On the last day of the legislative session, Australia’s government voted to force backdoors in encrypted messaging.
Presented as a counter-terrorism measure, the new legislation would apply to companies, forcing even non-Australian firms to install backdoors in their tools, for Australian spooks and cops to use to spy on Australians.
Under the new rules, Australian police and security services can get court orders to require tech companies and their employees to backdoor their encryption, serve malware and spyware to their users, or do anything and everything else that will decrypt the messages of the court order’s subject. If companies refuse, they could face fines of up to AU$10m (US$7.2m).
Companies will also have to provide the design specifications of their technology on request to law enforcement, facilitate access to a device or service (which could include doing the police’s hacking for them), help the authorities to develop their own capacity to intrude, break and spy on the company’s own products and customers, and conceal the fact that any of this has happened.
All this will be achieved through three new tools:
- Technical Assistance Notices (TANs): these can require communication providers to use an interception technology that they already have.
- Technical Capability Notices (TCNs): these can require a communication provider to build new interception capabilities that can meet the requirements for compliance with a TAN. This is the backdooring requirement.
- Technical Assistance Requests (TARs): ostensibly voluntary requests which companies can turn down without risk of penalty.
Additionally, the new law could allow Australian police to force anyone to unlock their phone.
A move against encryption in the 5 Eyes
It’s a worrying development, for several reasons. First, like many recent examples of questionably-sane censorious overreach, it’s likely to be unenforceable as written. Secondly, it’s part of a worldwide trend of governments attempting to regulate the internet as if it were something it fundamentally isn’t.
The new law was railroaded through Australia’s parliament just before it broke up for Christmas, in an environment of overheated rhetoric which saw the Australian Prime Minister, Scott Morrison, tell The Australian: ‘Labor are quite happy for terrorists and organised criminals to chat on WhatsApp, leaving our security agencies in the dark.’
Energy Minister Angus Taylor went on Sky News to accuse Labor of ‘running a protection racket for terrorist networks who communicate using encrypted applications.’
Labor MP and opposition leader Bill Shorten agreed to pass the legislation on Thursday, saying, ‘I think these encryption laws were rushed, but we didn’t want to see this matter not have any conclusion. It is not a perfect solution and we want a review, but in the meantime, I’ll take half-a-win and move forward.’
The opposition Labor party has said its support is contingent on the government revisiting and amending the laws in February when Parliament reconvenes, but its decision to support the legislation prompted Crikey.com.au political editor Bernard Keane to say Australia was ‘the idiot of the global village,’ and argue that ‘Christmas [had] come early this week for hackers, organised crime and terrorists.’
We reached out to Bill Shorten on Twitter, but he didn’t reply — we’ll update this post if he does.
Lawmakers: We don’t know and we don’t care
The common assumption among lawmakers, that there’s no need to understand the digital economy or the technologies and processes that underpin it, has led to some eye-rolls.
But they show no signs of slowing down. Britain’s home secretary Amber Rudd has demanded that major tech companies step up their fight against encryption, or face new laws. Her stated aim is to ensure that extremists are not allowed to upload content at all, and she told the BBC that ‘what [technology companies] have been saying to us is using artificial intelligence, they’re beginning to make progress in that way.’
Like Australia’s legislators, Ms Rudd doesn’t think she needs to understand how technology works in order to legislate it. ‘I don’t need to understand how encryption works to understand how it’s helping – end-to-end encryption – the criminals. I will engage with the security services to find the best way to combat that,’ she reportedly told a Spectator event.
America may follow suit. In fact, the big story here isn’t so much that Australia has passed a lunatic law as that it’s a test case for the other Five Eyes countries — the UK, the USA, Canada, and New Zealand — to create an international zone of censorship, and tighten their spying grip on their own, each other’s and other nations’ citizens.
America has form in this area: previous attempts to regulate the laws of mathematics by fiat include the 1897 Indiana ‘Squared circle’ law, which attempted to mandate that Pi be 3.2 statewide. Less humorously, it also has a new Supreme Court Justice who has a history of sacrificing privacy (and the Fourth Amendment) to ‘national security,’ as defined by the executive branch and the NSA.
