When the Australian parliament passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 last week, Australia became the first country in the world to pass a law that allows government agencies to force companies to give secret access to encrypted information. Ostensibly, the bill will allow law enforcement and intelligence agencies to access data useful in investigating terrorism and criminal activity. But critics of the legislation point out that, like many terrorism-related laws these days, the language of the bill is broad and unclear and may lead to interpretive abuses in the future. The law passed overwhelmingly and without debate.
Specifically, agents from the Australian Security Intelligence Organisation (ASIO) and the Australian Federal Police (AFP), agency equivalents to the CIA and FBI, can now go to the provider of encryption products, such as WhatsApp and Signal, and require them to provide access to the encrypted data of a target, and to do so secretly. One problem, a technical one, is how to gain such access to the data, since the provider would not have the key.
ASIO and the AFP want providers to hand over “technical details” of their encryption process that would allow the agents to exploit “systemic vulnerabilities”. The agencies claim that they would not be requiring providers to build in a “backdoor” for remote government access, but critics, such as Apple, Facebook and Google, who have apps that would be affected, argue that exploiting vulnerabilities may do just that — open up a system to other, more nefarious hackers, and make the encryption unsafe to use. Providers who don’t cooperate with the government will face fines and possible jail time, making them unintentional agents of potential government overreach.
Furthermore, ASIO and the AFP already have the power to infiltrate end-user computers to surveil before data is even encrypted, so it is hard to see the justification for further powers. At Policy Forum, Monique Mann, a law lecturer at the Queensland University of Technology, writes, “There is no evidence that any new powers are necessary, or proportionate, when viewed against existing police powers and investigative capabilities. Yet the stakes could not be higher for cybersecurity and digital rights.”
There is also some scepticism about how the requirements of the law would hold up in Australian business dealings with companies from other countries where data rights and online privacy are more legally protected. Of course, with a backdoor-that’s-not-a-backdoor, created by the government’s exploitation of systemic vulnerabilities, no one would really know, including the provider, if their data had been decrypted. And though a warrant issued by a court is required to go ahead with a decryption, if America’s FISA court, which essentially rubberstamps government requests for secret access, is any example, such court-ordered warrants from Australian judges are no reassurance — Australia has no Bill of Rights underwriting the integrity of such requests.
Along the lines of human rights and governmental accountability (a cornerstone of a functioning democracy), the new law allows not just the targeting of the usual criminals, such as child pornographers and scam artists, as well as so-called terrorists, but also “whistleblowers.” In short, the law would help prevent someone in Australia from dumping files at, say, Wikileaks, or even submitting documentation supporting government abuses to a whistleblowing site in Australia, if said potential exposure could be seen to “weaken” national security.
Perhaps the world’s greatest champion of encryption, and its power to protect privacy, is that over-exposed guy holed up in the Ecuadorian Embassy in London. He rejects the common notion that such laws have no bearing on the doings of everyday people and scoffs at “if you have nothing to hide, you have nothing to fear” arguments often expressed with a naive smugness. “No worries, I use a VPN,” they might smile. But VPNs can be just as vulnerable.
It’s almost ironical that Assange, who grew up in Australia and cut his hacker’s teeth here (breaking-and-entering secret Pentagon servers as a teen), is now a virtual exile (his work would be criminalized here and has been called “illegal” in the past by a prime minister) who has almost single-handedly fought a war against the dark, corrupt secrets of government, while also attempting to protect individual privacy, the core of our humanity.
In his 2012 Cypherpunks: Freedom and the Future of the Internet, which he calls a “warning” rather than a “manifesto”, Assange makes clear what’s at stake for us all and how encryption is a “key” to protecting ourselves from losing the last vestiges of privacy (and the consequent humanity that goes with it). Of the stakes he writes, “The internet, our greatest tool of emancipation, has been transformed into the most dangerous facilitator of totalitarianism we have ever seen….within a few years, global civilization will be a postmodern surveillance dystopia, from which escape for all but the most skilled individuals will be impossible. In fact, we may already be there.” In the post-Snowden cyberscape, it’s hard to argue.
Assange’s answer is encrypt, encrypt, encrypt. “Encryption is an embodiment of the laws of physics, and it does not listen to the bluster of states, even transnational surveillance dystopias,” he writes. “Cryptography is the ultimate form of non-violent direct action. While nuclear weapons states can exert unlimited violence over even millions of individuals, strong cryptography means that a state, even by exercising unlimited violence, cannot violate the intent of individuals to keep secrets from them.” Keeping these secrets, our thoughts — this is the last frontier. “If we do not [redefine force relations], the universality of the internet will merge global humanity into one giant grid of mass surveillance and mass control.”