It's tough not to be cynical about the government when it seems most of their policies are self-serving and uninformed. Take the recent encryption-busting law passed by the Australian Parliament under the guise of addressing national security concerns.
What New Law?
For those who haven't seen the extensive coverage, a new anti-encryption law was introduced as a supposed amendment to the Telecommunications Act of 1997. Known as the A & A (Access and Assistance) bill, it was passed on December 6, 2018. This law forces telecommunications companies in Australia to allow the government and law enforcement agents backdoor access to encrypted communications. The wording states that requests for access are "voluntary and mandatory," but companies who refuse to comply can face fines of up to $7.3 million; individuals will face prison time.
But there’s an even more insidious element: law enforcement doesn't have to get permission from the courts or the provider company to get what they want.
This bill allows them to bypass regular channels and compel IT specialists, or anyone else with access to the company's security protocols and updates, to give them access to data on demand, even if it's done in secret without informing the company owner.
The rationale for this law is that such access is necessary to fight terrorism and other crimes. Privacy and human rights advocates disagree.
Who Does This Bill Effect?
According to the bill's sponsors, it will only affect drug smugglers, paedophiles, terrorists, and other dangerous criminals. The basis for the law, which was championed by such anti-encryption foes as Home Affairs Minister, Peter Dutton, is that criminals use encrypted communications. Not having unfettered access to their messaging systems and phone conversations hampers law enforcement efforts and investigations.
The reality is that this is a slippery slope toward further infringement on privacy by a governing body that has no idea how technology works. The bill was opposed by technology and cyber security experts, human rights activists, and corporations inside the tech industry and out.
It was also initially opposed by the Labor Party, but they withdrew their objections after a promise from a majority headed by the PM and his AG, Christian Porter, to address their concerns at a later date in exchange for their vote now.
This only reinforces concerns that the process is being rushed without listening to cyber security and IT experts, and with no input from the public.
Should Non-Tech Savvy Government Officials Make Decisions About Technology?
A recent survey of more than 500 IT security professionals found that 88 percent believe government officials should be required to undergo training in basic cyber security. Furthermore, less than 40 percent of those polled think people in government understand the risks facing cyber and physical infrastructure.
Those in favor of the amendment, who are in the minority, would have you believe that anyone who objects to it is in favour of crime and terrorism. Are these the people who should be making decisions about technology given their lack of knowledge?
Objections to the bill are threefold, and they come from all sectors of society:
- The wording is too broad and vague, opening the door for abuses and government overreach while limiting effectiveness toward the stated purpose of the bill.
- It has the potential to make sovereign nations or companies subject to Australian law. The internet and telecommunications apps aren't necessarily limited by borders, and neither are the billions of people who use them. Enforcing laws in one country could infringe on the rights of companies and individuals outside of its borders and legal jurisdiction.
- The "good guys" won't be the only ones with this access. If one country insists on gaining access to encrypted devices and platforms, repressive regimes will demand the same. It also allows covert ops to extend beyond the physical limitations of geography without ever leaving their home country.
The Problem of Unintended Consequences
The Australian government's solutions to criminal threats are knee-jerk and uninformed at best. The continued push of Five Eyes Alliance members toward anti-encryption legislation doesn't just undermine personal privacy and consumer trust in tech providers. It could also undermine their own intelligence-gathering capabilities by weakening their encryption.
This isn't the first attempt by a government to encroach into the realm of tech security. Legislators in the US, UK, and other countries have attempted to pass similar laws. So far, they've been beaten back by court challenges and corporate resistance.
Companies may simply decide not to do business or provide services in Australia over concerns about data integrity. Apple already stood up to the FBI over data access in the US, and they've strenuously objected to the Investigatory Powers Act in the UK in addition to opposing this new law in Australia.
How do you think government encryption backdoors will impact cyber security?