The Australian Parliament passed controversial legislation on Thursday that will allow the country's intelligence and law enforcement agencies to demand access to end-to-end encrypted digital communications. This means that the Australian authorities can force tech companies like Facebook and Apple to create backdoors in their secure messaging platforms, such as WhatsApp and iMessage. Cryptographers and privacy advocates, who have always been staunch opponents of encryption backdoors for reasons of public safety and human rights, warn that the legislation carries serious risks and will have real consequences that extend far beyond the country.
The bill has been criticized for being too broad, vague and potentially dangerous. After all, the tech industry is global. If Australia forces a company to weaken its product security for law enforcement, that backdoor will exist everywhere, vulnerable to exploitation by criminals and governments well beyond Australia. If a company offers access to Australian law enforcement, other countries will inevitably demand the same ability.
"Australian legislation is particularly broad and vague and would serve as a very poor model."
Greg Nojeim, CDT
The new law also allows officials to contact specific people
The Australian legislature praised the bill anyway, saying it would provide crucial capabilities in investigating organized crime and counter-terrorism. Even the opponents of the bill in Parliament, who had originally called for major changes to the draft, finally relented on Thursday.
"We will pass legislation that is so inadequate that we can provide our security agencies with some tools they say they need," said Bill Shorten, the Labor Party's opposition leader, to reporters.
Global Impact

Although Australia is becoming a testing ground, technologists and privacy officers warn that the law will quickly affect global politics. All of Australia's intelligence allies (the United States, the United Kingdom, Canada and New Zealand, known as Five Eyes) have been lobbying for these mechanisms for decades.
"The debate on simplifying legal access to encrypted communications is mounting. There is a significant risk that the regulations will affect other countries," says Lukasz Olejnik, researcher for security and privacy and a member of the W3C Technical Architecture Group. "Once the skills are in place, there will be many parties interested in a similar approach. It would spread."
Just last week, US Attorney General Rod Rosenstein advocated "responsible encryption" at a Washington, DC symposium. The United Kingdom passed the Investigatory Powers Act in late 2016, often called the "Snoopers' Charter," which seeks to create a framework that forces corporations to give investigators access to encrypted user communications. It has so far been subject to litigation and does not allow individual claims to be made by the state, as is the case in Australia, but efforts to develop a legal framework for such monitoring requirements continue to increase.
Privacy representatives note that the Five Eyes increasingly use euphemisms such as "responsible encryption," which imply a certain balance. For example, the new Australian law has a section called "Restrictions," which states that "a particular communications provider need not be prompted to implement or build a system weakness or a systemic vulnerability."
"It's shocking to see this."
Danny O'Brien, EFF
That sounds promising in theory. But the definition suggests a double. "Systemic vulnerability means a vulnerability that affects a whole class of technologies, but not a vulnerability that is selectively applied to one or more target technologies associated with a particular person," says the Australian law. In other words, deliberately weakening all messaging platforms with the same backdoor would not fly, but developing customized access to individual messaging programs like WhatsApp or iMessage is allowed.
Increasingly, intelligence agencies and law enforcement agencies seem to want tech companies to be able to involve government officials in the encrypted communication of a suspect. For example, an iMessage conversation that you think is only between you and your friend might be a group chat that includes an investigator added invisibly. The messages would still be end-to-end encrypted, just among the three of you rather than two.
Cryptographers and privacy officers, however, are quick to point out that, as with any such mechanism, criminals and other adversaries would figure out how to exploit it, leading to an even greater public security problem, and possibly endangering the operations of the very entity that requested the workaround in the first place.
"They say, 'We agree that we will not use backdoors or undermine encryption, but we reserve the right to force companies to help us maintain all data,'" says Danny O'Brien, international director of the Electronic Frontier Foundation. "And everyone in the technical community is a bit confused because there really is not much room between compelling people to give up plain words and create a back door. This is just the definition of a back door."
For decades, cryptographers have been articulating a fundamental objection to backdoors, including in the groundbreaking 2015 work "Keys Under Doormats." The recent legislative increases, such as in Australia, have yet another wave For example, IEEE, the international association of professional engineers, unequivocally said in a June statement: "Exceptional access mechanisms would pose risks … Efforts to restrict strong encryption or introduce key filing rules into consumer products can be long-term negative impact privacy, security and civil liberties of citizens are regulated."
Privacy advocates say the new Australian law has other problems as well, especially because it's unclear when and how often investigators can make data requests, which could lead to overreach, they say, especially as the law limits the information that companies have received in some situations.
"A country's requirements for a global vendor or global device manufacturer may impact their operations on a global scale," said Greg Nojeim, director of the Freedom, Security and Technology Project at the Center for Democracy & Technology. "And there is a danger that other countries will pass similar laws to force corporations to incorporate backdoors in encryption. The Australian legislation is particularly broad and vague and would serve as a very poor model."
For people on both sides of the debate, the question now is how laws like Australia's will work in practice, and whether tech companies will require encryption. Apple, for its part, made statements protesting both the UK's Investigatory Powers Act and the new legislation in Australia before it was passed. In the US, the company went to the mat when it refused to build a tool that would make it easier for the FBI to access an iPhone of the San Bernardino shooter in 2015.
It is not clear that companies will do so, but they can effectively defend themselves as more laws emerge. This is especially true if Australia has successes for individuals, and the Australian Parliament will be the next year, but privacy advocates and technologists believe the situation has been worrying so far. "It's just shocking that this happens in Australia," says O'Brien of EFF. "The other shoe is sinking."
Fines and, above all, jail time are already draconian punishments for failing or refusing to materially affect the security of a digital product. However, the even greater danger posed by the new Australian law and the broader move to adopt backdoor-friendly laws is the logical conclusion, in which countries simply block access to technologies that provide users with robust privacy and security protection. Authoritarian states such as China, Russia and Iran are already doing this. Now the Five Eyes are closer than ever.