social-media-mobile-apps-ss-192020180725151438 — The Australian government is one step closer to cracking encryption. Photo: TechNews

The Australian government has passed anti-encryption legislation compelling companies to grant authorities access to encrypted information, in a move analysts say will have vast implications for digital privacy.

The new law, which passed the Senate 44-12 this week (final bill here), will force companies to reveal technical characteristics of digital systems that could help intelligence agencies exploit weaknesses that have not been patched.

BACKGROUND

According to the Australian government, accessing encrypted information and technology has “become a vital necessity in the number of terrorist investigations and other high-level criminal cases recorded” over the last decade.

Because of this, Australian intelligence agencies need assistance from tech companies and individuals involved in the supply of communications services and devices to ‘solve this problem’, according to the authorities themselves.

Following consultations with a range of international and domestic companies about proposed reforms, the Assistance and Access Bill 2018 would be introduced in August to many criticisms from privacy advocates and technology experts all over the world.

The new laws will require providers to offer up details about technical characteristics of their systems, such as apps, websites or devices, that could help intelligence agencies exploit weaknesses that have not been patched.

This includes installing software, and designing and building new systems if necessary to crack the secure end-to-end encryption, and proposes ways for technology companies, software developers and others third-parties to assist with access to information.

Following brief discussions after the release of a Explanatory Document, the legislation was rushed through Parliament before the holiday season begins, as the opposition party ultimately capitulated into supporting the bill.

Bill Shorten supported the government argument that delaying the legislation until next year would threaten the country’s national security.

DETAILS OF THE BILL

According to the laws, fines will apply to those organisations who oppose or refuse to comply with demands from authorities.

Under the first half of the new laws, Australian government agencies would be able to issue three kinds of notices to tech companies:

Technical Assistance Notices | TAN
These are compulsory notices for a communication provider to use an interception capability they already have.

Technical Capability Notices | TCN
These are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices.

Technical Assistance Requests | TAR
These have been described by experts as the most dangerous of all, as the assistance requests are not constrained by the same limitations as the notices in what agencies can ask for, neither are they part of annual reporting.

These options will compel a private companies to create new interception capabilities so no communications data is completely inaccessible to the government.

The new measures would force communications providers to work extensively with government agencies to gain access to a target’s data if it was in their power to do so.

These options listed above – for all intents and purposes – are requests for providers to create a backdoor into their encryption platforms, despite authorities continue to deny this is the case, maintaining individual safeguards will remain secured.

The government has adamantly denied the bill requires the creation of “backdoors”, and the legislation itself stipulates it cannot demand the creation of a tool that results in a “systemic weakness”.

Of course, many experts suggest these are games of semantics with there being no way a function can be built to access encrypted communication that doesn’t result in a “systemic weakness” being created.

Even a basic understanding of secure e2e encryption instantly brings to light the problem with this proposal. Government agencies are trying to weaken encryption, yet maintain the fundamental basis it was built upon – this is not possible.

The second half the new legislation also amends the computer access provisions in the ASIO Act to address particular ‘operational challenges’, as agencies currently need to use other powers and techniques to access information at points where it is not encrypted.

The bill will enable ASIO to intercept communications for the purpose of executing a computer access warrant, with schedules 2 to 5 addressing capability gaps and how to strengthen agencies’ “alternative-collection” capabilities.

This includes a permit for ASIO to temporarily ‘remove a computer or thing’ from a premise, for the purpose of executing a warrant, and to return that computer or thing, and enable ASIO to take steps to conceal its access following the expiry of the warrant.

The legislation offers major concerns in regards to the security of sensitive information based on these premises, with experts saying that it opens up a pandora’s box of information for the Five Eyes Alliance.

RESPONSE

The new legislation is undoubtedly problematic, in a variety of ways, however, the Australian Senate rushed the bill through on the final sitting day for the year, amidst a whirlwind of political games and sniping.

Earlier this year, in a submission to the Australian Parliament, Apple condemned the proposed legislation calling it “extraordinarily broad” and “dangerously ambitious”.

Similarly, a large range of other leaders from the technological and digital world also united to criticise the Australian government, stating that forcing companies to embed some kind of backdoor to encrypted data fundamentally weakens security for everyone.

The legislation may be impracticable from an implementation perspective, but the tech business sector in Australia has also raised concerns over how it will affect local firms competing in the international market.

James Turner, an Australian cyber-security expert, recently spoke on this:

“Any Australian technology company trying to crack an overseas market will inevitably have their local competitors hold up this legislation as Exhibit A as to why Australian vendors should now be treated with caution, if not suspicion.

That’s not great for our export market, and I suspect the impact of that will be quite costly. There will be deals we don’t win where our legislation may be raised as the block.”

The bill was also quickly introducing the Bill to Parliament during the midst of a ‘strawberry scandal’ after public submissions, and the final vote in the Senate to pass the Bill was 44-12, with Labor and the Coalition voting for it.

For more TOTT News, SUBSCRIBE to the website on the right hand panel for FREE and follow us on social media for more exclusive content:

Facebook — Facebook.com/TOTTNews
YouTube — YouTube.com/TOTTNews
Instagram — Instagram.com/TOTTNews
Twitter — Twitter.com/EthanTOTT