A controversial Australian bill, which could give the government access to data protected by end-to-end encryption, was passed Thursday.
The bill, called the Assistance and Access Act, empowers Australian police to essentially force companies (that are operating in the country) to help the government hack into systems, plant malware or insert backdoors.
Security experts and tech companies argue that the newly passed law will weaken the overall data security of all Australians – and will set a dangerous precedent for other governments globally. Tech companies, for their part, also worry that the act will erode consumer trust in their products and platforms.
“This new law will have an unfortunate impact on Australia’s citizens and technology industry,” said Terrie Anderson, APAC Regional Director of Venafi. “Simply put: it is not feasible to force organizations to create backdoors into their products and have them comply with the consumer protection standards outlined in GDPR.”
The Assistance and Access Act
Supporters of the bill, including Attorney General Christian Porter, say it could help the government combat terrorism groups that are potentially using encrypted communications to avoid detection.
The act enables the Attorney-General (who has obtained a warrant to spy on someone) to compel access to that person’s data through different tiers of “technical notices.” A notice could require an organization to build a new capability that would let it give authorities access. Essentially, a technical capability notice requires organizations to devise a way to crack their own security systems.
These notices cover an array of capabilities, including potentially installing malware on users’ devices as a way to work around encryption, modifying the service being provided (including potentially blocking messages), and assisting law enforcement without alerting the end user.
For secure messaging services (including WhatsApp, Signal, or Wire), the new law could enable the government to spy on users’ messages, according to an analysis by Danny O’Brien of the Electronic Frontier Foundation.
Essentially, while users’ messaging interfaces will claim they’re in a one-on-one conversation, “behind the scenes, the company will be required to silently switch you into a group chat,” O’Brien said in his analysis. “Two of the people in the group chat will be you and your friend. The other will be invisible, and will be operated by the government.”
In the case of Apple’s iMessage, O’Brien said, “Apple would be compelled to silently add new devices to the list apps think you own: when someone sends you a message, it will no longer just go to, say, your iPhone, your iPad, and your MacBook – it will go to those devices, and a new addition, a spying device owned by the government.”
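The attack O’Brien describes only works if a client encrypts to whatever recipient list the server hands it. The following added example (not code from the article, the EFF, or any messaging vendor) shows the defensive counterpart: a client that pins the devices a user has already verified and flags any addition or key change instead of silently including it. The same audit applies to a group-chat roster as to a per-contact device list. All device identifiers and key bytes are constructed placeholders.

```python
"""Client-side check against a silently added recipient device (constructed example).

A ghost device or ghost participant relies on the client trusting the server's
recipient list. Pinning verified devices and auditing the advertised list against
them turns a silent addition into a visible warning.
"""
from dataclasses import dataclass, field
import hashlib


@dataclass(frozen=True)
class Device:
    device_id: str
    public_key: bytes  # constructed placeholder bytes standing in for a real identity key

    def fingerprint(self) -> str:
        # Short digest of the key, analogous to the safety number users compare out of band.
        return hashlib.sha256(self.public_key).hexdigest()[:16]


@dataclass
class PinnedContact:
    name: str
    trusted: dict = field(default_factory=dict)  # device_id -> fingerprint at verification time

    def pin(self, device: Device) -> None:
        self.trusted[device.device_id] = device.fingerprint()


def audit_recipient_list(contact: PinnedContact, advertised: list) -> dict:
    """Compare the server-advertised device list with what the user previously pinned.

    Returns devices that were never pinned ("unknown"), pinned devices whose key no
    longer matches ("changed"), the pinned-and-unchanged devices it is safe to encrypt
    to ("safe_targets"), and a "clean" flag that is True only when nothing was flagged.
    """
    unknown = [d for d in advertised if d.device_id not in contact.trusted]
    changed = [d for d in advertised
               if d.device_id in contact.trusted
               and contact.trusted[d.device_id] != d.fingerprint()]
    safe_targets = [d for d in advertised
                    if d.device_id in contact.trusted
                    and contact.trusted[d.device_id] == d.fingerprint()]
    return {"unknown": unknown, "changed": changed, "safe_targets": safe_targets,
            "clean": not unknown and not changed}


# Constructed sample data: the three devices from the iMessage example above...
KNOWN_DEVICES = [
    Device("iphone-a1", b"constructed-key-iphone"),
    Device("ipad-b2", b"constructed-key-ipad"),
    Device("macbook-c3", b"constructed-key-macbook"),
]
# ...and one addition the user never verified.
GHOST_DEVICE = Device("device-d4", b"constructed-key-unverified")


def demo() -> dict:
    """Pin the known devices, then audit a server list that carries one extra device."""
    contact = PinnedContact("friend")
    for d in KNOWN_DEVICES:
        contact.pin(d)
    # The server now advertises a fourth device; the client must not encrypt to it silently.
    return audit_recipient_list(contact, KNOWN_DEVICES + [GHOST_DEVICE])


if __name__ == "__main__":
    r = demo()
    print("clean:", r["clean"])
    print("unknown devices:", [d.device_id for d in r["unknown"]])
    print("would encrypt to:", [d.device_id for d in r["safe_targets"]])
```

The point of the design is to fail closed: the unknown device is excluded from `safe_targets` and surfaced to the user, so a message is never encrypted to a key the user did not verify. A key change on an already pinned device is treated the same way, since a swapped key is indistinguishable from a new recipient.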
Making matters more serious, companies that refuse one of these orders can face a fine of up to $7.3 million.
The act has garnered criticism from tech companies, privacy advocates, and others who say that it creates an array of new security and privacy issues.
Tech giants such as Apple, Cisco, and Mozilla have openly opposed the act, and in particular the way it erodes customer trust in their products and services.
Apple penned a seven-page letter criticizing the act, saying it creates “overly broad powers that could weaken cybersecurity and encryption,” and that technical requirements addressed in the bill may not be practical: “We believe that the law should draw clear lines that do not put providers in criminal and civil jeopardy for violations of foreign law,” the company said.
Another concern is that creating backdoors to encryption could open obvious security holes – and ultimately lead to a situation similar to the leaked NSA EternalBlue exploit. EternalBlue was the codename for an exploit made public by a hacker group that accessed offensive hacking tools allegedly developed by the NSA.
“Giving the government backdoors to encryption destroys our security and makes communications more vulnerable,” said Venafi’s Anderson. “Government mandated backdoors will allow cyber criminals to undermine all types of private, secure communication.”
Influence on Government-Tech Industry
It’s not the first time that tension has heightened between the tech industry and government over laws on encryption and data privacy – and experts warn that it’s not the last.
In fact, Australia’s recent act was modeled on the U.K.’s Investigatory Powers Act 2016. This act tries to set up a similar framework that would force companies to give the government access to users’ data.
In August, the governments of the US, UK, Australia, Canada, and New Zealand, known collectively as the “Five Eyes” nations, discussed at a meeting a statement that included taking a stronger stance on encryption.
“The Governments of the United States, the United Kingdom, Canada, Australia and New Zealand are committed to personal rights and privacy, and support the role of encryption in protecting those rights… However, the increasing use and sophistication of certain encryption designs present challenges for nations in combating serious crimes and threats to national and global security,” the proposal said.
While no such law has come close to passing in the U.S., the United States has had its own conflicts with tech companies over data privacy. In 2015, Apple faced a legal standoff with the Federal Bureau of Investigation over the seized iPhone of San Bernardino killer Syed Farook. In 2018, FBI Director Christopher Wray called unbreakable encryption, such as Apple’s, an “urgent public safety issue.”
Moving forward, O’Brien of the EFF called for Australia to revisit its privacy and security policies regarding the Assistance and Access Act – before other countries decide to start adopting similar laws.
“If the country continues to walk down this road, then it’s only a matter of time before only back-doored communication tools run by compliant multinational tech companies are permitted in Australia; and all other services and protocols will face government-mandated blocking and filtering,” he said.