Australian Government Passes Law Forcing Tech Companies To Break Encryption
from the nice-one,-idiots dept
The Australian Parliament has passed a law ordaining compelled access to encrypted devices and communications. The legislation was floated months ago and opened up for comment, but it appears the Australian government has ignored the numerous complaints that such a law would violate civil liberties and otherwise be an all-around bad idea. But that's OK. It's completely justified, according to the Prime Minister.
Scott Morrison, Australia’s prime minister, told local radio on Thursday that encryption laws were necessary to target Islamist terrorism, paedophile networks and organised crime. “These laws are used to catch the scum that try to bring our country down and we can’t give them a leave pass,” he said.
Sure, and if innocent people find their communications compromised by government-mandated holes, so be it. The law was rushed through Parliament in a late evening session since every moment wasted was just one more leave pass for scum. Legislators promise to review the law in 18 months to ensure it hasn't been abused or created more problems than it's solved, but let's be honest here: how often does legislation like this get clawed back after a periodic review? It's never happened in the history of the laws governing our surveillance programs, even after leaked docs exposed unconstitutional practices and widespread abuse of surveillance authorities.
Here's a short summary of the new powers the legislation hands over to law enforcement and national security agencies:
The law enables Australia’s attorney-general to order the likes of Apple, Facebook, and Whatsapp to build capability, such as software code, which enables police to access a particular device or service.
Companies may also have to provide the design specifications of their technology to police, facilitate access to a device or service, help authorities develop their own capabilities and conceal the fact that an agency has undertaken a covert operation.
This law will go into effect before the end of the year. How it will go into effect is anyone's guess. The law provides for compelled access -- including the creation of new code -- but no one seems to have any idea what this will look like in practice. The new backdoors-in-everything-but-name will be put in place by developers/manufacturers at the drop of a court order, with the onus on the smart people in the tech business to iron out all of the problems.
The law only prevents the government from demanding that "systemic weaknesses" be built into devices or programs. Everything else is left to the imagination, including the actual process of introducing code changes in multi-user platforms or targeted devices.
An actual software developer, Alfie John, has put together a splendid Twitter thread pointing out the flaws in the government's assumptions about software development. Since the compelled participants are forbidden from discussing surveillance court orders with anyone (which would include coworkers, supervisors, the general public, etc.), these requested alterations would have to be implemented in secret. The problem is coding changes go through a number of hands before they go live. Either everyone involved would need to be sworn to secrecy (which also means being threatened with jail time) or the process falls apart. Changes ordered by a court could be rejected by those higher up on the chain. Worse, the planned encryption hole could see the compelled coder being viewed as a data thief or foreign operative or whatever.
Law enforcement is going to have to make everyone involved in the product/device complicit and covered under the same prison threat for this to work. The more people its exposed to, the higher the chance of leakage. And if the code will break other code -- or the request simply can't be met due to any number of concerns -- the government make ask the court to hold the company and its personnel in contempt for their failure to achieve the impossible.
To make matters worse, the company targeted with a compelled access request may be monitored for leaks before and after the request is submitted, putting employees under surveillance simply because of their profession.
In some cases, the only weakness that can be introduced will be systemic, which will run contrary to the law. How will the government handle this inevitable eventuality? Will it respect the law or will it simply redefine the term to codify its unlawful actions?
Even if all of this somehow works flawlessly, users of devices and communications platforms will be put at risk. Sure, the compelled access might be targeted, but it will teach users to distrust software/firmware updates that may actually keep them safer. The government may even encourage the forging of credentials or security certificates to ensure its compelled exploits reach their targets. And just because these backdoors theoretically only allow one government agent in at a time, that doesn't mean they aren't backdoors. They may be slightly more difficult for malicious actors to exploit, but once the trust is shattered by compelled access, other attack vectors will present themselves.
It's a terrible law justified by the spoken equivalent of a bumper sticker. And it's going to end up doing serious damage -- not just in Australia, but all over the world. Bad legislation spreads like a communicable disease. If one democracy says this is acceptable, other free-world leaders will use its passage as a permission slip for encryption-targeting mandates of their own.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: australia, backdoors, compelled access, encryption, moral panics, secrecy, software development, terrorism
Reader Comments
The First Word
“Subscribe: RSS
View by: Time | Thread
" Bad legislation spreads like a communicable disease."
Or it'll produce so much damage it will be that case-study to be mentioned for years that will put an end to any new "going dark" discussion that involves weakening encryption.
Also, sine when Australia became a prototype for totalitarianism?
