Back in July 2017, the Australian Government stated its intention to introduce new legislation that would force companies to decrypt secure messages, and now the details surrounding the proposed laws are finally coming to light.
While Australian telcos already offer a degree of assistance to the country’s law enforcement, providing user data in investigations relating to high-level crime, the government’s concern is that the same cooperation isn’t provided by big tech companies such as Apple, Google, and Facebook, which all offer their own encrypted messaging services.
As such, the proposed bill is intended to request a degree of cooperation in accessing devices or messages from any tech company that operates within Australia, or whose services are made available in the country.
The bill detailed
Many of the new details we’ve learned about the proposed legislation come from an exposure draft of the Assistance and Access Bill 2018, which offers close to 200 pages’ worth of legislative amendments regarding cybersecurity and law enforcement.
The most significant of these – Part 15 of the Telecommunications Act, which is titled “Industry Assistance” – will allow certain high-ranking security officials to formally request access to encrypted communications from the providers of those services.
While the companies being issued the requests are initially only asked to hand over information on a voluntary basis, this can be escalated to an official notice, which would “require” a company to provide the data where it has access to it, or to devise a means of obtaining the data if it does not.
The inherent issue
The latter “technical capability notice” is particularly troubling when it comes to end-to-end encryption, as it hopes to force any company involved in the encryption process to somehow create a decryption solution within 28 days.
The companies affected could include telcos, messaging service providers, physical communications facilities and their staff, or even contracted software developers that happened to have worked on any of these.
Critics of the legislation have previously pointed out that it could undermine the security of end-to-end encrypted messaging, which would otherwise see the communication unconditionally protected until it reaches the recipient's device.
Despite the Assistance and Access Bill mentioning a ban on the use of backdoors – it says it does not want a “systemic vulnerability” to be built into encrypted systems that could then be accessed by anyone with the key – it’s unclear how tech companies will be able to fully comply with the proposed laws without these in place.
Citizens looking to circumvent the bill have been advised to use a VPN service, which will allow them to keep their browsing habits private and secure.
The bill has come in for criticism from leading security experts, with one saying that, "it has such little regard for people's basic right to privacy that it’s becoming increasingly difficult to distinguish from fiction."
"This is not to say that national security isn’t important. Wiping out terrorism, organised crime and paedophilia should always be prioritised, but it shouldn’t take legislation that snoops on everyone and everything to achieve it," said Brad Poole, Consumer Security Expert, HideMyAss!.
"Online privacy is as much of a human right as privacy offline is. While these kinds of bills are alarming, we are seeing growing numbers of everyday web users turn to virtual private networks to stop prying eyes from accessing personal data."
“Encryption is vital for online security,” added Marty P. Kamden, CMO of NordVPN. “In order to be safe on wireless networks, people need to use encryption services, such as VPNs. Encrypted communication apps, such as Telegram, are important for private conversations. Since many businesses have moved online now, the significance of Internet privacy and security has increased, and people should be allowed to use encryption.”
“Opening a backdoor for the government means opening it for other entities capable of exploiting the access as well. It leads to a flood of hacks, stolen information and other forms of abuse. This could jeopardize the privacy of all players involved - individuals, companies, and their clients.”