If the Australian government was hoping its encryption legislation would have a smooth run, it'll probably be disappointed. Not only has the exposure draft landed with a political storm, reactions from technologists range from guarded to sharply critical.
On the political front, the Australian Greens came out most strongly against the proposed laws. The party's digital rights spokesperson Jordan Steele-John highlighted the potential for law enforcement agencies to demand installation of malware on user devices as a danger.
“Regardless of what Minister Taylor claims, installing software or legislating some other means to capture data as it is unencrypted on the receiving device undermines the very principle of end-to-end-encryption,” Steele-John said in a statement.
He also criticised the legislation's “pre-crime” aspects, saying the legislation “will ultimately diminish the presumption of innocence and the privacy of all Australians online”.
Labor cyber security spokesperson Gai Brodtmann was more careful, but called for an extensive consultation. The Australian Labor Party has, however, generally support the government's national security measures.
Technologists The Register interviewed are generally concerned about the legislation.
Nigel Phair, director of the University of New South Wales' Canberra Cyber program, said the laws demonstrate the age-old principle that “you can't legislate your way out of online problems … We can't legislate our way to an 'arrest now' button”.
“Holistically, I agree with the need for legislation”, Phair said (a sentiment echoed by many of the people The Register spoke to), but he felt this implementation is too vague and too broad to be useful.
Phair said he would prefer to see governments better engage with the industry: “It's not legislation or ten million dollar fines, it's working with companies on next product suites so there can be lawful interception.”
Australia on the cusp of showing the world how to break encryptionREAD MORE
The drafting is problematic, Phair said, in particular the government's use of the expression “systemic vulnerability”, which he believes will be difficult to quantify.
Dr Vanessa Teague of Melbourne University said there's a gap between how the government explains the legislation in its Explanatory Memorandum, and the reality:
“Most of the firm guarantees and comforting protections described in the explanatory memorandum do not actually appear in the bill, or appear only in a weakened, ambiguous or limited form,” she told Vulture South in an email.
The government has repeatedly asserted that the legislation will not require encryption backdoors. However, Teague said, “However, this distinction isn't translated into the bill”.
Teague also noted that the bill is vague in what it refers to as a technical capability (probably borrowed from the UK's Investigatory Powers Act): “If a service provider has the keys, but doesn’t currently have a program that does the decryption and provides it to law enforcement, then they have a ‘capability’ in the sense that it’s possible for them to do it, but they don’t have a ‘capability’ in the sense that they already have a program for doing it.”
She also drew attention to the gap between “no backdoors” rhetoric, and the draft, which says providers won't be required to build systemic vulnerabilities into products or services.
“Are companies obliged to re-engineer some individually-targeted part of the system, if that re-engineering puts other users at increased risk? For example, would Apple have been obliged to undermine the PIN-based device security of the iPhone in the San Bernadino case, or could they have argued based on this clause that it would have 'render[ed] systemic methods of authentication or encryption less effective'?"
“It seems to me that this has been the key question all along, and that it still hasn't been clarified,” she wrote.
She added that the secrecy provisions in the legislation, which the explanatory memorandum says will make sure “any assistance is provided on a confidential basis and information”, and protect commercial secrets, will also get in the way of open debate about the laws' impact.
“Would the secrecy clause (317ZF) render the kind of open public discussion that occurred between Apple and the FBI illegal in Australia?” she asked. “Information 'about' is hugely different from information 'obtained under' a notice or request.
“Revealing information about a request could be a vital part of whistleblowing, government accountability, or arguing about the appropriateness of a request,” she told us.
Yes, Virginia, there is a backdoor, it's just not in the encryption. It's everywhere else
Paul Brooks, chair of the Internet Society, Australia (ISOC-AU), was also harsh in his criticism of the bill.
For a start, Brooks told The Register, there's no way for anyone to know if they're compliant with the demands of the bill, and little way for someone to assess the legality of a notice from law enforcement.
“The legislation is so vague in terms of what it could or might require a service provider can do – there's no way to know whether a service provider is compliant, or needs to do something,” he said.
He also highlighted how the government's conveniently-narrow definition of “backdoor” is belied by the reality: yes, the bill specifically forbids measures to weaken encryption, but the practical impact of a compromised device is indistinguishable from a backdoor in its effect.
While there are “a lot of good statements” in the explanatory memorandum, he said, “this legislation absolutely allows backdoors to be put into devices, rather than into the encryption algorithms.”