[ link to this | view in chronology ]
Now we get to see if it wrecks the economy.
My thought exactly, Australia has decided to be the test case for crypto mandates.
I'm curious what happens when a company such as Apple makes a system that is difficult to break (takes decades) and then is mandated to help law enforcement break it.
At any rate, it's good cause for such corporations to move all assets out of Australia.
[ link to this | view in chronology ]
Re: Now we get to see if it wrecks the economy.
Yeah, this should be another aspect to watch. If it costs them financially it'll be another incentive not to apply it to other countries.
And also which companies have the spine to simply move out instead of capitulating to the insanity.
[ link to this | view in chronology ]
Re: Now we get to see if it wrecks the economy.
Australia's economy is simply not that big, and not that many people live there. They don't have the clot or money that the entire EU had to effectively enforce GDPR on the planet.
[ link to this | view in chronology ]
Re: Now we get to see if it wrecks the economy.
It's not so new. America had its export prohibitions in the 90s, while crypto was basically illegal in France. Then there was (is) RIPA in the UK.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Resident Evil zombie virus.
[ link to this | view in chronology ]
Re:
If you haven't already removed any and all TLS certs issued by Australian CAs from all trust stores* under your control you're at risk.
Further, if any security agency / CA doesn't pull out completely from Australia and refuse to abide by any of their requests or send their people there, distrust them as well*.
Also start keeping tabs on Microsoft, Apple, Google, Mozilla , Samsung, any device manufacturer, OS distro developer, etc. If anyone of them start issuing "updates" that contain pre-compromised code, distrust them*, disable automatic updates (you've done that already right? And uninstalled Windows 8 & 10?), and make their treachery known far and wide. Shout it from the roof tops if you have to, because preventing this disease from spreading requires a populous to disobey the assholes implementing it. Civil disobedience is the word, and if it's a fight these assholes want, they've found one.
*: Assuming you're able to with things like Secure Boot and it's ilk around. God, that's painful to say. We're going to need exploits just to get rid of the Australian's, and soon to come others', exploits.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
...Or just remove themselves from Australia.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
The tech companies can not compete against government.
What the tech companies id provide information on who does provide encryption with out running afield of law.
For example.
XYZ sell you a phone.
XYZ then suggest that you would be better served by downloading, for free, encryption from QRS, WER, ERT, et who are members in the ENC Encryption network.
Also, XYZ makes donation and provides technical expertise to the ENC Encryption network.
XYZ problem is solved. They provided an open phone. The user downloaded and install encryption after they purchased the phone. If there is some problem with this it is between the purcher and government not the manufacturer and government.
[ link to this | view in chronology ]
Re: Re: Re:
On possible effect of this law is the Government insisting that the device manufacturers provide an update channel that the user cannot see or turn off.
[ link to this | view in chronology ]
Re: Re: Re: Re:
At worst the manufacturer might be able to give the government the encrypted files, but they'd already have that from seizing the device itself.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
That is to say encryption becomes an illusion if somebody else can control your machines.
For text only email an offline encryption decryption system based on the likes of Arduino would be very hard to compromise, as you control all the code from reading the SD card upwards, and changes in program size when you compile, on an offline Raspberry pi would also be visible.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
If they can force code onto your machine they have access to the decoded data...
This assumes the government knows what encryption the end user has installed, which is true if it's default.
If it's not default then they're likely to get garbage, or worse, brick the phone.
While this may catch some people off guard, any business operating in Australia larger than a mom-and-pop store is going to need to replace the default data encryption software with something else from outside Australia, or install a different operating system on the phone.
Either that or risk being succeptable to attacks from rival companies, let alone Australian law enforcement.
[ link to this | view in chronology ]
Mandated quiet device update vector.
Sounds like Australia is going to be the land of the jailbroken phones.
Appropriate!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
If Murdoch can't get a publishers tax on Google for linking to News Corpse then this will do quite nicely.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Ok, you go first
Force them to use backdored versions of e-mail programs, web browsers, instant messaging, photo sharing, etc.
All the things they use for private communications.
And, if there are no problems, complaints, leaks or stolen identities, the general population will follow in a couple of months...
[ link to this | view in chronology ]
Just wait until it happens to them
Let's say Google actually installs a government-mandated back door in the Android operating system. How long will it be until "bad guys" (meaning anyone against this dumb law) takes advantage of the back door and hacks into every government phone?
And like you said, bad laws spread. How long will it be until China, Iran, or even England says US companies have to install back doors for use in their countries as well?