Presently the United Nations isn’t having any of it, and UN Special Rapporteur on the right to privacy, Joe Cannataci, has been extremely clear that any similar laws would be thrown out by a European court. After criticizing Australia’s insane legislation on the grounds that ‘the government has not substantiated the need for this Bill, asserting a growth in the use of encryption does not constitute an argument, or evidence,’ he went on to say: ‘Everybody is going to use encryption, and so they should, get over it.’
But wait, what about national security though?
Privacy, terrorism and technology
There are a couple of major questions to answer here. First, can you have a backdoor in encryption? And second, is there a link between encryption and terrorism? Are terrorists actually using encryption?
Let’s start with the first.
The consensus on this is absolutely overwhelming. No, there’s no such thing as ‘a bit encrypted,’ or ‘mostly encrypted.’ Forcing backdoors and decryption is like picking up one end of a snake. Don’t worry; you’ll be holding the whole thing soon enough. Something is either encrypted or it’s not.
Either all encryption will be weak, meaning all stock trading, ecommerce purchases, banking, and medical information will be very much easier to hack, or all encryption will be strong.
And encryption is orders of magnitude stronger in defence than offence; if you’re using WhatsApp, your messages are so strongly encrypted that it’s literally impossible to break into them by brute force — just trying lots of different keys until the right one is found by chance. It would take more computational cycles than is allowed for by the amount of matter in the known universe.
If we turned all the stars and galaxies we have ever seen through every telescope, ever, into computers, dedicated to this single task, which is itself obviously impossible… we would still fail.
Then consider outgoing Australian PM Malcolm Turnbull’s comments last year.
Confronted with the fact that the legislation he wanted was, and is, literally impossible, he replied:
‘Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.’
In case of doubt, he went on to comment, ‘I’m not a cryptographer,’ before adding that ‘what we are seeking to do is to secure their assistance. They have to face up to their responsibility. They can’t just wash their hands of it and say it’s got nothing to do with them.’
In other words, hearing ‘it can’t be done,’ Turnbull — and many, many others — hears ‘we aren’t sufficiently motivated to do it,’ where in fact he’s being given expert advice that the thing he wants does not exist and never can.
If you’d like to spend a few minutes in that world, consider this Chrome extension, which rewrites every instance of the word ‘encryption’ to ‘magic.’
My purpose in doing this isn’t to trivialize terrorism; it’s to point out that this is what many news and opinion pieces, and legislators, are actually saying anyway. We have to get some better magic in here!
Now let’s turn our attention to the second issue: do terrorists actually use encrypted messaging?
In some cases, yes, they do. But many of the more notorious terrorists of recent years did not.
The pair behind the 2016 Brussels terrorist attack didn’t use encrypted messaging, or disk encryption. They didn’t even use old-fashioned, hey-let’s-call-it-something-else encryption. They used a normal laptop and kept the details of their plan in an unencrypted folder, in English, called ‘Targets.’
The same year, the evidence was that the group behind the attacks in Paris used burner phones (buy, use, throw away), but there was no proof at all that they’d used any kind of encryption.
Some terrorists do use encrypted messaging channels. Of course they do. But as Matthew Green, Johns Hopkins Information Security Institute assistant professor, told Scientific American:
‘I think there’s this magical view that you can have FBI or NSA [National Security Agency] listen to people’s communication and this is going to stop terrorist attacks. What we’ve learned is that these terrorists are very adaptable and they will find ways to communicate no matter what you do.’
(It’s also worth pointing out that a vanishing minority of users are terrorists: WhatsApp has a billion monthly users worldwide.)
Services like WhatsApp and iMessage offer privacy as part of their service. But encryption, says Green, ‘is just math, and there are dozens of open-source encryption packages. There’s no way you could stop it.’
Dr Suelette Dreyfus, cybersecurity and privacy researcher at the University of Melbourne, told Australian news site 10daily, ‘Communications can’t simultaneously “be secure” and “be wiretap-able.” There will be smart criminals who will find and use these backdoors in all sorts of dangerous ways.’
So, to answer our own questions:
- There’s no way to build in a backdoor that doesn’t fatally weaken encryption globally.
- It won’t help and could do real damage.
And by the bye, Australia might now be the first country to ban its own vital national security research by mistake — the national equivalent of shooting yourself in the foot with a gun you keep for self-defence.
Censorship, spying and the economy
These laws are a privacy disaster and a technology farce — but they’re also an economic timebomb. Who will stay in Australia if their products are subject to destruction by secret security services fiat?
