Australia's foolish encryption experiment
- Australia just rushed through anti-encryption legislation that is at best useless and at worst downright dangerous.
- It seeks to do the impossible, providing secure access for police while keeping malicious actors out.
- The people supposedly targeted by the legislation will be able to circumvent it relatively easily.
- It will fall back on targeting points where information is not encrypted, something it already had the power to do.
- However, it will still have very real, if difficult to calculate, economic and social costs.
- If properly implemented, the Australian technology sector will suffer the most, but it will be largely unseen.
- Every Australian is now exposed to unintended consequences, such as data theft.
- What could possibly go wrong? I offer some predictions.
I try not to dabble in day-to-day events, especially when politics are involved. But Australia’s parliament just passed legislation, with the full support of both major parties I might add, that is at best useless and at worst downright dangerous. It’s called the Assistance and Access Bill (AAB), and here’s why it’s so bad.
It seeks to do the impossible
According to TechCrunch:
The bill, in short, grants Australian police greater powers to issue “technical notices” — a nice way of forcing companies — even websites — operating in Australia to help the government hack, implant malware, undermine encryption or insert backdoors at the behest of the government.
The problem is that it’s impossible to provide a secure way to allow law enforcement in while simultaneously keeping malicious actors out. If the government goes ahead with mandating backdoors in encrypted software - one of the problems with the AAB is it’s ill-defined, so its reach could be tiny or enormous - it undermines the security of everything from your loyalty cards to your banking details.
While no one can be sure, I suspect the technical difficulties and security risks of mandating backdoors will be a bridge too far for Australia. More likely it’ll go with what I call the “wrench” strategy, whereby it’ll metaphorically beat people and corporations into backdooring specific people, or into blocking access to popular encrypted applications entirely.
The wrench strategy
The people supposedly targeted by the AAB - the “criminals, the terrorists, the paedophiles”, as Home Affairs Minister Peter Dutton described them - will be able to circumvent it relatively easily. If you have something to hide, it’s not difficult to independently acquire or develop your own encryption without relying on a third-party. Sharing files could be done with something as simple as an AES-256 encrypted 7-Zip archive. For chats, a relatively easy option would be the XMPP protocol with off-the-record (OTR). Email communication could be secured with PGP via GnuPG.
Even if it tried, the Australian government wouldn’t be able to compel foreign individuals or companies which derive little (if any) revenue from Australia, have their full source code available online (open source) and are generally privacy advocates, to backdoor their products. No number of local laws will change that fact. I already use several of these services (e.g. Signal, ProtonMail, Standard Notes) and I’m sure plenty of other “innocent” people, concerned about the privacy violations committed by the likes of Facebook, do as well.
I admit it’s a different story for major corporations. End-to-end encrypted services may refuse to comply with the AAB (although I suspect Facebook will melt faster than a snowball in hell), forcing the government to lean on Apple or Google - through their App/Play Stores - to deny Australian users access based on their geolocation (or inject malware themselves). It wouldn’t be the first government to do so: a messaging app called Telegram was banned in Russia for refusing to turn over its private keys.
But if all else fails - as it will for the vast majority of encrypted applications - the government will need to take its wrench to the end points where information is not encrypted (e.g. the user, or his/her device), something it already had the power to do.
It was rushed
Despite having nearly two years to debate and consider numerous issues relating to the AAB, it was rushed into law before Christmas to avoid an “egg on face” political moment. You see, if an attack occurred over the holiday season - regardless of whether the AAB would have done anything to prevent it - the governing Liberal party would be able to call the opposition Labor party “weak on national security”. 2019 is an election year, meaning as usual political incentives triumph over logic, reasoning and the people of Australia.
The laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia.
The above quote is from former Prime Minister Malcolm Turnbull, who was defending the AAB way back in the middle of 2017. It was a silly thing to say but it has also been taken out of context by privacy advocates, which did them no favours.
What Malcolm Turnbull meant was that people living in Australia have to obey the laws of Australia. The laws of mathematics always apply, but if you’re heavily fined or even incarcerated for using them, then there’s a good chance Australians won’t be building or using products based on the laws of mathematics. Not only that, but foreign companies may not want to develop or launch their products in Australia if their own and their clients’ data are at risk.
Now that it’s law, the AAB will have very real, if difficult to calculate, economic and social costs.
It leaves people exposed
The target of the AAB (I think; it’s deliberately opaque) is end-to-end encryption, which works as follows (image courtesy of ProtonMail):
The AAB was designed to circumvent the above without “breaking” encryption, which was its original intent. For example, the government may try to compel providers of encrypted services to inject a second, hidden public key right at the beginning of an encrypted conversation. In the above case, Bob would believe he’s encrypting his message only for Alice, but in reality he’d be encrypting it for the government as well. It’s a strategy the British have publicly discussed, and the Americans have already tried (ibid).
In a world of encrypted services, a potential solution could be to go back a few decades. It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call… The service provider usually controls the identity system and so really decides who’s who and which devices are involved - they’re usually involved in introducing the parties to a chat or call. You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication.
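A client-side check that makes the extra "end" described above visible, as an added example that is not part of the original post: before encrypting, the sender's client compares every key the provider serves with fingerprints the participants confirmed out of band. The function names, device labels and 32-byte stand-in keys are constructed assumptions, not any real messenger's API.

```python
import hashlib

def fingerprint(public_key: bytes) -> str:
    """Readable SHA-256 fingerprint of a raw public key (first 128 bits)."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

def audit_recipients(served_keys, verified):
    """Split the provider's key list into trusted and unverified entries.

    served_keys: {device_label: public_key_bytes} as served by the provider.
    verified: {participant: set of fingerprints confirmed out of band}.
    Returns (trusted, unverified), each a list of (label, fingerprint).
    """
    known = set().union(*verified.values())
    trusted, unverified = [], []
    for label, key in sorted(served_keys.items()):
        fp = fingerprint(key)
        (trusted if fp in known else unverified).append((label, fp))
    return trusted, unverified

def safe_to_send(served_keys, verified):
    """Fail closed: block on any unverified key, and also when a verified
    participant has no matching key left in the list (a silent swap)."""
    trusted, unverified = audit_recipients(served_keys, verified)
    served_fps = {fp for _, fp in trusted}
    missing = [who for who, fps in verified.items() if not fps & served_fps]
    return not unverified and not missing

# Constructed sample data: 32-byte stand-ins for real public keys.
ALICE_KEY = bytes.fromhex("a1" * 32)
BOB_KEY = bytes.fromhex("b2" * 32)
EXTRA_KEY = bytes.fromhex("e5" * 32)  # the hidden extra "end"

VERIFIED = {"alice": {fingerprint(ALICE_KEY)}, "bob": {fingerprint(BOB_KEY)}}
HONEST = {"alice-phone": ALICE_KEY, "bob-laptop": BOB_KEY}
TAMPERED = {**HONEST, "alice-phone-2": EXTRA_KEY}  # key added under Alice's name
SWAPPED = {"alice-phone": EXTRA_KEY, "bob-laptop": BOB_KEY}  # Alice's key replaced

if __name__ == "__main__":
    for name, served in (("honest", HONEST), ("tampered", TAMPERED),
                         ("swapped", SWAPPED)):
        _, unverified = audit_recipients(served, VERIFIED)
        verdict = "send" if safe_to_send(served, VERIFIED) else "BLOCK"
        print(f"{name}: {verdict} unverified={unverified}")
```

The check only helps if the client actually shows the key list to the user and the fingerprints were compared over a channel the provider does not control.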
Businesses operating in Australia will have to comply with requests such as the one above and it will have unintended consequences. But practically none of the providers of encrypted communication have servers in Australia, meaning the AAB will be difficult if not impossible to enforce in the vast majority of cases.
Fortunately, there is virtually no way to enforce this law outside of Australia because it has no foreign equivalent. ProtonMail, a Swiss company with datacenters only in Switzerland, is not under Australian jurisdiction. Any request for assistance from Australian agencies under the A&A [AAB] law would need to pass the scrutiny of Switzerland’s criminal procedure and data protection laws. Tech companies with a corporate presence in Australia however, are more likely to be impacted.
I’m not a betting man but if I were, I think the following outcomes are most likely to occur:
- The Australian technology sector will suffer, but it will be largely unseen. Just the existence of the AAB means clients outside of Australia cannot be sure their data are secure. Australian coders and tech entrepreneurs will increasingly have to move overseas.
- Large foreign companies such as Facebook will fold and give the government secret access to their users’ conversations. Apple will refuse.
- At some point in the future, a request made through the AAB and the subsequent security hole (e.g. poorly implemented malware) will result in the theft of hundreds of thousands of users’ private data.
- Very few criminals, if any, will be apprehended as a direct result of the AAB, nor will any terrorist attacks be thwarted because of it.
Benjamin Franklin wrote that “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety”. The worst thing about the AAB is there is no demonstrable gain to safety, with Australia’s politicians almost unanimously trading their constituents’ liberty for a few magic safety beans.
As a “nothing to hide” passive consumer of encryption, whether through WhatsApp or even TLS (the padlock next to a website’s name), you are the target of the AAB: not of the Australian government, but of criminals or foreign governments that will, at some point in the future, be able to exploit poorly implemented or undermaintained vulnerabilities injected into the numerous applications you use on a daily basis.
The whole AAB debacle, from inception to implementation, reads like a bad joke. But I suppose it was to be expected from the same politicians under whose watch hundreds of top secret cabinet documents were found in two locked filing cabinets at a second-hand furniture store.
What could possibly go wrong?
Note: The festive season draws near and I will be travelling over the next two weekends. I hope to get at least one article out over that period but if not, now you know why.