[ link to this | view in chronology ]
Re: Just wait until it happens to them
[ link to this | view in chronology ]
Re: Re: Just wait until it happens to them
[ link to this | view in chronology ]
Re: Re: Re: Just wait until it happens to them
[ link to this | view in chronology ]
Re: Re: Re: Re: Just wait until it happens to them
Those drongos haven't coughed up the brass razoos to support anything home-grown like that in the past and they won't do it now.
Now if they could only install backdoors in bushfires, floods, cyclones, coal seam gas-caused water poisoning, and dust storms, they'd be on a winner.
[ link to this | view in chronology ]
They have nothing to hide do they?
They should be at the forefront of opening themselves up to review, I look forward to the texts telling you this was a good idea, your lucky numbers of the day, & your horoscope.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
They are already looking at what it will take to exit Australia entirely because following Australia's "phakencryption" law will make us liable to global lawsuits and security audit findings that could cost us billions in fines.
ie - Most countries outside of Australia require "real" encryption that cannot be broken by outside entities.
Australia has just made itself the bane of global corporations.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
The "Bad Guys"
The actual bad guys might, but if Australian law enforcement is like US law enforcement they don't really want to catch them. Rather they're going for the low-hanging fruit of people who post their ill-gotten gains on Facebook.
Actual terrorists with real encryption, real guns and real agendas? Better to just let that fire burn.
[ link to this | view in chronology ]
Re: The "Bad Guys"
[ link to this | view in chronology ]
screw them
[ link to this | view in chronology ]
Forcing open source
Considering the rules requiring that the companies must give law enforcement access to the code and standards, this will encourage the companies who do comply to make their standards resistant to exploitation.
Given enough eyes, all bugs are shallow. But when some eyes are known to be adversarial, we might be even more driven to find and fix exploits.
[ link to this | view in chronology ]
Re: Forcing open source
There aren't enough eyes, hell, there haven't been enough eyes on the combined numbers of humans ever alive to make "backdoored" encryption safe.
It's statistically impossible to do with software (which includes software tokens, and hardware tokens are just customized hardware running software token code).
At some point in the distant future, when they've stabilized n-factor qubits, they may be able to send physical encryption/decryption keys, one with vendor, one with device/software, one for NSA, one for KGB, one for 5-eyes, etc, drek-cetra, one thousand for hackers round the world for a pittance of the proceeds.
[ link to this | view in chronology ]
Backdoor = exploitable
Sure, for the backdoored layer of encryption.
But we already have public-access unbreakable encryption, and a number of open source implementations.
So any business that wants to stay in business in Australia will either replace default backdoored crypto with available secure crypto, or will layer the secure crypto underneath it.
When the postern only gets you into the gatehouse, it makes the sabotage mission really short.
[ link to this | view in chronology ]
Easy solution
1) USERNAME: ADMIN
2) PASSWORD: 12345
[ link to this | view in chronology ]
Re: Easy solution
[ link to this | view in chronology ]
Re: Easy solution
USERNAME: admin
PASSWORD: !@#$%
[ link to this | view in chronology ]
There are people in those "companies" that have been working those scenarios for years. Top People.
[ link to this | view in chronology ]
Re:
There is no "mandate" to shareholders. If not the fact that all the company execs are also shareholders there would be no major motivation for keeping shareholders happy. Because the C-level execs are shareholders there is every reason to do so but there is no law that says they must.
[ link to this | view in chronology ]
Re: Re:
Maybe not a law with criminal punishments, but it can be valid grounds to be sued.
[ link to this | view in chronology ]
Re:
"The "companies" affected by this will do whatever it takes to maintain the highest possible profit margins, that is their mandate to the shareholders, that is how it works."
Yup.
And in this case that'll mean pulling out of australia if any part of what they do involves IT. Because if a multinational corporation has a branch in australia this new law now demands the entire corporation works without IT security.
[ link to this | view in chronology ]
"That's mathematically not possible."
"What if we just made 2 illegal?"
[ link to this | view in chronology ]
Response to: Anonymous Coward on Dec 10th, 2018 @ 11:52am
[ link to this | view in chronology ]
Re: Response to: Anonymous Coward on Dec 10th, 2018 @ 11:52am
So it's more like .5+.5=1
Twins and any higher counts of fetuses in the womb won't help that map match your numbers.
for three babies, it would be .5+.5+.5+.5+.5+.5 = 3
Or 3(.5+.5) = 3
[ link to this | view in chronology ]
Re: Re: Response to: Anonymous Coward on Dec 10th, 2018 @ 11:52a
Please stop that. Much like them the only thing productive you're doing is creating hot air.
