Published on the 18/12/2018 | Written by Pat Pilcher
But will the new law work?...
Australian Signals Directorate (ASD) Director-General, Mike Burgess has lashed out at what he claims is misinformation around the Access and Assistance Encryption legislation that recently passed into law, saying that much of the debate to date has been ‘hyperbolic, inaccurate and influenced by self-interest, rather than the national interest’.
The response, in a blog post, came in the form of a series of ‘myth-busting’ statements. Burgess took exception to the most commonly cited concern with the new law, namely that Australian companies could end up moving their operations offshore, saying that was at best a case of flawed logic.
“Australia is not the first country to enact this sort of legislation – and we will not be the last.”
“Australia is not the first country to enact this sort of legislation – and we will not be the last. Agencies in the UK already have similar powers.” He went on to say that other nations are considering their options.
As ironic as Burgess’s claims of flawed logic may be, the logic expressed by those with concerns is difficult to fault, regardless of how many other countries are considering similar laws.
Under the new law, the Australian government can issue notices to tech companies that require they remove encryption and other security on devices and services, to provide Australian law enforcement agencies access to stored data.
At first glance, this may seem perfectly reasonable. However, there are question marks around whether the law will require the creation of backdoors and other vulnerabilities in hardware and services sold in the Australian market – something that is a big issue for many. Detractors argue that these susceptibilities could get leaked, ending up being used (and abused) by the very people who the Australian government is trying to capture.
Minister for Home Affairs Peter Dutton said during the Bill’s second reading in the Australian parliament that “The legislation will not weaken encryption or mandate backdoors into encryption. The Bill specifically provides that companies cannot be required to create systemic weaknesses in their encrypted products, or be required to build a decryption capability.” He then clarified this by saying “The Bill provides law enforcement agencies with additional powers for overt and covert computer access. Computer access involves the use of software to collect information directly from devices.”
Detractors have pointed out that this part of the new law is, at best, problematic as definitions of basic terms like “systemic weakness”, are vague and used in conflicting ways in the Bill.
Worse still, is the potential impact on the Australian tech sector. Any encryption capable products designed, built or sold in Australia will have to have these vulnerabilities built in, potentially decreasing their appeal (and sales). Put simply, most Australian (and offshore) businesses, when faced with the choice of purchasing a messaging platform with backdoors or another with none will invariably go for the more secure option.
The issue was brought to the fore during joint committee on Intelligence and Security hearings on the legislation when Australian security vendor Senetas warned that they (and an estimated 200 jobs) could move offshore to avoid irreparable damage to their brand.
The timing couldn’t be worse. Australia can ill-afford an overseas exodus of tech talent. A recent report from the Department of Industry, Innovation and Science recently forecast declining demand for ore and falling prices would see export will drop from a high of A$214 billion recorded in 2017/18 to $200 billion in 2019. Other sectors such as manufacturing lack the competitiveness to pick up the slack, and many had been looking to Australia’s tech sector as a possible answer.
Burgess says suggestions Australian tech companies will be regarded ‘as no different to the high-risk foreign vendors that have been blocked from supplying equipment in Australian 5G networks’ are ‘absurd’.
“High-risk vendors have been banned from Australia’s 5G network because of the threat they pose when they could be subject to unbounded extrajudicial directions from a foreign government. It is not in any way an equivalent comparison to the highly-targeted assistance that the Australian Government will be seeking under the TOLA Act.”
While Burgess’s blog post attempted to answer claims that the new law will hurt the Australian tech sector, he did not address its potential impacts on consumer choice. Australian tech companies are not the only ones who will have to comply with the laws. Multi-national tech companies will also have to toe the line and weaken encryption and security in products and services sold in Australia. It is fair to assume that given the small size of the Australian market, some may simply put Australia in the too hard basket, choosing not to sell their products and services there.
Burgess also lashed out at concerns that the new laws were open to abuse, stating that “Nobody’s personal communications can be accessed under the Act without a warrant, in the same way, other legislation has operated for decades.”
What Burgess failed to discuss was that the new laws could also be used to provide evidence and prosecute lesser crimes including copyright infringement. It was also Interesting to note that he did not address fears around the scope for abuse within the new law.
This comes amidst recent revelations that the Australian Government’s Data Retention Bill (that required telcos keep records of phone and internet usage for security agencies) saw 80 agencies applying for access, including Greyhound Racing Victoria. Any laws involving access to personal and private data needs to be both well thought out, and have robust checks and balances to prevent similar abuse.
Burgess concludes by saying that “Many of the claims about the “dangerous” nature of the Act are hyperbolic, inaccurate and influenced by self-interest, rather than the national interest. The true danger is the thing the TOLA Act seeks to prevent: terrorists, paedophiles and other criminals communicating in secret, without law enforcement and security agencies being able to ‘crack their code’. Australia’s law enforcement and national security agencies do not ask for legislative change lightly or routinely. But when technology evolves, the law should evolve too – so we can continue our mission to keep Australians safe.”
Regardless of the fuss surrounding the new law, the simple reality is that it is the cyber equivalent of the Maginot Line, and is easy to bypass. Organised crime and terrorist organisations (that the law is intended to catch) could stop using commercial apps with built-in encryption and instead use customised software written in countries beyond the reach of the Australian law, whose encryption does not have any built-in vulnerabilities or weaknesses for law enforcement agencies to exploit.