Australia’s new decryption legislation: another dent in our digital privacy and security
New legislation intended to fight crime gives government agencies the power to invade Australians’ digital privacy, and opens data to attack by hackers.
Imagine Apple secretly giving the federal police access to all your iMessages on your mobile phone. Imagine installing a WhatsApp update, and unknowingly installing a new ‘feature’ that Facebook has built for you alone so that ASIO can freely read even your most intimate conversations. Imagine your Amazon Alexa continuously recording everything it hears in your home and sharing the audio with ASIO.
No, it’s not an episode of Black Mirror. It’s not even futuristic. It’s 2018.
On Thursday, 6 December 2018, Australia's House of Representatives passed a bill that gives new powers to government agencies, including federal and state police. These agencies will soon have the power to co-opt technology companies (like us) to help them spy on Australians through apps and cloud services.
The anti-encryption bill
Unveiled in August 2018, the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, referred to as the Assistance and Access Bill, or, as some call it, the Anti-Encryption Bill, is effectively now law. Or rather, it will be in February 2019, when federal parliament resumes.
After a rushed parliamentary inquiry, the Bill was pushed through by both major parties late on Thursday 6 December. Not incidentally, this was also the final sitting day of parliament for 2018. And it was voted on and passed, despite a record 173 amendments that were introduced only hours before the vote was cast.
Why do we need this legislation, and what’s the rush?
Terrorists, paedophiles and organised criminals are the targets of the legislation, according to (current) Prime Minister Scott Morrison. They commonly communicate using secure messaging apps such as WhatsApp. WhatsApp encrypts or ‘scrambles’ their messages so that no-one other than the intended recipient can read them.
But it's not just criminals that use secure messaging apps. If you have ever used WhatsApp, or sent someone an iMessage (that is, sent a message from your Apple iPhone using the message app to someone else's iPhone), then you too have used encrypted messaging services.
Both the police and ASIO claim, however, that their job is being hampered by encryption. More than 90% of data intercepted by the federal police is reported to be encrypted.
Why the government pushed to have the Bill made law by Christmas, however, remains unclear. Some people speculate that the risk of a terrorist attack rises over the festive season. Either way, the parliamentary process has been a scramble, or as some have described it, a farce.
What the new legislation does
The new legislation gives government agencies (such as ASIO) the power to force technology companies to help them snoop on suspected criminals. This includes device manufacturers (such as Apple) and service providers (such as Google).
They can make three types of requests:
- Technical assistance request: Police could ask a company, or person within a company to voluntarily help by, for example, sharing technical details about a digital service.
- Technical assistance notice: Police could require a company, or person within a company to help by, for example, decrypting a specific message. If they don’t comply, they face a fine. A warrant from a federal court judge is required.
- Technical capability notice: The Attorney General could demand that a company or person within a company modify their software or services, or develop a new function to help them access a person’s data. Big fines apply for non-compliance. Alarmingly, no judicial warrant is required.
Government agencies can use these new powers when investigating any crime that carries a penalty of 3+ years’ jail. In reality, that means that a broad range of offences—not just serious crimes—are covered.
This raises a red flag. If the intention of the Bill is to intercept serious criminals like terrorists, paedophiles and crime rings, then government agencies should only be able to use these powers to spy on people suspected of serious crimes. But that isn't how it reads in the legislation. These new powers can, in the legislation, be used to spy on people for any number of less serious crimes.
Why should I care about this legislation?
You might think that encryption is not a big deal for you, because you don’t use apps like WhatsApp. Or maybe you genuinely don’t care who reads your messages.
But encryption is about more than just message reading. It's used all over the place. Your online banking password is encrypted. Your Gmail password is encrypted. Every time you shop securely online, your credit card details are encrypted. When you log in to Console Cloud, your login details are encrypted.
If we didn't have encryption, it would be much easier for hackers to steal your credit card details. It would be just as easy to access your accounts and for someone to steal your identity.
Encryption, in other words, is there for good reason—it keeps our private information secure. So a law that gives police the power to build a back door into your phone to read your encrypted data, and to do that without a warrant? That's concerning.
How encryption works
‘End-to-end’ encryption is used by iMessage, WhatsApp, Signal and Wickr. When you send a message with these apps, only you (the sender) and the person you are messaging (the intended receiver) can see what’s inside. Even the company who manages the app cannot read it.
Even though your message will travel through many servers on its journey, end-to-end encryption means that no-one can read it along the way. Because even if someone tries to intercept it, it will just look like a garbled string of characters.
The messaging app uses a pair of ‘keys’ to encrypt the message. If you send a message to your sister, for example, the app on your device uses her ‘public key’ to scramble your message before sending it on its way. When she receives the message, the app on her device uses her ‘private key’ to unscramble the message. It’s as if you put the message into her safe and she is the only one who knows the combination.
Encryption software uses complicated maths to make sure that no-one else can crack the code.
What could possibly go wrong?
Under the new legislation, the police could force tech giants such as Facebook (the owner of WhatsApp) to give them access to your phone so that they can intercept your messages before they get encrypted. Similarly, they could get access to the phones of the people you are messaging and intercept your messages AFTER they are decrypted at the other end.
Police could even request that a company hand over a person’s ‘private key’ (their ‘public key’ is already public). Then, having the pair of keys, they could read all your conversations with that person. Apart from it being an invasion of your privacy, the police would need to record the pair of keys somewhere, and this database would be very attractive to hackers.
But the biggest issue with the new legislation relates to the technical capability notice, whereby the police could force a tech company to modify its product to allow the police to secretly spy on you. The concern is that a ‘back door’ built especially for police would most likely be detected by hackers. This would spell disaster not just for you, but for the tech company and all its users.
The Bill does prohibit the creation of product changes that, if hacked, would make lots of users vulnerable. However, it does not define what 'lots of users' actually means. The Bill simply refers to avoiding the creation of ‘systemic weaknesses'. But creating a secret entrance for police that can never be discovered by hackers? That is a huge challenge.
It’s not surprising then that the Digital Industry Group Inc—the peak body representing tech giants Facebook, Google, Twitter and Amazon—campaigned against the Bill.
What the new legislation means for Console
According to Tim Singleton Norton, the Chair of Digital Rights Watch: “These laws are deeply flawed, and have the likely impact of weakening Australia’s overall cyber security, lowering confidence in e-commerce, reducing standards of safety for data storage and reducing civil right protections. In their very design, they are antithetical to human rights and core democratic principles.”
Of course, at Console, we accept that strong measures are needed to combat serious crimes. Our position on the Bill, however, is that this law jeopardises the security of the internet in a way that is neither intelligent nor ethically sound.
Fortunately, property management software is unlikely to be the first, second, or even third target of hackers. Console Cloud is and remains a secure, cloud-based trust accounting platform. However, we will be paying very close attention to the Bill when it is debated in February 2019. We expect there to be more last-minute changes to the legislation when parliament returns. And we’ll be sure to keep you up to date with those changes as we learn about them.
In the meantime, if you are as concerned as we are about potential risks to your data, contact your local MP and let them know.