[ link to this | view in chronology ]
Re:
"1" + "1" = 11 (binary) - convert to "3" (decimal)??
That seems to be the level of unthinking that the Australian government is shooting for.
Maybe they'll call that OzBinDecMath? I'd think it would better to call it "MethMath" as only someone on drugs would think that was right.
Has anyone checked the Australian government peeps homes for meth labs in their basements?
[ link to this | view in chronology ]
REALLY??
1. do you think your Gov. reps will adhere to this, or walk around the Checkpoint??
2. IF' I dont want you to scan my Phone, I wont take it.. I have this little compartment in my shoe, want a smell?? How many Micro SD do you think I can stuff in there..forget that, 1-256gig will do.
3.Pedophilia?? Im more worried about your sheep..(old joke)
4. Pedo..Generally its a family thing, unless you are Rich and can afford Slavery..A good lawyer, and your OWN PLANE.. and Bangkok is Right over there..
This is just Justification, created by the Music/movie boards.. Anything to give the right/ability to Charge you with other crimes to circumvent the true USE/MEANING, that they will ADD to the end of this law.
Australia is an international port..They are in the middle of ALL OF IT.. From Bollywood to Hollywood.. and the RIAA has created some interesting Agencies in other countries, JUST to get control of ALL the music created around the world..
Which is strange, because FEW nations acknowledged OTHER countries COPYRIGHTS..
[ link to this | view in chronology ]
Hmmm
[ link to this | view in chronology ]
'Can't let those amateurs show us up after all.'
Scott Morrison, Australia’s prime minister, told local radio on Thursday that encryption laws were necessary to target Islamist terrorism, paedophile networks and organised crime. “These laws are used to catch the scum that try to bring our country down and we can’t give them a leave pass,” he said.
Great, so when can the australian public expect you to be arrested and fined extensively if not thrown into jail?
... oh, you meant scum attempting to bring the country down other than yourself. I see.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
For eff's sake, we just HAD the state election...
Any chance that we can re-do the election? If this is what the idiots do once their position is secured for 4 years...
[ link to this | view in chronology ]
Re: For eff's sake, we just HAD the state election...
[ link to this | view in chronology ]
Re: For eff's sake, we just HAD the state election...
Few, if any, of these politicians have any actual concern for the citizens of Australia.
I have privately proposed that the way any legislation be passed is that it is mandatory for each member of parliament take each piece of legislation back to his or her electorate and get a response back from the electorate. An actual count of the Yes/No/No Response. From this, he or she will present this to parliament and a national count take place. Legislation only passes if the number of Yes votes exceeds the number of No votes and no Responses.
One additional thing is that all legislation be fitted with a mandatory 3 year expiration clause that requires it to actually come before Parliament for renewal for another 3 years. again via the process of taking it to the electorate.
Somehow, I think much legislation would never get passed and would simply disappear from the books. It would certainly make the pollies work for their quid quo pro.
[ link to this | view in chronology ]
Say goodbye to technology companies Australia
Global fortune 100s, 250s, 500s, will all be shuttering operations in Australia because they will not be able to use "real" encryption. They'd only be allowed to use "phakencryption" which would violate all kinds of global laws that require real encryption to protect personal information like financial transactions, health information, identification information, etc.
I can't wait for all their government secrets to be exposed because they switched to "phakencryption" for all of their services to use.
[ link to this | view in chronology ]
Re: Say goodbye to technology companies Australia
[ link to this | view in chronology ]
Re: Say goodbye to technology companies Australia
No worries, I'm sure a mass-exodus of companies from the country will in no way cause a massive hit to the economy, or have any other significant impact at all. And really, if they're so determined to 'try to bring [the] country down' as to be that dedicated to working encryption then Australia will surely be better off without them anyway.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
the idiots we had to have
[ link to this | view in chronology ]
People, groups, and nation states are CONSTANTLY attempting to break into things... as of right now, all the time... affecting devices that are considered secure... and many times succeeding. Once it is known that exploits or external/"public" keys exist the bad people attempting to break in to anything/everything will see an exponential growth in success.
Regardless of who controls or maintains the code/keys/software/etc. someone will eventually figure it out and exploit it. Look how long it normally takes for new DRM to be cracked and circumvented, or how ridiculously quick the Pwn2Own tournaments produce root level access to devices. And the Aussie government wants to make it even easier??
