At the end of 2018, Australia became the first nation in the world to enact encryption laws requiring companies to provide access to encrypted communications. The new encryption laws, while designed to combat terrorism, cybersecurity threats and criminal activity, are extremely controversial because they would essentially allow law enforcement agencies and federal authorities to conduct surveillance on the users of any social media or online platform, even those that today are encrypted.
Impact of the new encryption laws
Perhaps not surprisingly, both tech companies and privacy rights activists have spoken out about the new encryption laws, suggesting that they will lead to censorship, surveillance and the loss of privacy. Essentially, tech companies would become willing accomplices of the government’s surveillance operations as they go about devising ways to enable the government to snoop on everyday citizens.
It’s important to note here that the new law, even though it has been accused of being part of a “war on encryption,” is not actually anti-encryption. Even though Australian lawmakers rushed through this law at the very end of 2018, they were still smart enough to know that encryption plays a very important role in today’s social media and communications landscape. If you send a text message to someone in your network, you have a reasonable expectation that the message will not be intercepted and read by someone else. Encrypted messages are what make that possible.
So the problem is really not so much about encryption as it is about end-to-end encryption. With encryption, a law enforcement agency can still get access to the message that you sent someone else. With end-to-end encryption, though, the story is different. In that case, only the sender and recipient can ever read the encrypted information. That’s why law enforcement agencies are so concerned – as they see it, terrorists and criminals are gravitating to end-to-end encryption services such as WhatsApp, iMessage, Wickr and Signal precisely because these services enable them to hang out and send messages to each other without worries that someone might be eavesdropping on them online.
Thus, to put the new Australian encryption laws into proper context, it’s really about giving the authorities a way to access encrypted personal messages without doing away with encryption entirely. But you can see the problem here – there is no such thing as a message that is “sort of encrypted.” It’s either encrypted or it’s not. That’s because encryption is a mathematical concept. So that’s what is worrying privacy advocates – as soon as you make a message “sort of encrypted,” you are essentially saying that the message is not encrypted because a smart enough hacker will find a way to read that message. It’s like locking the front door to your house, but purposely leaving the back door unlocked. Someone is eventually going to figure that out and break in, right?
Tech companies asked to provide “technical assistance” to government
To prevent this from happening, the Australian government made it clear that the new encryption laws should not provide a “back door” to hackers. Companies, they say, should not create “systemic weakness” by creating back doors to their technology. Instead, companies should provide “technical assistance” in helping government authorities read encrypted communications. There are three levels of “technical assistance” required. The first is the most basic level – companies should provide technical information about how their products work, facilitate access to services and equipment, and generally make it possible to get access to data or information. Even most privacy advocates would probably agree to this.
But where things get a bit more opaque is with the second level of assistance required by the encryption laws. This requires tech companies to provide decryption functionality wherever technically feasible or practical. This would not apply to end-to-end encryption, because even tech companies can’t decrypt these messages. However, it could require companies to remove one or more layers of electronic protection, or to install special software (such as key logging software or screenshot software) to help intelligence and security authorities read messages as they are being created.
And, finally, there is the third – and very scary – level of assistance required by the encryption laws. This so-called technical capability notice would require tech companies to build entirely new technical capabilities that facilitate snooping and surveillance by security agencies. For example, Amazon might be asked by the government to modify its Amazon Alexa home personal assistant to record continuously, instead of only when asked to by the user. Or, it might even require companies to create a “fake” website that says it’s encrypted when it is really not.
The basic story is clear, then. The new Australian encryption laws essentially force tech companies to build all the functionality required to create a true surveillance state, all under the guise of protecting national security. In all fairness, the Australian lawmakers originally proposed 173 different amendments to the law. Apparently, something about it just didn’t feel right. But it was the end of the year, they were in a rush to get on with the Christmas holidays, and so they passed the encryption laws anyway.
The start of a new worldwide precedent?
The problem, of course, is that other nations around the world could soon follow suit, including the United States and the European Union. Already, India has proposed a new draft law that would go one step further than the Australian law – it would actually force companies like WhatsApp to break encryption entirely. The draft law was designed to enable the tracing of the originators of dangerous or unlawful content online. To make that “traceability” possible, you have to get rid of encryption. Thus, while the Australian law was really designed to take on the problem of end-to-end encryption, the new Indian draft law is designed to do away with encryption entirely. That’s getting into dangerous territory, because it would start to place countries like India into the same basket as countries like China, Russia and Turkey, all of which have banned end-to-end encryption.
So you can see that the new Australian law has potentially set a very dangerous precedent. Some tech companies have suggested that they might pull out of Australia as a form of protest. However, quite frankly, the more dangerous scenario is that they don’t pull out of Australia. That would mean that they are willing to be complicit in the creation of a surveillance state, and are simply banking on the fact that most users won’t have any idea of what’s going on until it’s too late.