New legislation from Australia could have global consequences for security and privacy on the internet. Controversial laws have been passed which oblige tech companies to allow the police to access encrypted messages, undermining the privacy of encryption.
End-to-end encryption is used by apps like iMessage, WhatsApp, Telegram, and Signal to keep messages between users private. It works by taking the message that you are sending and using a string of digits, called the recipient's public key, to turn this message into scrambled characters. These scrambled characters are then sent to the recipient, who uses another string of digits, called their private key, to turn the message back into readable text. This means that if your message is intercepted at any point, all that an attacker will be able to see is the scrambled characters. The only person who can read the message is the recipient, who is the only one holding the private key required for decryption.
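As an added illustration of the mechanism described above (example code, not part of the original article): the recipient's public key scrambles a message, only the matching private key unscrambles it, and an eavesdropper holding a different private key gets an error rather than the text. It uses Go's standard-library RSA-OAEP for one short message; real messengers build more elaborate protocols on this idea, but the public/private asymmetry is the same.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyPair holds one user's keys: the public half is shared freely, the private half never leaves the device.
type KeyPair struct {
	Public  *rsa.PublicKey
	Private *rsa.PrivateKey
}

// NewKeyPair generates a fresh 2048-bit RSA key pair.
func NewKeyPair() (KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return KeyPair{}, err
	}
	return KeyPair{Public: &priv.PublicKey, Private: priv}, nil
}

// Seal scrambles a short message using only the recipient's public key (RSA-OAEP).
// Anyone can do this; nobody can reverse it without the matching private key.
func Seal(recipient *rsa.PublicKey, message []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, message, nil)
}

// Open recovers the message. It succeeds only with the private key that
// matches the public key used in Seal; any other key returns an error.
func Open(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, nil)
}

func main() {
	bob, _ := NewKeyPair() // the intended recipient
	eve, _ := NewKeyPair() // an eavesdropper with a key pair of her own
	msg := []byte("meet at 9 (constructed sample message)")
	ct, _ := Seal(bob.Public, msg) // the sender only needs Bob's public key
	fmt.Printf("on the wire (intercepted): %x...\n", ct[:16])
	pt, _ := Open(bob.Private, ct)
	fmt.Printf("Bob reads: %s\n", pt)
	if _, err := Open(eve.Private, ct); err != nil {
		fmt.Println("Eve's private key fails:", err)
	}
}
```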
The high level of security that this system offers has made end-to-end encryption the most popular way to keep messages private. However, government intelligence agencies and police forces around the world have been frustrated by encryption which they say prevents them from doing their job of investigating suspicious persons. To address this issue, the Australian government has now created a new form of “computer access warrant” which allows law enforcement agencies to obtain information directly from a device like a smartphone, and to compel technology companies to help them access this information.
Exactly what this complex legislation will mean in practice is still being debated, but critics from the tech industry have made it clear that they are not on board with governments having this kind of power. Many have interpreted the bill as obliging tech companies to offer the government backdoor access to their security systems, which is potentially disastrous for security. The bill does have a safeguard which says companies are not required to build “systematic weaknesses” into their software, but the term “systematic” was not defined, meaning that the actual legal requirements are unclear. A further concern with the bill is the lack of judicial oversight in this process. Law enforcement agencies need a warrant to oblige tech companies to comply with them and break the encryption, but once this warrant is issued there is no further oversight of the system.
Due to the global nature of most tech companies, ordering backdoors built into encryption in Australia could have an impact around the world. As human rights lawyer Lizzie O’Shea points out, “The truth is that there is simply no way to create tools to undermine encryption without jeopardizing digital security and eroding individual rights and freedoms. Hackers with bad intentions will do their utmost to take advantage of any such tools that companies are forced to provide the government.”