Australia’s vague anti-encryption law sets a dangerous new precedent

australia assistance and access

On Thursday, the Australian government and its Labor partners rammed a shockingly invasive anti-encryption law through Parliament, over the objections of experts, businesses, and civil rights groups.

The Assistance and Access (A&A) law requires tech companies to help law enforcement agencies break into individuals’ encrypted data. Using secret warrants, the government can even compel a company to serve malware remotely to the target’s device.

The goal of the law is to give police more latitude to investigate criminals using encrypted communications software. But Assistance and Access goes far beyond that. It endangers the security of everyone who uses online services, it weakens civil rights like privacy and due process, and it places an unprecedented burden on tech companies to attack the very users they set out to serve.

There is nothing new about a government seeking to break encryption. From the British Investigatory Powers law to the NSA’s possible decryption programs, law enforcement agencies around the world are working hard to gain an edge over information security technology. But Australia’s new law goes much further, deputizing tech businesses as accomplices in a surveillance scheme so loosely conceived that no one really knows its limits. “The definition of ‘acts or things’ in the Bill is so vague as to potentially permit almost limitless forms of assistance,” the Australian Human Rights Commission wrote to Parliament.

Does the Assistance and Access (A&A) law impact ProtonMail?

Fortunately, there is virtually no way to enforce this law outside of Australia because it has no foreign equivalent. ProtonMail, a Swiss company with datacenters only in Switzerland, is not under Australian jurisdiction. Any request for assistance from Australian agencies under the A&A law would need to pass the scrutiny of Switzerland’s criminal procedure and data protection laws. Tech companies with a corporate presence in Australia however, are more likely to be impacted.

But just because this particular law does not affect ProtonMail and ProtonVPN does not mean we are indifferent. A&A is one of the most significant attacks on digital security and privacy since the NSA’s PRISM program. But the Australian measure is more brazen, hastily forced through Parliament over the loud objections of every sector of society, from businesses to lawyers groups. We thoroughly condemn the new law, and as the world’s largest encrypted email provider, we remain committed to protecting our users anywhere in the world, including in Australia.

What’s wrong with the Assistance and Access law?

The Australian government had been an outspoken advocate for encryption backdoors, requiring tech companies to build systematic weaknesses in their encryption to allow law enforcement in. Privacy advocates successfully argued that there is no such thing as a backdoor that only lets the good guys in. So the government went back to the drawing board. The result is the Assistance and Access law.

From the center-left to the far-right, Australian lawmakers voted Thursday to break encryption once and for all. While the law does not technically require a backdoor, it would require companies to help police build software capable of decrypting a targeted user’s data (i.e. with targeted malware).

But the law is extremely confusing and vague, so it is difficult to know how it will be interpreted in practice. The Australian Computer Society, a trade association for IT professionals, outlined several problems in their letter to Parliament. To paraphrase a few:

  • Not every company has the technical know-how to safely implement malware that won’t accidentally backdoor the entire product (particularly with IoT devices), putting the security of people’s homes and organizations at risk.
  • Businesses can’t easily plan or budget for possible covert surveillance work with the government.
  • A companion “explanatory document” outlines some safeguards to protect civil rights and privacy that don’t actually appear in the law itself.
  • Once police have gained access to a suspect’s device, they could easily remove evidence from the device that could prove the person’s innocence. There would be no way to know.

These are just a few of the issues, and that’s barely scratching the surface.

The Assistance and Access law makes us less safe

A&A forbids the implementation of “systemic weaknesses,” but the law does not adequately define the term. Without a better definition, police could deploy tactics that result in unintended consequences. In our view, this is one of the most dangerous aspects of the law.

To illustrate this danger, the Australian Human Rights Commission described a potential scenario in which police order Facebook to send a push notification to a single user asking that person to install a software update. This in itself would not constitute a systemic weakness, but if large numbers of Facebook users stop downloading software updates (including security updates) because they’re afraid of government spyware then that could create systemic weaknesses.

Even though A&A is confined to Australian jurisdiction, it sets a precedent with far-reaching dangers to cybersecurity. Online privacy and security are often predicated on trust in the service provider. Australian Parliament has single-handedly undermined global confidence in any software maker with an Australian presence, including Facebook (by extension WhatsApp and Instagram), Google, and Apple.

The law’s easy passage may also encourage other governments to create their own versions. But because Australia is a member of the Five Eyes intelligence-sharing arrangement, some foreign intelligence agencies may not even have to wait to reap the benefits. The governments of the US, UK, Canada, and New Zealand can gain access to whatever information Australian spies collect using their new A&A powers.

Protecting encryption in the wake of Assistance and Access

We are not opposed to law enforcement, and we respect the important role that law enforcement has to play in ensuring security both online and offline. Similarly, many law enforcement officials also understand the importance of technologies like end-to-end encryption, and many even use ProtonMail themselves. As we have previously noted, the widespread use of encryption can actually further governments’ national security goals. It is critical that we strike the right balance. In our opinion, the A&A law does not do this, and in the long run, will make us all less safe.

The solution is education. The way we protect privacy rights is by helping citizens and lawmakers understand that data security and crime prevention are not opposing ideas. Simply put, encryption prevents far more crimes than it enables. But more importantly, privacy is a pillar of democracy, and encryption is how we ensure our democracy survives. The fact that it also makes our online data safer in the process is an added bonus.

For these reasons, we remain committed to our mission to expand access to privacy and security online. You can support these efforts simply by switching to a ProtonMail secure email account and educating those around you about why privacy and security matter.

Best Regards,
The ProtonMail Team

 

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support!

About the Author

Ben Wolford

A journalist by training, Ben has reported and covered stories around the world. In 2014, he founded a magazine, Latterly, devoted to international reporting on human rights. He joined ProtonMail to help lead the fight for data privacy.

 

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>