The Australian government has passed a new piece of legislation that, at its core, permits government enforcement agencies to force businesses to hand over user info and data even though it’s protected by cryptography.
If firms don’t already have the ability to intercept encrypted data for authorities, they will be forced to build tools that give law enforcement or government agencies access to their users’ data.
Needless to say, this is unprecedented.
A Backdoor for One Is a Backdoor for All
The downside to this legislation is that building tools to weaken cryptography for one purpose weakens it for every purpose.
The tools that will need to be created to intercept encrypted messages between suspected terrorists could undermine the digital security of anyone who does business with Australia or United Nations member countries.
People around the world depend on cryptography for their security in many areas of life, whether they’re shopping for things online, managing their checking accounts, or using it for private personal or business communications.
The security being subverted by this law largely happens in the background for most users. However, with this new legislation, they now have a reason to be worried on top of the regular online security concerns brought about by hackers or malicious actors. In other words, this will only make things worse.
Undermining Cryptography Jeopardizes Everyone
The law, titled the Assistance and Access Act 2018, has been criticized by large corporations all over the world, including the likes of Apple. Technology firms and representatives at the United Nations agency continue to argue that the bill will weaken the information security of all Australians, with a reach that would jeopardize the information of businesses, citizens, and societies around the world.
The truth is that there’s simply no upside to allowing tools to undermine cryptography. In doing so, Australia is jeopardizing digital security and harming the individual rights and freedoms of its citizens or anyone else who has chosen to do business in the country. And you can bet that hackers with dangerous intentions will do their best to gain access to the tools or methods that businesses will be forced to provide to the government.
When these tools exist, it will be simple for Australian authorities to share them with their counterparts in allied nations, something they regularly do.
Sharing (User Data) Is Not Caring
As it stands, Australia is a member of the Five Eyes intelligence-sharing agreement, which also includes Britain, Canada, New Zealand, and the US. The member nations share data with each other and generally don’t spy on one another. It means you can bet that the other nations in the agreement will gain access to the tools pretty quickly.
A handful of large tech companies are strongly opposed to the legislation, Apple among them. They’ve expressed concerns that cryptography and online security should first and foremost be a defense against cyber attacks and acts of terrorism.
The FAANG companies are not alone in their opposition to the bill. As it stands, governments around the world have a hard time dealing with malicious actors who use cyber attacks to subvert democracy. Recent reports show that there is a growing body of organized and well-capitalized hacker groups, many of them state-sponsored (looking at you, China).
Data Insecurity Is Already a Problem
Many pundits are alarmed at the level of technical incompetence proposed by such a bill, worrying that existing vulnerabilities in peer-to-peer (P2P) communication. Cybercriminals would jump at the opportunity to exploit these vulnerabilities and gain access to the backdoor. What’s more, many privacy-protecting applications themselves have vulnerabilities and are susceptible to attack.
Among them are some of the more popular VPNs for Australians, which promise to encrypt web traffic over a public network. However, a recent exposé by ZDNet showed that nearly 60 percent of VPN services are owned by Chinese companies. Given the ongoing concern about Huawei spying on Australian telecom networks, the possibility that Australian VPN providers are logging users’ traffic and sending it to China is cause for concern.
The Australian government, which proposes fines of up to $7 million if tech companies don’t comply, has argued that the powers it is mandating are necessary to defend its population against acts of terrorism and crime.
Tech firms are pushing back against having to introduce capabilities that might introduce a backdoor into their technology. However, politicians and lawyers have been quick to point out that, in their opinion, the legislation isn’t going to weaken any security systems.
And to make the whole situation worse, the Law Council of Australia has criticized the government for rushing the legislation through the Australian parliament. A draft version of the bill was created and submitted back in August, and lawmakers had very little time to review a parliamentary committee’s findings before voting on the bill soon after.
The opposing Labor Party reached a temporary compromise, agreeing to drop all 173 of its additional amendments on the condition that Parliament amend the bill in the new year.
What, Exactly, Does the #AABill Do?
The legislation grants enforcement agencies three distinct powers.
Of the three, the two biggest are the Technical Assistance Notice and the Technical Capability Notice. These outline what is required and mandate that firms provide access to encrypted data if they are able to, or, if they aren’t, build the capability to do so.
As stated earlier, these tech firms and businesses may be penalized up to $7.2 million USD if they don’t respond to the government’s requests. The third power this bill grants the Australian government is referred to as a Technical Assistance Request. This is a voluntary version of the first two powers: compliance is requested rather than compelled by law under the threat of a fine.
Once these encryption-breaking technologies exist for any agency, they’re then a possible avenue for hackers to use across the planet, and we’ve already seen attacks emerge as a result of government breaches. For example, the WannaCry ransomware attack, which compromised both individual and business computers around the world, was enabled when the NSA leaked an exploit in multiple versions of the Windows operating system.
This begs the question: can we really trust our law enforcement agencies to protect our data when we keep being confronted with situations like what occurred with WannaCry?
If governments cannot be trusted to keep their own data secure, how hard will they work to protect the data they want to gather in Australia?
Sam Bocetta
Sam Bocetta is a retired defense contractor for the U.S. Navy, freelance journalist and part-time cybersecurity coordinator at AssignYourWriter. He specializes in finding solutions to seemingly-impossible ballistics engineering problems. Sam writes independently for a handful of security publications, reporting on trends in international trade, InfoSec, cryptography, cyberwarfare, and cyberdefense.
This article was originally published on FEE.org.