Pass? No, This Encryption Bill Gets a Failing Grade

Fail copy.jpg

The Australian Government’s has pushed through their encryption assistance access bill, using the excuse that potential terrorists use encrypted messaging apps. Believing the notion that a ‘local’ (read national/federal) government can geographically ring fence ‘people-of-interest’ into a group that can be secretly listened is nonsensically out-of-touch. In fact, this rushed bill simply illustrates the government’s profound lack of understanding of technology, the web and the global digital economy, which includes everything from email and ecommerce to banking online. 

The Australian Government’s has pushed through their encryption assistance access bill, using the excuse that potential terrorists use encrypted messaging apps. Believing the notion that a ‘local’ (read national/federal) government can geographically ring fence ‘people-of-interest’ into a group that can be secretly listened is nonsensically out-of-touch. In fact, this rushed bill simply illustrates the government’s profound lack of understanding of technology, the web and the global digital economy, which includes everything from email and ecommerce to banking online. 

Some points to consider:

  • Where is the data stored and where is the company based? The majority of companies that have messaging apps (the use case the government puts forward is needing to listen into encrypted messaging) don’t have meaningful legal presences in Australia, nor do they store their data here.

So, under what legislation would they be compelled to provide the data and functionality?

  • Who is going to change their software? Generally speaking, Australia is, at most 5% of a multinational company’s total revenue (and these are typically providing the messaging services that the government is currently focusing on). There is no commercial incentive for a multinational to hack their technology. 

This is particularly true for what is, essentially, a vague idea cobbled together by a foreign (Australian) government to compel them to secretly give access to some of their customer’s data when said government requests it.

  • Precisely who is being targeted? How many pseudonyms do people have on the web? Ask a company like Facebook or Google and they would likely answer – a lot… a whole lot. 

Using the example used by the Australian government, which focusses on encrypted communication going between individuals, how can the government specify the exact (read correct) username(s) to listen into?

  • Who is going to enable the listening? To enable listening software developers would have to introduce ‘hacks’ into their software to enable backdoor access. If they did they would a) never get a new sale and b) most probably be sued by businesses using their software for breaking the terms and conditions of the confidentiality and data protection/security provisions. 

The reality is a) there are hundreds of thousands of software developers in the market – most of whom deliver some form of encrypted functionality (e.g. accounting packages, bank transfers etc.) and b) there are magnitudes more companies operating said software - and they can be anywhere in world. 

So, how is the hack going to be implemented and who is going to operate on behalf of the government?

  • In what instance is someone declared to be ‘of interest’ and who would control the data if it were to be provided to the government? Since there appears to be no set parameters delineating what data can be asked for and about whom, it is possible that highly confidential business information will be captured. Broadly speaking, governments do not have a stellar reputation around data security and data controls. For instance, rather than only the intelligence service that is doing the investigation having access to the captured data, it would certainly not be impossible for a government IT person to, potentially, access, copy it and post the data elsewhere. 

Without strong, independently verifiable process and data controls there is prodigious potential for abuse of this power.

  • Will there be ‘scope creep’? Once the government has this power what else could it be used for? Recent examples show how broad legislation can have unintended consequences as with the Patriot Act being used by the IRS to track down tax dodgers rather than just being used for anti-terrorist actions.

  • And what about PII (Personally Identifiable Information)? Legislation like the EU’s GDPR (General Data Protection Regulation) are specifically designed to protect users data from abuse by individuals and organisations looking to profit off their data without their knowledge or consent - along with the right to be forgotten (i.e. the removal of their data from the company that had it. 

It is not at all clear how a government attempting to get backdoor access to data and not allowing data to be deleted does not contravene the very ideals of the legislative protection around PII. A potential side effect is that any Australian company complying with the Australian legislation could, in effect, be prevented from doing business in Europe and any other jurisdictions that have these data protection legislations in effect.

It appears that the thinking behind this legislation is from an age group that grew up watching FBI shows in the 70’s and 80’s, where ‘the good guys’ could listen into the ‘bad guys’ in the next room or get a wiretap from the country’s one Telecommunication company (there was only one at that time). 

The world has changed immensely and it is time to wake up, keep up and rethink how to address the global problems of the 21st Century without attempting to recast antiquated ideas.