Congratulations, Australian Government! You've Just Destroyed the World's Data Privacy!
Parliament passes a bill at the last possible moment to give officials the power to weaken encryption.
Pretty much every single person in the tech industry, human rights circles, and academia warned the Australian government that forcing online platforms to weaken encryption would lead to disastrous results. Nonetheless, lawmakers are pushing forward—and it's not just Australians who will suffer as a result.
Last night, Australia's parliament rushed through the Assistance and Access Bill of 2018 right as their session was coming to a close. The bill gives various government agencies the authority to demand that tech and communication platforms provide them secret bypass routes around encrypted messages.
This is what is known as an encryption "backdoor," and it's a bad idea. Governments insist such tools are needed to fight crime and terrorism. The problem is that an encryption backdoor doesn't care who uses it: If there's a mechanism to bypass privacy security on a communication system, it can be exploited by anybody who knows how. That includes hackers, thieves, officials from authoritarian governments, and all sorts of dangerous people (including, of course, the very government people who insist they're trying to protect us). That's why tech companies have spent years fighting against the idea.
Weak encryption is a threat to the health of any tech platform that involves transferring data, and governments know that. So they insist they're not demanding encryption backdoors while attempting to enact policies that pretty much demand them.
The Assistance and Access Bill won't just grant the Australian government the power to demand that everybody from Facebook to Whatsapp help them bypass security to access private communications. The bill will let officials order companies, through "technical capability notices," to alter their programming to facilitate snooping. And it gives the government the authority to force the tech employees who implement the changes to keep them secret. Break that secrecy, and the employees can face up to five years in jail.
The legislation does state that tech companies cannot be forced to introduce "systemic weaknesses" into a platform's security, but initially the bill didn't even define what that means. Backdoors by their very nature introduce a system weakness. A definition was eventually added but it is less than clear—and given the secrecy involved, how would any outsider know whether these changes introduce a weakness? How could the public possibly trust that officials would back down when a tech company explains that a demand would create a security vulnerability?
The bill presents a worldwide threat to all of our data security. We shouldn't assume that secret surveillance tools forced into an app or online platform will be functional only in Australia. And because of the gag order, companies won't be allowed to tell the public whether it is or not.
For citizens in the U.S., the United Kingdom, New Zealand, and Canada, there's even more to worry about. These five countries have intelligence-sharing agreements. So whatever the Australian government picks up in this secret snooping can be shared with other governments as well, even if those countries themselves forbid such unwarranted surveillance.
Digital Rights Watch has absolutely blasted lawmakers for rushing through the bill at the last moment without considering most of the amendments (173 of them!) that had been proposed:
"The fundamental fact remains that the powers being handed out to law enforcement are ill-informed, badly drafted and a gross overreach," said Digital Rights Watch Chair Tim Singleton Norton.
"This Bill is still deeply flawed, and has the likely impact of weakening Australia's overall cybersecurity, lowering confidence in e-commerce, reducing standards of safety for data storage and reducing civil right protections. In its very design, it is antithetical to human rights and core democratic principles. Lawmakers are on notice that they will be responsible for the consequences of introducing weaknesses into our digital infrastructure—including adverse consequences borne by everyday people who rely on encryption to go about their daily lives in a digital society."
Despite the complaints about terrorists "going dark," one MP noted that Australia has foiled 11 terror plots since 2014 without this additional authority. Libertarian Australian Sen. David Leyonhjelm (a member of the country's Liberal Democrat Party) critiqued the bill's intrusiveness and the authorities' insistence that legislators needed to rush the bill through by Christmas as though there were some sort of threat looming if they didn't:
