The Australian Government has passed world-first legislation that gives law enforcement agencies the ability to read your communications from encrypted messaging services like WhatsApp, Signal and Wickr. Under the controversial new ‘Assistance and Access Bill’, agencies like ASIO and the Australian Federal Police will be able to request cooperation from both telcos and tech companies in their investigations.
The bill proposes three key powers:
- A technical assistance request – a company can choose to ‘voluntarily’ help, such as giving details about the development of a new online service.
- A technical assistance notice – a company is required to give assistance if they can. For example, if they have the ability to decrypt a specific communication, they must do so or face fines.
- A technical capability notice – the company must build a new function so it can assist police, as long as it does not force encryption to be broken.
Points two and three are the most alarming because they essentially compel tech companies to create backdoors for accessing encrypted messages.
Now I’m all for cracking down on terrorists, sex offenders and other serious criminals (many of whom use encrypted messaging apps to communicate), but this new law could have serious ramifications, not to mention ethical grey areas.
Here are my predictions…
It will destroy trust and brand integrity
Tech companies and telcos know how much users value privacy and security. These service providers go to the ends of the earth to ensure that customer data remains secure and doesn’t fall into the wrong hands. Robust privacy and security measures are the bread and butter of these services and without them, they wouldn’t exist.
For hardware and software providers, the Assistance and Access Bill is a huge conundrum. Vendors are caught between a rock and a hard place. The new challenge will be maintaining user trust (which will somewhat inevitably erode in the Australian market) while complying with the law.
Potential abuse of power
Authorities can exercise any of the three powers outlined in the bill only on suspicion of a ‘serious crime’ – an offence with an imprisonment term of three years or more.
No ministerial sign-off is required for technical assistance notices. Assistance notices do not require any consultation period with the communications provider and can take immediate effect. They can be issued, and subsequently varied, by delegated officers within enforcement agencies, not just by the head of that agency. These points are concerning because of the apparent lack of checks and balances, which could lead to abuse or misuse of power.
Encryption will become redundant
Encryption protocols are secure by design in order to prevent data from falling into the wrong hands. WhatsApp, for example, uses the Signal Protocol by Open Whisper Systems to provide end-to-end encryption. This configuration provides a private key for each user, which is tied to a specific device. There are no public keys, which means no other party – including WhatsApp employees – can access or view your messages.
If this new law forces the WhatsApp team to create a ‘spare key’ for authorities to use, the integrity of the encryption protocol is lost.
Another interesting point…
Because WhatsApp uses a third-party encryption system (mentioned above), it may hold an advantage. If the Signal Protocol is deployed as is to a messaging service and cannot be tweaked or reconfigured, the onus to provide backdoor access to authorities could be on Open Whisper Systems, not WhatsApp. And given that the Signal Protocol is open source and secures several different messaging apps, Open Whisper Systems would effectively be shooting itself in the foot by building a backdoor.
Australians could miss out altogether
Popular messaging services like WhatsApp may well choose to pack up shop and block access to Australian users. Technology companies could weigh up the value of the Australian market against the impact this new legislation will potentially have on their global brand and reputation. If the cost is seen as too high, they could opt to pull their apps from the Australian marketplaces. This is unlikely to happen, but is entirely possible. Remember when the US Amazon marketplace stopped shipping products to Australia earlier this year to protest a new GST law? Fortunately, Amazon recently reversed this decision in response to overwhelming customer feedback.
New services will emerge
Despite the intense competition in the instant messaging space, new services are launching regularly. Crooks will simply switch between messaging platforms, favouring those with relatively low profiles. By the time authorities are onto it, the bad guys will have already moved on. When the FBI shut down the Silk Road website, which used the Dark Web to sell just about every illegal product and service imaginable, barely a day passed before multiple copycats surfaced. It’s a constant game of cat and mouse, with criminals perpetually one step ahead.
Legal workarounds will ensue
Big tech companies have an army of expensive lawyers at their disposal and, rest assured, these legal practitioners are adept at finding loopholes. There are almost always workaround options and contingencies. For example, many large corporations set up their headquarters in Ireland and operate local offices as subsidiaries to avoid high tax bills. A similar strategy to skirt the Assistance and Access Bill may involve moving various resources and capabilities offshore.
Some companies will just flat out refuse to comply
The world’s most popular encrypted email service – ProtonMail – is already saying ‘go f**k yourself’ in response to the new law, arguing that if the bill forces companies to create ‘deliberate vulnerabilities’ in their security protocols, these could be exploited by others and compromise the security of all. ProtonMail – based in Switzerland – says it’s only bound by Swiss law, which offers some of the strongest privacy protection in the world for both individuals and corporations.
If other services follow this lead, it does raise the question: ‘What can/will Australian authorities do about it?’ Probably not much.
It undermines legitimate use cases
While we all (should) have the right to private and secure communications, there are some situations where this is paramount. Journalists use encrypted messaging services as a way to protect sources. Politicians use them for policy discussions. This new law threatens the sanctity of messaging platforms as trusted tools that facilitate secure communications.
So all-in-all, this new legislation, in my view, will do more harm than good. I’m anticipating more backlash, lawsuits and complications than I am an increase in the number of criminals being brought to justice. But I’m happy to be proved wrong.
What are your thoughts on this new law? Please feel free to share your comments.
If you disagree with the new legislation, you can make your voice heard by signing this petition. Please share this with your friends, family and colleagues.
Let’s ensure a safe and secure digital environment for all Australians.
Content marketer, blogger, author and tech geek.