Australia Anti-Encryption Law Triggers Sweeping Backlash

A newly-passed Australian law could allow the government to force tech companies to create backdoors in their products.

A controversial Australian bill, which could give the government access to data protected by end-to-end encryption, was passed Thursday.

The bill, called the Assistance and Access Act, empowers Australian police to force companies operating in the country to help the government hack into systems, plant malware or insert backdoors.

Security experts and tech companies argue that the newly-passed law will weaken the overall data security of all Australians and will set a dangerous precedent for other governments globally. Tech companies, for their part, also worry that the act will erode consumer trust in their products and platforms.

“This new law will have an unfortunate impact on Australia’s citizens and technology industry,” said Terrie Anderson, APAC Regional Director of Venafi. “Simply put: it is not feasible to force organizations to create backdoors into their products and have them comply with the consumer protection standards outlined in GDPR.”

Supporters of the bill, including Attorney General Christian Porter, say it could help the government combat terrorism groups that are potentially using encrypted communications to avoid detection.

The act enables the Attorney-General, once a warrant to surveil someone has been obtained, to compel access to that person’s data through different tiers of “technical notices.” A notice can require an organization to build a new capability that lets it hand access to authorities. In effect, a technical capability notice requires an organization to devise a way to crack its own security systems.

The capabilities such a notice can demand span a wide range: installing malware on users’ devices as a way to work around encryption, modifying the service being provided (including potentially blocking messages), and assisting law enforcement without alerting the end user.

For secure messaging services (including WhatsApp, Signal, or Wire), the new law could enable the government to spy on users’ messages, according to an analysis by Danny O’Brien with The Electronic Frontier Foundation.

Essentially, while users’ messaging interfaces will claim they’re in a one-on-one conversation, “behind the scenes, the company will be required to silently switch you into a group chat,” O’Brien said in his analysis. “Two of the people in the group chat will be you and your friend. The other will be invisible, and will be operated by the government.”

In the case of Apple’s iMessage, O’Brien said, “Apple would be compelled to silently add new devices to the list apps think you own: when someone sends you a message, it will no longer just go to, say, your iPhone, your iPad, and your MacBook – it will go to those devices, and a new addition, a spying device owned by the government.”
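The two scenarios O’Brien describes (a silently added group member, a silently added device) have the same shape from the client’s point of view: the set of recipient keys the server presents grows beyond the set the user verified out of band. The following Python block is an added example, not code from the article or from any messaging vendor, showing the client-side check that a messenger can apply before encrypting: compare the presented device list against pinned key fingerprints and refuse to proceed when an unverified key appears. All device names and key bytes are constructed for the example; `Device`, `unexpected_devices` and `prepare_recipients` are hypothetical helpers, not any real app’s API.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """One endpoint (phone, laptop, ...) that a server claims belongs to a contact."""
    device_id: str
    public_key: bytes

    def fingerprint(self) -> str:
        # Short hex digest of the public key; this is the value a user compares
        # out of band (in person, over a call) when "verifying" a contact.
        return hashlib.sha256(self.public_key).hexdigest()[:16]


def unexpected_devices(verified_fingerprints, presented_devices):
    """Return the devices in the server-supplied list whose key fingerprint the
    user never verified. A non-empty result means the recipient set changed
    since verification, which is exactly the "extra invisible device" case."""
    return [d for d in presented_devices
            if d.fingerprint() not in verified_fingerprints]


def prepare_recipients(verified_fingerprints, presented_devices):
    """Decide whether a message may be encrypted to the presented device list.

    Returns (allowed, accepted_devices, flagged_devices). When any device is
    unverified the client encrypts to nothing and surfaces the flagged devices
    to the user instead of silently adding a recipient."""
    flagged = unexpected_devices(verified_fingerprints, presented_devices)
    if flagged:
        return False, [], flagged
    return True, list(presented_devices), []


# Constructed sample data: two of Bob's devices that Alice verified in person,
# and a third device that later shows up in the server's list for Bob.
BOB_IPHONE = Device("bob-iphone", b"constructed-key-iphone")
BOB_MACBOOK = Device("bob-macbook", b"constructed-key-macbook")
BOB_EXTRA = Device("bob-device-3", b"constructed-key-never-verified")

ALICE_VERIFIED_BOB = {BOB_IPHONE.fingerprint(), BOB_MACBOOK.fingerprint()}


def demo():
    """Run the check against the original list and the grown list."""
    ok, accepted, _ = prepare_recipients(ALICE_VERIFIED_BOB, [BOB_IPHONE, BOB_MACBOOK])
    print("original list allowed:", ok, [d.device_id for d in accepted])

    ok, accepted, flagged = prepare_recipients(
        ALICE_VERIFIED_BOB, [BOB_IPHONE, BOB_MACBOOK, BOB_EXTRA])
    print("grown list allowed:", ok, "flagged:", [d.device_id for d in flagged])
    return ok


if __name__ == "__main__":
    demo()
```

The same subset check covers the group-chat variant: treat each member’s devices as part of the presented set and pin the fingerprints of every member the user has verified. The check only helps while the client code itself is honest; if a provider is compelled to change the client as well as the server, no client-side comparison can detect the addition, which is why critics of the act focus on the provider-level mandate rather than on protocol details.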

Making matters more serious, companies that refuse one of these orders can face a fine of up to $7.3 million.

The act has garnered criticism from tech companies, privacy advocates, and others who say that it creates an array of new security and privacy issues.

Tech giants such as Apple, Cisco, and Mozilla have openly opposed the act, in particular because of how it erodes customers’ trust in their products and services.

Apple penned a seven-page letter criticizing the act, saying it creates “overly broad powers that could weaken cybersecurity and encryption,” and that technical requirements addressed in the bill may not be practical: “We believe that the law should draw clear lines that do not put providers in criminal and civil jeopardy for violations of foreign law,” the company said.

Another concern is that building backdoors into encryption creates deliberate security holes, which could ultimately lead to a situation like the leaked NSA EternalBlue exploit. EternalBlue was the codename for an exploit made public by a hacker group that obtained offensive hacking tools allegedly developed by the NSA.

“Giving the government backdoors to encryption destroys our security and makes communications more vulnerable,” said Venafi’s Anderson. “Government mandated backdoors will allow cyber criminals to undermine all types of private, secure communication.”

It’s not the first time that tension has heightened between the tech industry and governments over laws around encryption and data privacy, and experts warn that it’s not the last.

In fact, Australia’s recent act was modeled on the U.K.’s Investigatory Powers Act 2016. That act sets up a similar framework that can force companies to give the government access to users’ data.

In August, the governments of the US, UK, Australia, Canada, and New Zealand, known collectively as the “Five Eyes” nations, met and discussed a statement that included taking a stronger stance on encryption.

“The Governments of the United States, the United Kingdom, Canada, Australia and New Zealand are committed to personal rights and privacy, and support the role of encryption in protecting those rights… However, the increasing use and sophistication of certain encryption designs present challenges for nations in combating serious crimes and threats to national and global security,” the proposal said.

While no such law has come close to passing in the U.S., the United States has had its own conflicts with tech companies over data privacy. In 2015, Apple faced a legal standoff with the Federal Bureau of Investigation over the seized iPhone of San Bernardino killer Syed Farook. In 2018, FBI Director Christopher Wray called unbreakable encryption, such as Apple’s, an “urgent public safety issue.”

Moving forward, O’Brien with the EFF called for Australia to revisit its privacy and security policies around the Assistance and Access Act before other countries decide to start adopting similar laws.

“If the country continues to walk down this road, then it’s only a matter of time before only back-doored communication tools run by compliant multinational tech companies are permitted in Australia; and all other services and protocols will face government-mandated blocking and filtering,” he said.

Discussion

  • Anonymous on

    Sure this is FANTASY LAND wishing, but I do wish that laws like these would lead to companies PULLING THEIR PRODUCTS from a country entirely. If you're SERIOUS about encryption and privacy, then laws like these mean you have NO OTHER OPTION than to drop your product entirely (at least in that country) in response.
  • David Heath on

    Welcome to the death of the Australian innovative tech industry. Who would trust ANY Australian-developed product now?
  • WhiteHat on

    While it is important to protect privacy, in our not-so-anonymous digital world, it is also important to acknowledge that by doing so you also actively support crimes. While that's not your intention at all, one cannot "knight" him/herself as solely "the protector of the innocent". While I do not hold the solution for the controversy, at least I evaluate my actions from all angles and views. Responding solely on privacy grounds represents ignorance of all consequences, specifically those one tags as "undesirable". While undesirable, consequences of our actions should not be ignored.
  • BadGuyNumber5743 on

    There is no such thing as a key that only works for the good guys. Additionally, I would like to point out the fact that "criminals" are not all "bad". This may seem hard to understand but it becomes obvious when you look at Saudi Arabia where conversion from Islam to another religion is a crime punishable by death. An example even closer to home is the case in Indiana where the police chief is promoting as many bad cops as he can to supervisory positions. You'd be naive to think that criminals come with clear warning labels. The government imposed information dragnets often fail long before they ever have the need/chance to break encryption. Furthermore, everyone is innocent until proven guilty and thus everyone deserves protection. This law sacrifices the safety of the majority to help catch a very small portion of the population that could be caught using other methods. Finally, I work as a security professional and I can say for certain that you can't build a system that is magically secure for everyone except the "bad guys". It's either secure or it's not secure and there is no middle ground.
  • Stephen on

    Another ill-conceived idea. Let's blunder along, destroy companies, invade the privacy of whomever they feel like. Just on the off chance that 1 person in millions is doing something illegal.
  • BadGuy9274 on

    "While it is important to protect privacy, in our not-so-anonymous digital world, it is also important acknowledging, that by doing so you also actively support crimes." This statement is absolutely not true. Supporting privacy is not ACTIVELY supporting crime. We have the capability and capacity to record every single word you say as well as to record every single place that you go. Is it appropriate to do that? No it is not. Is failing to use that capability actively supporting crime? No it is not. Do you want to be able to have a private conversation with perhaps your counselor about your spouse and not have that recorded? Do you want to ensure that perhaps someone can not take that conversation and communicate to someone else who has the capacity of informing your spouse that you said something in confidence? What about your medical records? Should they be made public? Should you be required to disclose to a potential employer that you are diabetic? What about if you have trouble sleeping? Should that be considered in your job application? Privacy is important and should not be surrendered for the sake of ease of pursuit of supposed "bad guys". Regarding my example of recording your every word -- we have the technical ability, but we shouldn't use it just to make investigation of crimes easier for lazy investigators. Similarly, we don't need to decrypt all communications in order to pursue someone who is suspected of doing something "bad". Frankly, if you force commercial apps to do this, the genuine "bad guys" will simply use non-commercial apps that have high encryption and no back doors. And of course those who wrote that installation of a back door will not only be used by "good guys", it will be learned of and then exploited by "bad guys" too, are correct.
  • G’Day on

    David: regarding Australian companies. It’s worse than just companies based in Australia. It’s any company continuing to do business in Australia. If Apple (for example) continues to operate there, you must assume that all their services are back-doored.
  • John Moser on

    We have laws against arresting people, searching their homes, and doing other things to them when we can't provide a legal basis for doing so. These laws protect criminals. We know.
  • Scott on

    These laws are disgusting and passed under the guise of terrorism to spy on everyone, not just terrorists. When the crappy metadata laws were passed only a few agencies were meant to be able to see our metadata; now even local councils can apply to see it. Australia is turning into little China monitoring all citizens. WA is trying to get laws that would see tracking devices in all cars with kill switches as well. Can we really say this is a free country anymore? Because it sure doesn't feel like it with the current crew of pricks who run the place.
