Developers Worry About Long-Term Effects of Anti-Encryption Law

When the Australian Parliament passed a law last week that gave the country’s government the power to demand access to encrypted communications, digital rights organizations and privacy advocates decried it, while app developers and technology providers began considering their options.

The developers of Signal, a popular encrypted messaging app that’s considered one of the more secure choices on the market, have come right out and said they don’t have a method for inserting a backdoor into the app and wouldn’t do it even if they could. Signal is built in such a way that not only are messages encrypted end to end, but the Signal servers don’t hold any keys for users’ messages. So there’s not really any way for Signal’s developers to create a backdoor or hand encryption keys to a law enforcement agency.

“We can’t include a backdoor in Signal, but that isn’t a new dynamic either. By design, Signal does not have a record of your contacts, social graph, conversation list, location, user avatar, user profile name, group memberships, group titles, or group avatars,” Joshua Lund of Signal wrote on the company’s blog Thursday.

“The end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us. In most cases now we don’t even have access to who is messaging whom.”

Australia’s new bill will give law enforcement agencies in the country broad authority to request technical assistance from technology providers in decrypting secure communications. If a provider doesn’t respond or comply with a technical assistance request, the government can then get a warrant requiring the company to provide the requested services. The bill has drawn pointed criticism from security experts, privacy advocates, and digital rights organizations, and there are concerns that a similar piece of legislation could emerge in the United States soon.

The FBI and other law enforcement agencies have been pushing for technical assistance from technology providers in accessing encrypted communications for many years. Law enforcement officials say that the steady increase in usage of secure messaging apps and encrypted email services, coupled with the moves by Apple and Google to encrypt their mobile devices by default, has created a major impediment to investigators. However, legal experts say that problem often is overstated.

“It’s just factually not true. It’s simply false that law enforcement isn’t getting what it needs. It may be a little harder because of encryption, but look at the San Bernardino case. They got into that phone,” said Nate Cardozo, a senior staff attorney at the Electronic Frontier Foundation. “It may be true that encryption frustrates your local county sheriff.”

Secure messaging apps and encrypted email services have become critical tools for many groups of users, not just the professionally paranoid or technically inclined. Activists, journalists, and many people who live in countries with repressive regimes rely on these tools, as do many other groups of users. Signal’s Lund said that one of the side effects of laws such as the one Australia passed and the similar one passed in the U.K. is that app developers may just decide not to offer their services in those countries to avoid the complications.

“One of the myriad ways that the ‘Assistance and Access’ bill is particularly terrible lies in its potential to isolate Australians from the services that they depend on and use every day. Over time, users may find that a growing number of apps no longer behave as expected. New apps might never launch in Australia at all,” Lund said.

Other secure communications services are concerned about the effects of the Australian law, too. The developers of ProtonMail, an encrypted email service, said that although the service is hosted in Switzerland and isn't subject to the Australian law, that doesn't mean the law exists in isolation.

"Even though A&A is confined to Australian jurisdiction, it sets a precedent with far-reaching dangers to cybersecurity. Online privacy and security are often predicated on trust in the service provider. Australian Parliament has single-handedly undermined global confidence in any software maker with an Australian presence, including Facebook (by extension WhatsApp and Instagram), Google, and Apple," Ben Wolford of ProtonMail said.

The way we protect privacy rights is by helping citizens and lawmakers understand that data security and crime prevention are not opposing ideas. Simply put, encryption prevents far more crimes than it enables. But more importantly, privacy is a pillar of democracy, and encryption is how we ensure our democracy survives. The fact that it also makes our online data safer in the process is an added bonus.