“A backdoor in a device … is still a backdoor”, Brooks said.
When's a backdoor not a backdoor? When the Oz government says it isn'tREAD MORE
The legislation also represents a considerable step beyond how we understand lawful intercept: once the domain of the telecommunications industry working with law enforcement, the encryption laws stretch into every device in the home.
The bill reaches all the way from silicon to websites, and that's likely to make Australia an unattractive online destination, he said.
“Manufacturers and suppliers of devices – phones, broadband modems, printers, smart TVs, voice assistants – it enables authorities to require them to make changes to how the software operates.” Brooks said.
“This is a lot more than gaining access to the content of messages that might have been encrypted on the way through. It's the capability to subvert, and install malware, onto devices in the house.”
He cited the possibility that law enforcement could ask a website to “silently” disable HTTPS for a group of users. An organisation like Facebook might decide it's better to simply block Australians than comply.
The risk for such organisations is that if they complied, the code could leak and expose “a larger group of users than it's intended to.”
And in the other direction, he said, international customers could be driven away from Australian services, because they can't guarantee sites hosted here are trustable or secure.
ISOC-AU is hosting an encryption event in Canberra on August 20, to let people hear from experts.
Internet infrastructure also at risk
Mark Nottingham, member of the Internet Architecture Board and member of the office of the CTO of Fast.ly, spoke to The Register on a personal basis, and is similarly worried about the gap between the explanatory memorandum and what the legislation enables.
There are some good aspects, however: “The amount of work they've don: it's comprehensive … and not nearly as hand-wavy as we've seen in the past,” he said.
"However, the catch-everything breadth of the legislation is a concern: “It has a large amount of access that affects a large number of people, apps, websites, platforms – it touches all of them, even infrastructure like DNS or PKI” [the Domain Name System, and Public Key Infrastructure – El Reg].
The idea that it allows law enforcement to demand someone reveal source code is also troublesome. Yes, someone could “go to Huawei or Microsoft and ask them to disclose vulnerabilities”, but why would anyone comply?
While Australia has a decent reputation for oversight, Nottingham said, this legislation needs very strong oversight if it's to succeed.
Also unclear is who gets to decide what justifies a technical capability notice – and whether that decision is informed by an understanding of technology.
“Who is the decision maker to determine feasibility, technical capability, and are they the right person to do that?” Nottingham asked.
It's perfectly feasible, he said, that an agency could issue a technical capability notice which the recipient cannot comply with, putting both companies and individuals in jeopardy.
“How do you appeal a technical capability notice?” he asked. “If this becomes law, the request becomes lawful, whether or not the person is able to [comply].”
A recipient could receive a notice, not knowing whether or not it's lawful or feasible, and find themselves unable to talk to anybody to get help. “I don't know if Australia wants to become that country”, Nottingham said.
Like others, Nottingham highlighted the risk to technology businesses in Australia: “Are we going to see software moving overseas?” he asked.
And while Australia has 20-plus years of contributions to cryptography, Nottingham said this legislation doesn't just impact crypto software: "It's all software,” he said.
“If I can't sell to customers X, Y or Z because it was developed in Australia, this is a big stone thrown into the pond.”
Tech needs to get good at political engagement, fast
Steve Wilson of Lockstep told The Register debate over lawful intercept is important, but too many on both sides retreat into a “slanging match.”
Given the size of the legislation, “you'd probably have to concede the government has listened to technologists,” he said.
The government seems to be saying “if you're running a technological service, if at some point in the chain you have access to unencrypted messages, then under the right legal circumstances, you're obliged to give us information.”
“Reasonable law enforcement access should be technology neutral,”, he added.
“I don't think we in tech can complain about that, per se, but we need a dialogue about it”.
Shortcomings in the legislation show just how difficult it has been to make that dialogue happen, he said, and “puritans on both sides” are part of that problem.
On the one hand, the argument that “encryption gives paedophiles somewhere to hide” is overblown. “I don't really know that crypto makes law enforcement impossible. Where's the academic research into that?
However, defending encryption by “yelling 'maths!'” holds back dialogue from the other side, partly because instead of giving government a comprehensible explanation of technology, “we're stuck with these stupid analogies about locks.”
It's not obvious to the layperson how the legislation would break encryption, Wilson said, and the only way to protect peoples' security and privacy is to “find a place at the table.”
Alas, Australian technologists have a long history of getting that engagement wrong. ®