Not WhatsApp, whose parent company, Facebook, has already turned down similar demands from the Brazilian government; a Brazilian judge ordered telcos to cut off access to WhatsApp countrywide in response to Facebook’s explanation that it can’t supply WhatsApp chat logs related to a criminal investigation because those chat logs are end-to-end encrypted.
The block was lifted several hours later by the Brazilian Supreme Court, which questioned whether the lower court’s ban was reasonable and proportionate.
On Facebook’s side, at least, this is probably how it will respond in Australia; whether Australian judges and lawmakers can relate to a need to be reasonable and proportionate remains to be seen.
Apple will probably quit too, based on previous form; it’s never complied with law enforcement requests to backdoor its encryption or unlock its devices.
As Daniel Weitzner, director of the Internet Policy Research Initiative at MIT, patiently points out, ‘if a company that does business globally is suddenly told by the Australian government that it has to weaken its security, then it may think twice about whether it’s worth being in the Australian market.’
If Australia loses Facebook, Alphabet (Google’s parent company), Apple and Amazon — the four companies that jointly spoke up against the law before it passed — the results could be devastating to the Australian economy. And they likely won’t be the only technology companies that rethink involvement in Australia.
Then, there’s the question of the economic damage caused even if businesses were to comply.
Dr Daniel Potts, founder and CEO of connected-device security firm Cog Systems, is an expert in the field of distributed mobile device and IoT security and has a defence security background. His warning is a little more nuanced than ‘bad men are using it,’ but Australian lawmakers might want to read the Cliff’s notes anyway.
‘The longer you’re in [the connected-device industry], the more you’re amazed by how complex it is,’ Dr Potts told Financial Review.
‘It’s an ecosystem with a lot of global supply chains, so it isn’t as easy as just going to one provider and saying, “Hey, I need this new feature.” It might involve 50 companies, trying to do something at the device level.’
‘Even on a single device, it’s an ecosystem,’ Dr Potts goes on. ‘You’re dealing with a lot of different little things and they’re not necessarily all [accessible] even to the device maker. Which is great from a security viewpoint, but it might mean that [a law enforcement agency] would need to approach 50 companies to get what they need.’
In other words, the company that has to act to break encryption might not be the company that makes the device or the software. The knock-on effects of spying and breaking demands down these international supply chains could be gigantic, causing economic havoc outside Australia as well as decimating the country’s own tech sector.
It’s worth considering, too, what this means for the emerging crypto and blockchain spaces.
In Asia, blockchain jobs are booming even as cryptocurrency prices stagger, and worldwide the blockchain sector — distinct from cryptocurrency — is forecast to grow at a 51% compound annual growth rate from 2016 until 2020 and to cross $2 billion in revenue by 2022. But that’s far from the whole story.
Companies that are investing in and directly using blockchain technology in their worldwide supply, management and production networks include shipping giant Maersk, whose TradeLens logistics blockchain has also attracted truckers DAMCO and PLH. Diamond producer De Beers has created a provenance platform for diamonds, Tracr; Singapore Airlines has launched a blockchain-based loyalty wallet; Singapore’s PSA port authority is considering switching to the technology; so is the Swedish Land Registry.
Aside from cutting Australians off from duty free and the opportunity to purchase pristine Nordic forest, barring blockchain-enabled providers from the country could create a ‘digital border’ which heavy blockchain users wouldn’t want to cross; since the global supply chain runs both ways, we’re not just talking about putting a needless stumbling block in the way of, in Maersk’s case, a US$30m-revenue business.
We’re talking, too, about making it harder and more expensive for Australia’s farmers to sell their produce, as well as for Australians to work with or for these companies.
Companies like Maersk, hit with a cyberattack it blames for a 2017 revenue hole, aren’t likely to be persuaded of the merits of weaker encryption.
On the surface, this law is simply madness. But look a little bit deeper and you can see that even though it’s hamfisted, it’s also a testbed for a wider, international attempt to censor and monitor us all. The fact that it’s not compatible with technological advances, privacy rights, the constitutions of some of the affected countries, or even basic economic self-interest, might not be enough to stop it. Opposition from the EU and UN will help. And there’s a good chance that the laws as written are unenforceable. They’re definitely a scary sign of things to come.