A few people have asked me about my views on the recent Assistance & Access (A&A) bill passed by the Australian parliament. A&A, an amendment to the Telecommunications Act of 1997, gives new powers to ASIO and other law enforcement and intelligence agencies to circumvent end-to-end encryption in technology (such as WhatsApp) and wiretap suspected criminals, e.g. terrorists.
In short, intelligence agencies can now compel companies such as Facebook, Apple, and Google to secretly install backdoors in their software in order to enable wiretapping. It is allegedly the first of its kind in any democratic country, providing powers greater than those of the UK Investigatory Powers Act, which was considered incompatible with EU civil liberties and privacy laws.
Whilst I wholeheartedly agree with the need to fight terrorism, giving government authorities the ability to install trojans and other backdoors in hardware and software is not the solution. There are 5 key reasons for this:
- It derails the trust in one of our greatest sources of future prosperity in Australia: our technology industry. Australian technology start-ups are booming, as evidenced by Xero, Atlassian, and Canva. The prospect of government-funded backdoors could severely hurt their reputation. In addition, we run the risk of large technology companies such as Google and Facebook, significant employers of Australian talent, pulling the pin on local presence in order to avoid the new legislation.
- It undermines our democratic right to privacy. In an open, democratic society, people have the right to privacy and free speech without fear of government surveillance. If we keep chipping away at our democratic rights, we end up being no better than the totalitarian regimes we set out to fight in the first place.
- It is insecure by design, opening the door for criminals to leverage the same backdoor. Security holes, backdoors, and mathematics in general do not discriminate based on who the user is, because they can’t. The backdoors imposed by government officials are secretive, until they are not. Yes, there are legal provisions that make it illegal for anyone to leak information about an introduced backdoor, but every time a new update is pushed unexpectedly by a software vendor, we can expect malicious attackers to start scanning applications for security holes.
- It is ineffective, only addressing a subset of use cases. Yes, criminals can no longer use or trust WhatsApp and similar proprietary services with operations on Australian soil. However, the legislation doesn’t consider how copylefted and open source software such as Linux, OpenSSH, or critical infrastructure libraries such as OpenSSL will work. Theoretically, if a backdoor is introduced in open source, it will be visible to everyone immediately, rendering it useless. Will the Government fly officials to Canada to tell Theo de Raadt to install government backdoors in order to avoid criminals communicating secretly via an SSH tunnel?
- It is a non-technical solution to an inherently technical problem – square peg, round hole. The debate and public commentary suggest that the majority of politicians did not understand the context and ramifications of what they were voting on. It’s great that they agree on the broad outcome required (we need better access to wiretaps), but it doesn’t make the underlying technical problem go away (the laws of mathematics). Adding to this, the law was rushed through without due debate and broad consultation.
I will end this post with a quote from ProtonMail’s write-up on A&A:
“On Thursday, the Australian government and its Labor partners rammed a shockingly invasive anti-encryption law through Parliament, over the objections of experts, businesses, and civil rights groups.”