Cryptology experts fear that contentious Australian laws that require tech firms to give security agencies access to encrypted data could be exploited by the same terrorists and criminals they are supposed to entrap.
Passed by federal parliament Thursday, the Assistance and Access Bill is likely to be copied in some form by other Western countries as part of an effort to redefine attitudes to the regulation of online communications.
Attorneys-general from the United States, United Kingdom, Canada, Australia and New Zealand laid down the new parameters during talks on Queensland’s Gold Coast in September that issued three documents, including a communique that said vendors had a “mutual responsibility” to help in law enforcement.
“Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative, or other measures to achieve lawful access solutions,” the document warned.
It also “reiterated the importance of industry investment in human and automated detection capabilities, underscoring the need for major companies to set industry standards and to help smaller companies deploy these capabilities [and] for increased efforts to counter foreign interference and disinformation conducted via online platforms.”
These same five countries comprise the so-called “Five Eyes” partnership that shares signals intelligence, so there is an obvious security aspect to the regulatory crackdown. The laws are intended to give police “back door” access to encrypted communications used by terrorists and criminals.
This would likely involve installing a screen-capturing application on a suspect’s mobile phone, or software that lets police track suspects through the GPS capabilities their phones already have.
Australian Attorney General Christian Porter said security agencies would mostly be targeting messaging systems like WhatsApp, Wickr, Signal and Telegram.
“They are the stock-in-trade of drug dealers and drug importers, and so we need to be able to deal with that fact,” Porter argued. Individuals or firms that fail to hand over data could face fines of up to US$7.3 million.
But the industry sees only an unwanted intrusion that could backfire.
“If there’s a back door, then it’s not only the good people that can use it,” Michail Maniatakos of New York University’s Center for Cybersecurity told the Australian Broadcasting Corporation. “There’s no guarantee this back door won’t be abused by the people you want to protect [yourself] from.”
About 50% of messages sent by companies and individuals in Australia on applications like WhatsApp are encrypted, so a lapse by security agencies could have commercial ramifications. Then there is the privacy angle that will create an ethical dilemma for firms forced to comply with the laws.
Multinational technology firms may pack up and leave Australia rather than be compelled to install spyware on their networks and devices, the Communications Alliance warned before the regulations were approved. Its members include Apple, Nokia, Google, Inmarsat, Optus and Huawei.
Alliance chief executive John Stanton said the laws would be a “threat to the cybersecurity of all Australians” because of the lack of oversight and obsessive secrecy that could effectively leave companies in the dark.
“It’s possible, for example, that an engineer in a telecommunications company could be ordered to alter the network or services to create vulnerabilities or backdoors and not be able to tell senior management about that,” Stanton said.
“Similarly, device manufacturers could be ordered to install spyware onto devices they’re selling into Australia and not be allowed to tell the end users, or the companies selling those devices, that they had also been compromised.
“It’s very hard to counter potential threats if you’re prevented from knowing that they’ve even been installed to your services or products. It leaves the companies in quite an invidious situation,” he said.
The opposition Labor Party, expected to win a general election around May next year, pushed through an amendment that allows tech firms to challenge orders to provide access if they believe it will create a “systemic” weakness in their products, but does not say how this would be defined.
An appeal by tech companies would be heard by a panel of two people — an “expert in the area” and a retired federal or Supreme Court judge. But the government and company would have to agree on who they were.
Labor has promised further changes, including improvements in oversight, when parliament reconvenes briefly before the election. However, these are unlikely to address the core privacy concerns raised by users and the industry.
Tech firms in the US, Canada, UK and New Zealand will be watching closely.