In a move that is being greeted with horror and disbelief by cybersecurity experts and technology developers, Australia’s Senate has passed into law a bill that would compel technology companies to provide what is effectively a “back door” to users’ encrypted communications. The Guardian described the rushed legislative process as an “imbroglio of omnishambled batshit chicanery,” and the resulting law seems to be about as well thought through as that implies.
Though advocates call the legislation a move against “terrorists and paedophiles,” critics say it is a threat to law-abiding citizens and will weaken Australia’s technology sector, without actually doing much to stop the criminals it’s aimed at. The Electronic Frontier Foundation has described the bill as “disastrous.”
The bill, which will be subject to a hazy committee review and amendment process next year, gives the government several new powers. The most immediately striking is what’s termed a “technical capability notice,” in which authorities could compel a company to build a new capability to access user information into existing or planned technology. Though the bill specifies that this capability cannot introduce a “systemic weakness” into a platform such as WhatsApp, there is widespread consensus among security experts that the creation of any such backdoor creates an attractive new target for malicious hackers.
Australia’s legislation may be the clearest explicit command from a major democracy to enable systemwide backdoors to encrypted services.
Tech giants Cisco, Apple, and Mozilla have previously said as much about the this type of access. Even Facebook—hardly known for giving a damn about its users—has stated that “it’s impossible to create any back door that couldn’t be discovered — and exploited — by bad actors.”
The bill, then, would decrease the personal security of law-abiding citizens in Australia. If mandated backdoors were to spread through global versions of software, it could also threaten the safety of dissidents and activists in authoritarian societies. Meanwhile, as pointed out by Australian engineer Dan Draper, backdoors could be easy for actual criminals to circumvent simply by wrapping Telegram or Whatsapp messages in open-source PGP encryption, only crackable by “directly accessing that user’s physical device.”
Other implications of the bill seem to have been ignored. “The AA Act strips any trust the rest of the world might have in Australian technology,” says Danny O’Brien, International Director for the Electronic Frontier Foundation, because users would assume it to be compromised. According to Australian security advocate Asher Wolf, encryption backdoors are also incompatible with European data law.
Individual developers could also be placed in a precarious position. In the words of one Australian coder, “I could be fired by my company for implementing government backdoors, or go to jail for saying no.” Another wrote that the law’s impact on coders “is akin to requiring a doctor to infect a patient or an engineer to weaken a bridge.”
Perhaps most troubling of all, because the bill contains provisions preventing the disclosure of government-mandated backdoors, it could present a liability to white-hat hackers paid to look for unintended security vulnerabilities, and even discourage software vendors from conducting thorough security testing.
Other liberal-democratic countries have struggled to balance citizens’ privacy with a desire to combat criminal use of encrypted messaging. In September, the U.S., U.K., Canada, Australia, and New Zealand, the so-called “Five Eyes” intelligence-sharing coalition, called on tech companies to build government backdoors to encrypted products, threatening to exert other approaches if voluntary compliance didn’t follow.
Australia’s legislation may be the clearest explicit command from a major democracy to enable systemwide backdoors to encrypted services. In the U.S., the FBI has repeatedly clashed with Apple in a quest to compel either the creation of a backdoor, or case-by-case access to suspects’ devices. So far, no court has managed to compel Apple to comply with either sort of request. Meanwhile, however, the U.S. National Security Agency has secretly devoted resources to subverting digital encryption methods, with reportedly significant success.
The U.K. in 2016 passed the “Investigatory Powers Bill,” sometimes referred to as the “Snooper’s Charter.” In addition to formalizing the U.K. government’s power to hack into systems in the course of an investigation, the act included language that, while convoluted, required “removal of electronic protection” at government request. That effectively, according to The Register, introduced the possibility of mandated backdoors, though with relatively strong oversight. (In April of this year, however, the European Union ruled that the act was incompatible with E.U. law and should be rewritten, though whether that will remain in force with Brexit on the horizon is unclear).
It seems likely that there is no true “middle ground” in the debate over encryption backdoors. Just as you can’t be a little bit pregnant, digital communications can’t be “mostly” private. But the Australian government, according to its critics, hasn’t even tried to strike a balance, instead rushing to trade the real possibility of privacy for the fleeting illusion of safety.