammed through the Senate are better than the original, but serious concerns remain. We now have a situation where unprecedented powers to access encrypted communications are now law, even though parliament knows serious problems exist. This is what happens when you compromise a committee process and allow the work of parliament to be rushed and politicised. Next year, as well as passing the remaining amendments, the intelligence and security committee needs to be brought back into the frame to get these laws right.”

The legislation still has to be rubber-stamped with royal assent, but that could happen before Christmas.

In the meantime, the tech industry is going to be scrambling. And the patchwork legislation in other countries could complicate things even further.

Australia is a part of the Five Eyes Intelligence Alliance, which released a rather dunderheaded statement earlier this year calling for the tech industry to willingly weaken its encryption to better comply with legal requests for access. And while Australia is the first of the countries in the alliance to make good on the threat of legislating these issues, Christopher Wray, the current director of the US FBI, has already made similar threats, too.

The Five Eyes Alliance has clout, too. From an international relations standpoint, the information-sharing alliance clearly makes China and Russia uncomfortable. But in a more practical sense, the five members of the alliance are regarded as some of the most progressive countries in the world. So when a country like Australia feels comfortable making this kind of a move against its own citizens’ digital privacy, it gives ample political cover for more repressive governments around the world to do the same.

It’s not hard to imagine how this issue breaks with certain camps. The pro-government, security-first camp thinks it’s a much-needed tool for law enforcement. Rodger Shanahan, a research fellow at the Lowy Institute for International Policy, told the New York Times that the bill addressed a legitimate need to give the authorities access to encrypted data.

“I know it’s a very sensitive issue, but the people arguing privacy just don’t have a handle on how widespread it’s used by the bad people,” he said. “It’s pretty universal.”

Personally, I think that’s a bit insulting because it misrepresents the way that the privacy camp actually views this issue, but… politics.

In terms of entities with opinions that actually hold weight, Apple has made no secret of its distaste for this legislation. It filed a brief in opposition, stating:

“…the idea that weakening encryption is necessary to aid law enforcement… In just the past five years alone, we have processed over 26,000 requests from Australian law enforcement agencies for information to help investigate, prevent and solve crimes.”

Already some analysts are predicting that Apple – which had a high-profile dispute with the FBI over unlocking an iPhone a few years ago – could reduce its presence in Australia. Apple and its battle with the FBI actually serve as a fairly interesting test case, if only because they demonstrated how unbelievably ill-equipped our current laws are when dealing with this issue.

The FBI relied on the All Writs Act, which was first established in 1789 and saw its last major reworking in 1911, while Apple made a number of fairly bizarre arguments that, as Facebook found out a few years later, were completely untenable.

The question isn’t whether we need to update our laws, it’s whether doing it this way is the right method.

Why is breaking encryption a bad idea?

Let’s clear up a few things. First of all, the encryption that this legislation is referring to is end-to-end encryption like you see on messenger apps. Really, at its heart, this is just a ham-fisted attempt to access the communications of criminals or terrorists.

And that is absolutely a worthwhile goal, it’s just something that needs to be done in a way that doesn’t inadvertently (or even advertently) impinge on everyone else’s right to privacy. And that’s where there seems to be a real disconnect. Even bodies like the UN have stated that law enforcement needs to get better at using the tools they already have at their disposal before compelling companies to break their own encryption.

And beyond that, just about any cryptographer or security professional with a solid understanding of encryption will tell you that there is no way to achieve what is being requested without completely undermining that entire cryptosystem for everyone.

Part of the issue with this debate is that one thing that seems to unite people all across the world is a distrust of government. It’s not as if the entities that are demanding broken encryption all have unblemished track records. So exactly how much power do we want to give these entities? And can we trust them with these powers? It wasn’t that long ago that the NSA got hacked, and all of its tools and tricks leaked on to the internet. And right now, security teams across the world are still dealing with those effects.

These are important questions that need to be debated by informed parties that can accurately identify and then weigh the risks and the benefits that new legislation might bring. Charles Duan, a senior fellow at the R Street Institute, in an article on the Lawfare blog proposes a three-question test for any new legislation:

First, we ask whether there is empirical evidence for the need for extraordinary access. Second, we ask whether an acceptable technology already exists for such access. Last, we ask whether adequate policy and legal frameworks can be developed to put that technology safely into practice.

That would lead to a thoughtful, and hopefully productive debate on how to proceed on a very complicated issue.

Unfortunately you can’t really accomplish that when you try to ram a bill through parliament on the last day of session.

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.