Australian Government Passes Law Forcing Tech Companies To Break Encryption

from the nice-one,-idiots dept

The Australian Parliament has passed a law mandating compelled access to encrypted devices and communications. The legislation was floated months ago and opened up for comment, but the Australian government appears to have ignored the numerous complaints that such a law would violate civil liberties and otherwise be an all-around bad idea. But that’s OK. It’s completely justified, according to the Prime Minister.

Scott Morrison, Australia’s prime minister, told local radio on Thursday that encryption laws were necessary to target Islamist terrorism, paedophile networks and organised crime. “These laws are used to catch the scum that try to bring our country down and we can’t give them a leave pass,” he said.

Sure, and if innocent people find their communications compromised by government-mandated holes, so be it. The law was rushed through Parliament in a late evening session, since every moment wasted was just one more leave pass for scum. Legislators promise to review the law in 18 months to ensure it hasn’t been abused or created more problems than it has solved, but let’s be honest here: how often does legislation like this get clawed back after a periodic review? It has never happened with the laws governing our own surveillance programs, even after leaked documents exposed unconstitutional practices and widespread abuse of surveillance authorities.

Here’s a short summary of the new powers the legislation hands over to law enforcement and national security agencies:

The law enables Australia’s attorney-general to order the likes of Apple, Facebook, and Whatsapp to build capability, such as software code, which enables police to access a particular device or service.

Companies may also have to provide the design specifications of their technology to police, facilitate access to a device or service, help authorities develop their own capabilities and conceal the fact that an agency has undertaken a covert operation.

This law will go into effect before the end of the year. How it will go into effect is anyone’s guess. The law provides for compelled access, including the creation of new code, but no one seems to have any idea what this will look like in practice. The new backdoors-in-everything-but-name will be put in place by developers and manufacturers as soon as an order arrives, with the onus on the smart people in the tech business to iron out all of the problems.

The only limit the law places on the government is that it may not demand that “systemic weaknesses” be built into devices or programs, and it doesn’t say where a targeted weakness ends and a systemic one begins. Everything else is left to the imagination, including the actual process of introducing code changes into multi-user platforms or targeted devices.

An actual software developer, Alfie John, has put together a splendid Twitter thread pointing out the flaws in the government’s assumptions about software development. Since the compelled participants are forbidden from discussing the orders with anyone (which would include coworkers, supervisors, the general public, etc.), these requested alterations would have to be implemented in secret. The problem is that code changes pass through a number of hands before they go live: review, testing, build and release. Either everyone involved would need to be sworn to secrecy (which also means being threatened with jail time) or the process falls apart. Changes ordered by the government could be rejected in review by those higher up the chain. Worse, the planned encryption hole could see the compelled coder viewed as a data thief or foreign operative, or whatever.

Law enforcement is going to have to make everyone involved in the product or device complicit, and covered by the same prison threat, for this to work. The more people it’s exposed to, the higher the chance of leakage. And if the code will break other code, or the request simply can’t be met for any number of reasons, the government may ask the court to hold the company and its personnel in contempt for their failure to achieve the impossible.

To make matters worse, the company targeted with a compelled access request may be monitored for leaks before and after the request is submitted, putting employees under surveillance simply because of their profession.

In some cases, the only weakness that can be introduced will be systemic, which will run contrary to the law. How will the government handle this inevitable eventuality? Will it respect the law or will it simply redefine the term to codify its unlawful actions?

Even if all of this somehow works flawlessly, users of devices and communications platforms will be put at risk. Sure, the compelled access might be targeted, but it will teach users to distrust the software and firmware updates that may actually keep them safer. The government may even encourage the forging of credentials or security certificates to ensure its compelled exploits reach their targets. And just because these backdoors theoretically only let one government agent in at a time doesn’t mean they aren’t backdoors. They may be slightly more difficult for malicious actors to exploit, but once trust in the update channel is shattered by compelled access, other attack vectors will present themselves.
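What a user can actually check here, as an added example that is not part of the original article and not code from any of the vendors named in it: a targeted update is, by definition, one that differs from what everyone else received. The standard countermeasure is binary transparency, where a vendor commits the digest of every shipped release to a public, append-only log, and the client refuses to install anything the log does not vouch for. The Python below (standard library only) builds a small Merkle tree over constructed release digests, produces an inclusion proof, and shows a client accepting the logged build and rejecting a build of the same version that differs by a few bytes. The release contents, the tree-padding rule and the `accept_update` gate are assumptions made for illustration; the leaf and node hash prefixes follow RFC 6962.

```python
"""Binary-transparency style update check (added example, not vendor code).

A vendor appends the SHA-256 digest of every shipped release to a public
Merkle log. A client only installs a package whose digest carries an
inclusion proof against a log root it already trusts, so a one-off build
pushed to a single target is rejected unless it too is published for all.
"""
import hashlib
from typing import List, Tuple

Proof = List[Tuple[bytes, str]]  # (sibling hash, side the sibling sits on)


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(release_digest: bytes) -> bytes:
    # Domain-separated leaf hash, 0x00 prefix as in RFC 6962 section 2.1.
    return _sha256(b"\x00" + release_digest)


def node_hash(left: bytes, right: bytes) -> bytes:
    # Interior node, 0x01 prefix as in RFC 6962 section 2.1.
    return _sha256(b"\x01" + left + right)


def _next_level(level: List[bytes]) -> List[bytes]:
    # Simplification (assumption): an odd level duplicates its last node.
    # RFC 6962 uses unbalanced trees instead; verification works the same way.
    if len(level) % 2:
        level = level + [level[-1]]
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(release_digests: List[bytes]) -> bytes:
    level = [leaf_hash(d) for d in release_digests]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(release_digests: List[bytes], index: int) -> Proof:
    """Sibling hashes on the path from the leaf at `index` up to the root."""
    proof: Proof = []
    level = [leaf_hash(d) for d in release_digests]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], "L" if sibling < index else "R"))
        level = _next_level(level)
        index //= 2
    return proof


def verify_inclusion(release_digest: bytes, proof: Proof, root: bytes) -> bool:
    """Recompute the root from the leaf and its siblings; compare to the trusted root."""
    current = leaf_hash(release_digest)
    for sibling, side in proof:
        current = node_hash(sibling, current) if side == "L" else node_hash(current, sibling)
    return current == root


def accept_update(package: bytes, proof: Proof, trusted_root: bytes) -> bool:
    """Client-side gate (hypothetical name): install only a build the log vouches for."""
    return verify_inclusion(_sha256(package), proof, trusted_root)


# Constructed sample data: three releases the vendor shipped to everyone.
RELEASES = [
    b"messenger-1.0.0: baseline build",
    b"messenger-1.0.1: bug fixes",
    b"messenger-1.0.2: new sticker pack",
]
RELEASE_DIGESTS = [_sha256(r) for r in RELEASES]
ROOT = merkle_root(RELEASE_DIGESTS)  # the value a client obtains out of band

# Constructed: same version string, but a build delivered to one target only.
TARGETED_BUILD = b"messenger-1.0.2: new sticker pack + covert access hook"


def demo() -> Tuple[bool, bool]:
    proof = inclusion_proof(RELEASE_DIGESTS, 2)
    genuine = accept_update(RELEASES[2], proof, ROOT)      # logged build: accepted
    targeted = accept_update(TARGETED_BUILD, proof, ROOT)  # unlogged build: rejected
    return genuine, targeted


if __name__ == "__main__":
    print(demo())
```

The article’s point survives contact with the code: a vendor compelled to ship one user a different build must either leave that build out of the log, in which case the client rejects it, or add it to the log, in which case the change is visible to anyone monitoring the log and the order’s secrecy is gone. The trusted root itself still has to reach the client by a path the order cannot touch (a mirror run by a second party, gossip between clients), which this example assumes rather than solves.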

It’s a terrible law justified by the spoken equivalent of a bumper sticker. And it’s going to end up doing serious damage — not just in Australia, but all over the world. Bad legislation spreads like a communicable disease. If one democracy says this is acceptable, other free-world leaders will use its passage as a permission slip for encryption-targeting mandates of their own.



Comments on “Australian Government Passes Law Forcing Tech Companies To Break Encryption”

72 Comments
Ninja (profile) says:

So any security conscious person has to avoid Australia and its products like the plague and cyber criminals know where to make easy money now.

” Bad legislation spreads like a communicable disease.”

Or it’ll produce so much damage it will be that case-study to be mentioned for years that will put an end to any new “going dark” discussion that involves weakening encryption.

Also, since when did Australia become a prototype for totalitarianism?

Uriel-238 (profile) says:

Re: Now we get to see if it wrecks the economy.

My thought exactly, Australia has decided to be the test case for crypto mandates.

I’m curious what happens when a company such as Apple makes a system that is difficult to break (takes decades) and then is mandated to help law enforcement break it.

At any rate, it’s good cause for such corporations to move all assets out of Australia.

Ninja (profile) says:

Re: Re: Now we get to see if it wrecks the economy.

“At any rate, it’s good cause for such corporations to move all assets out of Australia.”

Yeah, this should be another aspect to watch. If it costs them financially it’ll be another incentive not to apply it to other countries.

And also which companies have the spine to simply move out instead of capitulating to the insanity.

ShadowNinja (profile) says:

Re: Re: Now we get to see if it wrecks the economy.

Honestly, it wouldn’t surprise me if some big tech companies would just say “screw it, we aren’t putting our users & employees at risk” and just voluntarily pulled out of Australia.

Australia’s economy is simply not that big, and not that many people live there. They don’t have the clout or money that the entire EU had to effectively enforce GDPR on the planet.

Anonymous Coward says:

Re: Re:

So any security conscious person has to avoid Australia and its products like the plague and cyber criminals know where to make easy money now.

If you haven’t already removed any and all TLS certs issued by Australian CAs from all trust stores* under your control you’re at risk.

Further, if any security agency / CA doesn’t pull out completely from Australia and refuse to abide by any of their requests or send their people there, distrust them as well*.

Also start keeping tabs on Microsoft, Apple, Google, Mozilla, Samsung, any device manufacturer, OS distro developer, etc. If any one of them starts issuing "updates" that contain pre-compromised code, distrust them*, disable automatic updates (you’ve done that already, right? And uninstalled Windows 8 & 10?), and make their treachery known far and wide. Shout it from the rooftops if you have to, because preventing this disease from spreading requires a populace to disobey the assholes implementing it. Civil disobedience is the word, and if it’s a fight these assholes want, they’ve found one.

*: Assuming you’re able to with things like Secure Boot and its ilk around. God, that’s painful to say. We’re going to need exploits just to get rid of the Australians’, and soon to come others’, exploits.

Anonymous Coward says:

Re: Re: Re:

Who said anything about ending encryption?

The tech companies can not compete against government.

What the tech companies could do is provide information on who does provide encryption without running afoul of the law.

For example.
XYZ sells you a phone.
XYZ then suggests that you would be better served by downloading, for free, encryption from QRS, WER, ERT, etc., who are members of the ENC Encryption network.
Also, XYZ makes donations and provides technical expertise to the ENC Encryption network.

XYZ’s problem is solved. They provided an open phone. The user downloaded and installed encryption after they purchased the phone. If there is some problem with this it is between the purchaser and the government, not the manufacturer and the government.

Anonymous Coward says:

Re: Re: Re: Re:

Did you miss the bit where the government can demand that the manufacturer update the device? The government says to the manufacturer: provide us with the decrypted data from the device using our key by uploading a suitable program to the phone, and it does not matter what encryption is being used.

One possible effect of this law is the government insisting that device manufacturers provide an update channel that the user cannot see or turn off.

Bergman (profile) says:

Re: Re: Re:2 Re:

Yeah, but how would the manufacturer of the device decrypt the data when they don’t have a key to it, never had a key to it and never will have a key to it?

At worst the manufacturer might be able to give the government the encrypted files, but they’d already have that from seizing the device itself.

Anonymous Coward says:

Re: Re: Re:3 Re:

If they can force code onto your machine they have access to the decoded data, and can also capture keys when entered etc. Also, they can bypass any encryption that you have installed. The more locked down the operating system, the easier it is for them to take over your machine and control what it does, and what it sends to whom.

That is to say encryption becomes an illusion if somebody else can control your machines.

For text only email an offline encryption decryption system based on the likes of Arduino would be very hard to compromise, as you control all the code from reading the SD card upwards, and changes in program size when you compile, on an offline Raspberry pi would also be visible.

Uriel-238 (profile) says:

Re: Re: Re:4 Re:

If they can force code onto your machine they have access to the decoded data…

This assumes the government knows what encryption the end user has installed, which is true if it’s default.

If it’s not default then they’re likely to get garbage, or worse, brick the phone.

While this may catch some people off guard, any business operating in Australia larger than a mom-and-pop store is going to need to replace the default data encryption software with something else from outside Australia, or install a different operating system on the phone.

Either that or risk being susceptible to attacks from rival companies, let alone Australian law enforcement.

Anonymous Coward says:

Ok, you go first

So, I have said this before: why don’t we start with the dear members of parliament that have voted for this nonsense.

Force them to use backdoored versions of e-mail programs, web browsers, instant messaging, photo sharing, etc.
All the things they use for private communications.

And, if there are no problems, complaints, leaks or stolen identities, the general population will follow in a couple of months…

John85851 (profile) says:

Just wait until it happens to them

The only way this law will get clawed back is if something bad happens to them.
Let’s say Google actually installs a government-mandated back door in the Android operating system. How long will it be until “bad guys” (meaning anyone against this dumb law) take advantage of the back door and hack into every government phone?

And like you said, bad laws spread. How long will it be until China, Iran, or even England says US companies have to install back doors for use in their countries as well?

Anonymous Coward says:

Re: Re: Just wait until it happens to them

how would they exclude govt stuff? are they going to require google write a separate version of android without the vulnerability they required google to build into android, or do these tech-illiterate bureaucrats plan on sitting down and writing their own operating system to be used on all government electronics?

Dan Under says:

Re: Re: Re:2 Just wait until it happens to them

The Australian Government isn’t going to write their own operating system because, as with every other technology they seem to use, they just buy it in from elsewhere, usually from the USA.

Those drongos haven’t coughed up the brass razoos to support anything home-grown like that in the past and they won’t do it now.

Now if they could only install backdoors in bushfires, floods, cyclones, coal seam gas-caused water poisoning, and dust storms, they’d be on a winner.

TruthHurts (profile) says:

Re: Re:

I work for a large global corporation that employs thousands of Australians.

They are already looking at what it will take to exit Australia entirely because following Australia’s “phakencryption” law will make us liable to global lawsuits and security audit findings that could cost us billions in fines.

ie – Most countries outside of Australia require “real” encryption that cannot be broken by outside entities.

Australia has just made itself the bane of global corporations.

Uriel-238 (profile) says:

Re: The "Bad Guys"

The actual bad guys might, but if Australian law enforcement is like US law enforcement they don’t really want to catch them. Rather they’re going for the low-hanging fruit of people who post their ill-gotten gains on Facebook.

Actual terrorists with real encryption, real guns and real agendas? Better to just let that fire burn.

Uriel-238 (profile) says:

Re: Forcing open source

Considering the rules requiring that the companies must give law enforcement access to the code and standards, this will encourage the companies who do comply to make their standards resistant to exploitation.

Given enough eyes, all bugs are shallow. But when some eyes are known to be adversarial, we might be even more driven to find and fix exploits.

TruthHurts (profile) says:

Re: Re: Forcing open source

backdoor = exploitable, period, end of discussion.

There aren’t enough eyes, hell, there haven’t been enough eyes on the combined numbers of humans ever alive to make “backdoored” encryption safe.

It’s statistically impossible to do with software (which includes software tokens, and hardware tokens are just customized hardware running software token code).

At some point in the distant future, when they’ve stabilized n-factor qubits, they may be able to send physical encryption/decryption keys, one with vendor, one with device/software, one for NSA, one for KGB, one for 5-eyes, etc, drek-cetra, one thousand for hackers round the world for a pittance of the proceeds.

Uriel-238 (profile) says:

Re: Re: Re: Backdoor = exploitable

Sure, for the backdoored layer of encryption.

But we already have public-access unbreakable encryption, and a number of open source implementations.

So any business that wants to stay in business in Australia will either replace default backdoored crypto with available secure crypto, or will layer the secure crypto underneath it.

When the postern only gets you into the gatehouse, it makes the sabotage mission really short.

Scary Devil Monastery (profile) says:

Re: Re:

"The "companies" affected by this will do whatever it takes to maintain the highest possible profit margins, that is their mandate to the shareholders, that is how it works."

Yup.

And in this case that’ll mean pulling out of Australia if any part of what they do involves IT. Because if a multinational corporation has a branch in Australia this new law now demands the entire corporation works without IT security.

Anonymous Coward says:

Re: Re: Response to: Anonymous Coward on Dec 10th, 2018 @ 11:52am

Actually due to meiosis, Reproductive cells only have half the chromosomes of a normal cell.

So it’s more like .5+.5=1

Twins and any higher counts of fetuses in the womb won’t help that map match your numbers.

for three babies, it would be .5+.5+.5+.5+.5+.5 = 3
Or 3(.5+.5) = 3

Anonymous Coward says:

Re: Re: Re: Response to: Anonymous Coward on Dec 10th, 2018 @ 11:52a

Considering it was an “ICE Enforcer” that posted the comment you responded to, you’re allowing yourself to be pre-occupied by refuting their attempt at distorting reality to uphold their own bullshit.

Please stop that. Much like them the only thing productive you’re doing is creating hot air.

TruthHurts (profile) says:

Re: Re:

Hmmm – perhaps they were thinking string, then string to binary conversion?

“1” + “1” = 11 (binary) – convert to “3” (decimal)??

That seems to be the level of unthinking that the Australian government is shooting for.

Maybe they’ll call that OzBinDecMath? I’d think it would better to call it “MethMath” as only someone on drugs would think that was right.

Has anyone checked the Australian government peeps homes for meth labs in their basements?

ECA (profile) says:

REALLY??

“Scott Morrison, Australia’s prime minister, told local radio on Thursday that encryption laws were necessary to target Islamist terrorism, paedophile networks and organised crime. “These laws are used to catch the scum that try to bring our country down and we can’t give them a leave pass,” he said.”

1. Do you think your Gov. reps will adhere to this, or walk around the checkpoint??
2. If I don’t want you to scan my phone, I won’t take it.. I have this little compartment in my shoe, want a smell?? How many micro SD cards do you think I can stuff in there..forget that, 1-256gig will do.
3. Pedophilia?? I’m more worried about your sheep..(old joke)
4. Pedo..Generally it’s a family thing, unless you are rich and can afford slavery..A good lawyer, and your OWN PLANE.. and Bangkok is right over there..

This is just Justification, created by the Music/movie boards.. Anything to give the right/ability to Charge you with other crimes to circumvent the true USE/MEANING, that they will ADD to the end of this law.

Australia is an international port..They are in the middle of ALL OF IT.. From Bollywood to Hollywood.. and the RIAA has created some interesting Agencies in other countries, JUST to get control of ALL the music created around the world..
Which is strange, because FEW nations acknowledged OTHER countries COPYRIGHTS..

That One Guy (profile) says:

'Can't let those amateurs show us up after all.'

Scott Morrison, Australia’s prime minister, told local radio on Thursday that encryption laws were necessary to target Islamist terrorism, paedophile networks and organised crime. “These laws are used to catch the scum that try to bring our country down and we can’t give them a leave pass,” he said.

Great, so when can the australian public expect you to be arrested and fined extensively if not thrown into jail?

… oh, you meant scum attempting to bring the country down other than yourself. I see.

Anonymous Coward says:

Re: For eff's sake, we just HAD the state election...

This legislation had bipartisan support. So which of the party animals would you now trust. In the last few years, all the stupid draconian legislation had bipartisan support.

Few, if any, of these politicians have any actual concern for the citizens of Australia.

I have privately proposed that the way any legislation be passed is that it is mandatory for each member of parliament take each piece of legislation back to his or her electorate and get a response back from the electorate. An actual count of the Yes/No/No Response. From this, he or she will present this to parliament and a national count take place. Legislation only passes if the number of Yes votes exceeds the number of No votes and no Responses.

One additional thing is that all legislation be fitted with a mandatory 3 year expiration clause that requires it to actually come before Parliament for renewal for another 3 years. again via the process of taking it to the electorate.

Somehow, I think much legislation would never get passed and would simply disappear from the books. It would certainly make the pollies work for their quid pro quo.

TruthHurts (profile) says:

Say goodbye to technology companies Australia

Technology companies, insurance companies, accounting companies, any company that relies on encryption (including encryption at rest / encryption for backups / encryption for databases) will be saying goodbye to Australia.

Global fortune 100s, 250s, 500s, will all be shuttering operations in Australia because they will not be able to use “real” encryption. They’d only be allowed to use “phakencryption” which would violate all kinds of global laws that require real encryption to protect personal information like financial transactions, health information, identification information, etc.

I can’t wait for all their government secrets to be exposed because they switched to “phakencryption” for all of their services to use.

That One Guy (profile) says:

Re: Say goodbye to technology companies Australia

No worries, I’m sure a mass-exodus of companies from the country will in no way cause a massive hit to the economy, or have any other significant impact at all. And really, if they’re so determined to ‘try to bring [the] country down’ as to be that dedicated to working encryption then Australia will surely be better off without them anyway.

idiots says:

the idiots we had to have

sco mo is doing badly at the polls and are going to be wiped out. this is the last ditch stand that they thought could give them traction at the next election. unfortunately for them labor also supported this bad legislation. they are doomed at the next election and now dont have an ace up their sleeve like they thought they would have. this is why the world is not safe.

Anonymous Coward says:

I find it highly amusing that anyone would still think that making any sort of encryption workaround or side access won’t come back to bite them.

People, groups, and nation states are CONSTANTLY attempting to break into things… as of right now, all the time… affecting devices that are considered secure… and many times succeeding. Once it is known that exploits or external/”public” keys exist the bad people attempting to break in to anything/everything will see an exponential growth in success.

Regardless of who controls or maintains the code/keys/software/etc. someone will eventually figure it out and exploit it. Look how long it normally takes for new DRM to be cracked and circumvented, or how ridiculously quick the Pwn2Own tournaments produce root level access to devices. And the Aussie government wants to make it even easier??

Smartassicus the Roman says:

Justa Thought

mSsBXb3CgQc7h50qb6pq
vEkc9JOGVkdvGEhIsJyF
6R1oxQyNRAHNcTS9h1nI
qUcXeedsID2N8c8eGNBY
JzWQo0gkRfmxLhNMfGl1
KMLbIIzdUvfuj5Sqakba
izCLPZIMbo4zGEumDS7j
uzDNtjjptlbZC2B6org4
f4a1iAlh3Wx54ahqNFN5
zjDt8IbHRm9jjcwRYnCW
AT6oBtSNoWzLC4Wi3zkG
0scQyNzt9yWusn0FB6RO
gNmIotRFvFVJB4gUpaps
lQMIsgjtfNTAcYMlU2m1
mhMd8nhOvr8TCS44kNOk
UGk6LKxvCUA3tBdk8SVh
8pkuYxaUOW57lucivpzC
o8jpLgSk3Rzmng1cuV1x
yi3pYBmIlivp4GV2pHfb
BH4sGD9QnqTDgGFqJwkk

The Central Scrutinizer (profile) says:

Prime Minister Scott Morrison, un-elected king of the muppets.
A bunch of technologically illiterate morons sound the klaxon call of the four horsemen of the apocalypse; pedophiles, terrorists, drug dealers and criminals (I would have thought they all fall under the heading of criminals, but no matter).

Then the legislation needs to be passed “to keep us all safe over Christmas/New Year”. What a steaming pile of merde. No one is going to actively back door their hardware or software in the next 2 weeks. Ain’t gonna happen.

Do I really need to go on?

It’ll break the Internet, maybe not tomorrow or next week, but it will.

Also, hang your head in shame, Bill Shorten.

T March-Hare ("I'm Late!") says:

Always amusing to see unrealistic views!

1) No large corporation is going to pull out of Australia for this or any other gov’t law.

2) Corporations do not share your weenie concerns, are totally amoral. Only motive is profit. If reduced, that’ll annoy, but it’ll be short term at most.

3) Technically, won’t require much beyond a master decryption key. Do-able, even easy. Refer to 2 above for the zero that corporations care about your privacy.

4) You don’t know that corporations haven’t prepared for / are doing this already, direct cahoots with gov’t. You just assume not.

5) You should by now know that most "smartphones" can be gotten into by new gadgets, within hours. It’s practically moot, anyway.

Examples prove my view: Apple and Google, two of the largest corporations in world, which preen themselves on purity of liberal / libertarian / free speech / democracy and whatever else their PR departments put out, are TIGHTLY connected to Communist China, the most brutal and repressive gov’t on earth. Apple for hardware built in factories that require suicide nets, and Google customizing the "Dragonfly" engine specifically to report dissidents.

Scary Devil Monastery says:

Re: Always amusing to see unrealistic views!

1) Yes they will. See, any company operating in Australia must now operate without IT security – worldwide. Australia has now become a potential disaster without mitigation.

2) Correct. Corporations are completely amoral. Hence why a law which mandates that NO corporate secret, price list, cost pricing, GM calculation and internal revenue sheet can be kept confidential will FORCE every company out of australia.

3) You, sir, are an idiot. A master key means the second it leaks or is hacked for, EVERY encryption in australia is wide open to whoever holds a copy. Banks, Army, Government citizen indexes, etc.
And that master key will be hot goods. Enough to be worth a billion USD in up front cash. It WILL leak.

4) On the contrary, corporations will NOT operate with government on this. They can’t. And by that I mean they literally can’t. See above. Any company operating under this needs to accept having no secrets. At all. For any reason. Worldwide, if they have so much as a branch in Australia.

5) Not really true. A smartphone is one thing because most people just won’t secure it with more than a 4-digit pin or an easily subverted fingerprint reader. But smartphones aren’t the issue here.

"Apple and Google, two of the largest corporations in world, which preen themselves on purity of liberal / libertarian / free speech / democracy and whatever else their PR departments put out, are TIGHTLY connected to Communist China…"

Not really true. Google and Apple are able to operate in China because they have agreed to screw their customers over with product limitations.
If they had to issue a master key to their actual encryption then they’d have to leave. China knows this which is why no such master key has been requested. China, being paranoid, also does not want insecure encryption.

Now go back and take a look at what lunacy Australia has demanded. That’s right – a ubiquitous encryption backdoor which NOT EVEN CHINA was insane enough to ask for.
