Australia Passes Encryption-Busting Law
Government Can Force Technology Companies to Break Encryption
Australia's Parliament on Thursday night passed sweeping new laws enabling it to compel technology companies to break their own encryption.
Although the government argued the laws are needed to combat criminal activity and terrorism, civil liberties organizations and technology companies, including Apple, had lobbied against the legislation, called the Assistance and Access Bill 2018, contending it would result in weaker software products for legitimate users.
Critics worried that software vendors would be forced to put "backdoors," or secret access methods, into their products, which could be discovered and exploited by cybercriminals or nation-states (see: Tech Companies Bristle at Australia's Crypto Legislation).
The government contends the legislation can't be used to force "systemic" vulnerabilities to be built into products and also can't be used to stop a company from fixing a software vulnerability. But critics say the definition of systemic within the law isn't precise and leaves large leeway.
The law "perpetuates the myth that cybersecurity can be broken just a little just for targeted people or technologies," writes Vanessa Teague, an associate professor of cybersecurity at the University of Melbourne, on Twitter.
It perpetuates the myth that cybersecurity can be broken just a little just for targeted people or technologies (see (17)). Nobody listened to anything that any of the technologists told them about the disastrous implications of undermining our cybersecurity. #aabill #auspol — Vanessa Teague (@VTeagueAus) December 6, 2018
It initially looked uncertain on Thursday, the last sitting day of Parliament, if the legislation would pass due to opposition from the Labor Party. But in a last-minute compromise, Labor withdrew amendments that aimed to restrict how the powers could be used.
The Coalition government, under Prime Minister Scott Morrison of the Liberal Party, had expressed a desire to see the legislation passed this year, contending that a delay could put the public at risk.
After the law passed, Labor Party leader Bill Shorten called it "unsatisfactory." But he said his party passed it on the condition that the Coalition government consider amendments to it in January, according to a video on the ABC.
"We are not going to go home and leave the Australian people on their own over Christmas with inferior laws of national safety," Shorten said.
The law creates three flavors of notices. The least aggressive one is a technical assistance request, which asks for voluntary cooperation. The second level is a technical assistance notice, which requires an organization to comply with a decryption request if it is technically feasible.
The last and most stringent one is the technical capability notice, which must be approved by Australia's attorney general. Organizations receiving that kind of notice are compelled to build a new capability to give assistance to the government. The government has said that this kind of order does not mean a company must remove encryption if it is not possible to do so.
The Australian government is primarily interested in cracking messaging products to aid in criminal investigations. But in recent years, due to rising incidents of data breaches and criminal activity, software companies have sought to ensure that content transmitted within those products is shielded by encryption if messages are intercepted.
Companies including Apple, Facebook's WhatsApp, Wickr and Signal have created systems for which the encryption and decryption keys are held only on the devices. That means that while the content could be intercepted or obtained via a warrant, it couldn't be read in plain text without the keys.
One alternative is to seize a suspect's phone, and then authorities could try to persuade the person to turn over their passcode. But if the suspect is dead, as was the case in 2015 with Syed Rizwan Farook, the shooter in a San Bernardino, California, incident, authorities may not be able to unlock the phone. In that case, the U.S. Justice Department obtained a court order that compelled Apple to create a special version of iOS that would remove the security protections on Farook's phone. Apple opposed the order, which CEO Tim Cook equated with creating cancer.
But the case was dropped after investigators eventually found a way to unlock the phone, presumably using a software vulnerability (see: FBI Unlocks iPhone; Lawsuit Against Apple Dropped).
Major technology companies could soon begin receiving notices under the new law. Liberal lawmakers contended that the new powers were needed to protect Australians over the Christmas holidays, a soft intimation of a pending security threat.
It also may not be evident when the powers are invoked. The law also creates new penalties for resisting or disclosing such notices, which critics have argued could prevent whistleblowing on whether the powers are being misused.
If/when the #aabill passes how many multinational software and security companies will have to consider restricting access to their codebase and servers from Australian subsidiaries to protect the integrity of their systems, Australia will have become one giant systemic weakness. — Chris Culnane (@chrisculnane) December 6, 2018
The laws could also have broader implications for trust in Australia's software industry, says Chris Culnane, a cybersecurity expert and lecturer at the University of Melbourne.
Culnane questioned on Twitter prior to the bill's passing "how many multinational software and security companies will have to consider restricting access to their codebase and servers from Australian subsidiaries to protect the integrity of their systems. Australia will have become one giant systemic weakness."
There are also worries that Australia's move could spur other governments to adopt similar laws with perhaps less oversight.
"The real problem with the Australia encryption bill is that it will pave the way for social proof - 'Australia did it and nothing bad happened'," writes Jake Williams, founder of Rendition Infosec, an Atlanta-based security consultancy. "But it will certainly be abused in ways the public can't see. Nonetheless, other governments will use it as justification to go ahead."