Brian Jackson - Fotolia
Australia has signalled its intention to introduce legislation that would require technology companies to work with warranted intelligence and law enforcement agencies to provide access to encrypted communications.
According to the Australian Federal Police, as much as 60% of web traffic is now encrypted, making it harder to track criminals and terrorists.
But plans – both in Australia and overseas – to force technology companies to provide agencies holding warrants to access encrypted communications have been described as unworkable and potentially damaging by a range of industry and security experts.
In a Wired magazine report earlier this year, Tim Berners-Lee, inventor of the World Wide Web, noted: “If encryption were not a thing, then huge amounts of modern life would be impossible. If you put a hole in encryption – if you decide WhatsApp shouldn’t be secure – then you do that to everything else that is equivalent to WhatsApp”.
“It’s not possible to build a system which you can guarantee that only a definition of good guys can break,” he said.
Australian prime minister Malcolm Turnbull, however, remains undaunted. In a press conference to announce the new legislation, he said encryption currently was a barrier to police “finding out what terrorists are plotting, what drug traffickers are up to and what people who are exploiting children online are planning”.
“We need to ensure that the internet is not used as a dark place for bad people to hide their criminal activities from the law,” he said.
Besides demanding that technology companies work with warranted agencies to help them decipher encrypted messages, the legislation will also give the Australian Federal Police the same capacity as the Australian Security Intelligence Organisation to remotely monitor computer networks and devices.
Attorney general George Brandis said the law needed to be changed “to address what is potentially the greatest degradation of intelligence and law enforcement capability that we have seen in our lifetimes”.
According to senior research fellow Nick FitzGerald from security firm Eset, the current situation is just the logical extension of criminals using scrambler devices to thwart police intercepts of phone calls in the past century.
FitzGerald said unless agencies were provided with the keys of an encrypted message, it would not be possible to decipher a strongly encrypted message service such as Signal or WhatsApp.
If agencies were provided with the key, then it was likely that those seeking privacy would just “use a service developed in a country where they don’t give a toss about Australia or the G20 or Five Eyes,” he added.
“Any erosion of encryption could have a damaging effect on the reliability and defensibility of everything from online banking to electronic voting,” he said. “Good police work involves things other than cracking encryption.”
While compelling technology companies to provide access to encrypted communications is a well-intentioned effort to deal with a serious issue, Laurie Patton, executive director of Internet Australia said there is an inadvertent risk of creating an even bigger problem. “If we make the internet less secure, we make it more vulnerable to malicious attacks,” he said.
Read more about cyber security in Australia
- Experts say Australia’s efforts to get technology and social media firms to cooperate with the authorities in decrypting communications will be hard to achieve.
- Australia’s national cyber security blueprint has been a catalyst for improvements in cyber security across the country, but its long-term impact remains to be seen.
- Unsanctioned cloud apps continue to be major bugbear among security chiefs in Australia, a Symantec survey has found.
- Demand for people with the right mix of skills to keep organisations in Australia safe from cyber attack is far in excess of supply.
Details of the legislation have yet to emerge, but the attorney general said there would be “coercive powers” introduced to force the hand of technology suppliers.
“There is a culture, particularly in the United States, a very libertarian culture, which is quite anti-government in the tech sector,” said Turnbull.
He added that governments need to say with one voice to Silicon Valley and its emulators that their help is needed “to ensure the rule of law prevails and that they’re not exploited by those who want to hide from the law as they plan to do us harm”.
“What we need is the co-operation, where we can compel it we will, but we will need the co-operation from the tech companies to provide access in accordance with the law,” he said.
Exactly how technology companies will respond to the legislation or its coercive powers remains to be seen, but they are unlikely to roll over easily.
Apple did not respond directly to inquiries about the Australian plans, but a spokesperson pointed to an earlier statement made by CEO Tim Cook about the company’s approach to user privacy.
“I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will,” said Cook.
Read more on Hackers and cybercrime prevention
Australia unveils ransomware action plan
FBI planned a sting against An0m cryptophone users over drinks with Australian investigators
FBI arrests distributors accused of selling An0m encrypted phones to crime groups
Police raids around world after investigators crack An0m cryptophone app in major hacking operation