[ link to this | view in chronology ]
Justa Thought
vEkc9JOGVkdvGEhIsJyF
6R1oxQyNRAHNcTS9h1nI
qUcXeedsID2N8c8eGNBY
JzWQo0gkRfmxLhNMfGl1
KMLbIIzdUvfuj5Sqakba
izCLPZIMbo4zGEumDS7j
uzDNtjjptlbZC2B6org4
f4a1iAlh3Wx54ahqNFN5
zjDt8IbHRm9jjcwRYnCW
AT6oBtSNoWzLC4Wi3zkG
0scQyNzt9yWusn0FB6RO
gNmIotRFvFVJB4gUpaps
lQMIsgjtfNTAcYMlU2m1
mhMd8nhOvr8TCS44kNOk
UGk6LKxvCUA3tBdk8SVh
8pkuYxaUOW57lucivpzC
o8jpLgSk3Rzmng1cuV1x
yi3pYBmIlivp4GV2pHfb
BH4sGD9QnqTDgGFqJwkk
[ link to this | view in chronology ]
A bunch of technologically illiterate morons sound the klaxon call of the four horsemen of the apocalypse; pedophiles, terrorists, drug dealers and criminals (I would have have thought they all fall under the heading of criminals, but no matter).
Then the legislation needs to be passed "to keep us all safe over Christmas/New Year". What a steaming pile of merde. No one is going to actively back door their hardware or software in the next 2 weeks. Ain't gonna happen.
Do I really need to go on?
It'll break the Internet, maybe not tomorrow or next week, but it wiil.
Also, hang you head in Shame, Bil Shorten.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
STEP1 Open Australian bank account.
Step2 wait for website backdoor to be compromised
Step 3 sue the bank and the Australian goverment for malfeasance.
Also sue the prime minister personally since you can BET he has people taking advantage of these back doors for
illegal
profitt.
[ link to this | view in chronology ]
Always amusing to see unrealistic views!
1) No large corporation is going to pull out of Australia for this or any other gov't law.
2) Corporations do not share your weenie concerns, are totally amoral. Only motive is profit. If reduced, that'll annoy, but it'll be short term at most.
3) Technically, won't require much beyond a master decryption key. Do-able, even easy. Refer to 2 above for the zero that corporations care about your privacy.
4) You don't know that corporations haven't prepared for / are doing this already, direct cahoots with gov't. You just assume not.
5) You should by now know that most "smartphones" can be gotten into by new gadgets, within hours. It's practicaly moot, anyway.
Examples prove my view: Apple and Google, two of the largest corporations in world, which preen themselves on purity of liberal / libertarian / free speech / democracy and whatever else their PR departments put out, are TIGHTLY connected to Communist China, the most brutal and repressive gov't on earth. Apple for hardware built in factories that require suicide nets, and Google customizing the "Dragonfly" engine specifically to report dissidents.
[ link to this | view in chronology ]
Re: Always amusing to see unrealistic views!
[ link to this | view in chronology ]
Re: Always amusing to see unrealistic views!
1) Yes they will. See, any company operating in australia must now operate without IT security - worldwide. Australia has now become a potential disaster without mitigation.
2) Correct. Corporations are completely amoral. Hence why a law which mandates that NO corporate secret, price list, cost pricing, GM calculation and internal revenue sheet can be kept confidential will FORCE every company out of australia.
3) You, sir, are an idiot. A master key means the second it leaks or is hacked for, EVERY encryption in australia is wide open to whoever holds a copy. Banks, Army, Government citizen indexes, etc. And that master key will be hot goods. Enough to be worth a billion USD in up front cash. It WILL leak.
4) On the contrary, corporations will NOT operate with government on this. They can't. And by that I mean they literally can't. See above. Any company operating under this needs to accept having no secrets. At all. For any reason. Worldwide, if they have so much as a branch in Australia.
5) Not really true. A smartphone is one thing because most people just won't secure it with more than a 4-digit pin or an easily subverted fingerprint reader. But smartphones aren't the issue here.
"Apple and Google, two of the largest corporations in world, which preen themselves on purity of liberal / libertarian / free speech / democracy and whatever else their PR departments put out, are TIGHTLY connected to Communist China..."
Not really true. Google and Apple are able to operate in China because they have agreed to screw their customers over with product limitations. If they had to issue a master key to their actual encryption then they'd have to leave. China knows this which is why no such master key has been requested. China, being paranoid, also does not want insecure encryption.
Now go back and take a look at what lunacy Australia has demanded. That's right - an ubiquitous encryption backdoor which NOT EVEN CHINA was insane enough to ask for.
[ link to this | view in chronology ]