Political consensus is an interesting thing to behold—especially when ruling parties and their nominal "opposition" join to force truly terrible legislation down the throats of their subjects. Take, for example, the legislative attack on privacy-protecting encryption technology that both Australia's ruling Coalition and the "opposition" Labor party joined together to inflict on that country last week.
Those Australians still cherishing a desire to protect their data from surveillance now need to turn to extra-legal means to shield their lives from snoopy officials and anybody else who might exploit legally mandated peepholes into personal information.
As always seems to be the case, Australian legislators rushed to pass the Assistance and Access Bill of 2018 at the insistence of law enforcement and intelligence agencies, which shrieked that curbs on encryption were necessary to enforce laws and forestall unspecified security threats. "Our police, our agencies need these powers now," Prime Minister Scott Morrison huffed.
And so both major blocs in Parliament conspired to ram through a bill that will not only let the government force communication providers to use existing interception capabilities on demand, but also let it mandate the creation of new interception capabilities, and even let the state "request" wide-ranging changes, such as the complete redesign of systems.
"This Bill … has the likely impact of weakening Australia's overall cybersecurity, lowering confidence in e-commerce, reducing standards of safety for data storage and reducing civil right protections," Digital Rights Watch warns. "Encryption is not a barrier to a safe society – quite the opposite – it is a form of protection against criminal acts, including state-sponsored hacking."
Not to worry, say officials. The law explicitly says that services subject to the law "must not be required to implement or build a systemic weakness."
Except, as Internet security firm Kaspersky Labs protested in a pre-passage statement on the law, "there is broad industry agreement that a third party access to encryption keys weakens encryption for all users, including those not targeted by the encryption agency." Kaspersky also frets that Australia's wide-ranging new law might put cooperating firms in breach of the laws of other countries, so that "providers may face a stark choice of which country's laws they will have to violate."
Civil libertarians pointed out that the dangerous people ostensibly targeted by the intrusive legislation are the least likely to be affected by it.
"The reality that law-enforcement grapples with is that the ability to encrypt information is itself public, the algorithms are public, the ways of generating keys are public," Paul Brooks of Internet Australia told lawmakers before they voted. "Any organisation, for good or bad, can create their own software relatively simply and communicate using it and are unlikely to respond or even be known about to receive some sort of notice."
Which is why libertarian Senator David Leyonhjelm snorted about the new law, "It won't help catch any terrorists, but it will drive the software industry offshore."
But much of the software industry is already outside Australia, accustomed to working around all sorts of intrusive national laws, and accessible to anybody with Internet access and a disdain for home-grown busybodies. Sure, the big tech firms are likely to knuckle under—they have commercial presences to maintain and the capability to comply with all sorts of requirements (although contradictory laws across international borders will be as much a problem for them as for anybody). But anybody who was placing their privacy hopes in the hands of Facebook and Google is trusting in the wrong cabal of collaborators.
Better prospects are to be found in the likes of Signal, the open-source encrypted messaging app that exists largely to give cops and snoops heartburn. Journalists working in authoritarian dumps around the world appreciate the app, which is a strong endorsement.
Signal recently lost most of its ability to use domain fronting to hide itself from censors who try to block the service, but the fact that it's working to remedy that problem and that the company celebrates "when we receive a subpoena for user data and have nothing to send back but a blank sheet of paper" suggests that Australian officials shouldn't anticipate eager cooperation from this quarter.
Protonmail is an email service that deliberately structures itself to protect privacy—in part by positioning itself under the legal protections of Switzerland. "There is virtually no way to enforce this law outside of Australia because it has no foreign equivalent," Protonmail notes of the Assistance and Access law. The company says bluntly that it "is not under Australian jurisdiction" and that "we remain committed to protecting our users anywhere in the world, including in Australia."
The similar German-based Tutanota email service warns that "the governments of the United States, United Kingdom, Canada, Australia and New Zealand (also known as Five Eyes) have made it clear that they plan to force technology providers based in their countries to enable lawful access to users' encrypted communications" and assures users that "we have made it our mission to stop mass surveillance with encryption."
Some privacy-peddling services have actually been using the Australian law as a marketing point.
"Companies based outside of Australia would have a much easier time operating without complying with the new law," encrypted internet-connection-provider NordVPN boasts on its blog. "NordVPN, for example, is based in Panama, where we aren't legally required to collect user logs."
And, as several experts continue to remind us, building encryption into new and potentially underground applications is not a huge challenge for organizations intending both good and ill. Echoing Internet Australia's Brooks, Tutanota added that even if such legislation spreads, those unwilling to submit to surveillance "will build their own encrypted tools, making it even harder for law enforcement to keep track."
That potential for overseas solutions and DIY encryption continues even if other countries decide to follow in Australia's footsteps. Privacy will remain available to criminals, terrorists, and those most skeptical of state power and willing to buck the system. The true victims will be the people who are the most deferential to their snoopy masters.