New Australian Law Poses Risk to Encrypted Services

In a move that has been looming for more than a year, the Australian parliament has passed a law that will require technology companies to give law enforcement agencies access to encrypted communications, such as emails and texts.

The law provides broad powers for the government, and will force technology providers to find a way to comply with a warrant for encrypted communications or risk substantial fines. Although the new law requires companies to provide technical assistance and access to target communications, it does not have any language that would require vendors to build backdoors in encryption systems. In fact, it has specific language that prevents the government from demanding technology providers introduce a “systemic weakness or systemic vulnerability” into their products in order to provide access for law enforcement.

Australia’s bill has security and privacy advocates worried, especially in light of continued calls for similar legislation in the United States and other countries. In September, the governments of the Five Eyes countries (U.S., U.K., Canada, Australia, and New Zealand) published a statement on encrypted communications and the problems they cause law enforcement agencies. In the statement, the governments made it clear that if technology companies weren’t willing to provide voluntary assistance, then legislation would be forthcoming.

“Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions,” the statement says.

The Australian Parliament said in the description of the new law that it was a direct result of law enforcement agencies not getting the technical assistance they believe they need.

“The Government is responding to the impediment that the increasing prevalence of encrypted data and communications represents to available investigative and interception capabilities,” the bill’s summary says.

How technology companies will be expected to comply with technical assistance requests or warrants resulting from the new law is the big question. In many cases, including end-to-end encrypted services such as Apple’s iMessage and the Signal messaging service, the providers themselves do not hold the keys needed to decrypt users’ communications, so they cannot hand over plaintext even when served with a warrant. And many providers, most notably Apple CEO Tim Cook, have said publicly that they won’t compromise users’ security in the name of government surveillance.

“We’ve seen some pretty strong statements from [Apple CEO] Tim Cook on this. Apple has the most cash on hand of any company in history. If Australia gets in a game of chicken with Apple, it’s not clear to me that Australia would win,” Senior Staff Attorney Nate Cardozo of the Electronic Frontier Foundation said in September.

“These companies’ other option is to capitulate and give every petty dictatorship a backdoor so they can do business there.”

While Apple and other wealthy companies may have the money and corporate will to resist these new laws, that path isn’t available to everyone. Some companies can afford not to do business in a given country or to go through lengthy legal fights, but there are plenty of smaller companies and projects that can’t do that.

“But what about other services, who refuse to compromise their users’ security? What about the open source projects that will ask their Australian contributors to stop working on their security code, and businesses who will choose not to employ Australian developers, or decline to open offices in that country?” wrote Danny O’Brien, international director at the EFF.

“There can be only one step after you’ve compelled the big companies to agree to your back-doors, and that is to criminalize those truly secure services who prefer to follow the ‘laws of mathematics’ instead of ‘the laws of Australia’.”