After Pushback From Service Providers, Australian Regulators Strip Encryption Breaking Demands From Online Safety Bill
from the when-you-finally-realize-your-proposal-is-unworkable dept
Yet another attempt to mandate broken encryption has been disrupted. The Australian government has long held the belief that broken encryption would be a net win for citizens. Or, at the very least, it’s pretty sure it will be a huge win for law enforcement, which won’t have to deal with encrypted communications or devices.
But, despite declaring only criminals need encryption, proposals to expand the government’s power to include direct regulation of encryption have met with significant pushback. Its efforts began more than a half-decade ago but — after folding in horrible proposals by the UK government and the EU Commission — got a bit worse in recent years.
The new idea was called “client-side scanning.” The aim was to give the government access to illegal content passed around via encrypted services. Since the government wasn’t willing to simply declare encryption illegal, it passed the buck. New regulations would require service providers to undermine the encryption they offered their users, stripping one end of the end-to-end encryption so communications can be monitored.
Fortunately, like elsewhere in the world, unified opposition to encryption-breaking mandates has resulted in the Australian government rolling back that particular demand in the final (or so they say) version of its online safety standards.
In November, the eSafety commissioner announced draft standards that would require the operators of cloud and messaging services to detect and remove known child abuse and pro-terror material “where technically feasible”, as well as disrupt and deter new material of the same nature.
[…]
But in the finalised online safety standards lodged in parliament on Friday, the documents specifically state that companies will not be required to break encryption and will not be required to undertake measures not technically feasible or reasonably practical.
That includes instances where it would require the provider to “implement or build a systemic weakness or systemic vulnerability in to the service” and “in relation to an end-to-end encrypted service – implement or build a new decryption capability into the service, or render methods of encryption used in the service less effective”.
This is great news, as long as the “final” proposal remains “final.” It will, of course, be temporary. The calls for breaking encryption aren’t going away. They’re omnipresent but have yet to take a solid foothold because governments can’t actually explain how any proposal like this is possible, much less feasible. They also can’t logically declare that any security flaw introduced by legislation won’t be exploited by the very people it aims to stop: criminals.
Those advocating the hardest for broken encryption are the most disturbed by this rollback. Australia’s eSafety commissioner, Julia Inman Grant, was given space in The Australian to vent her feelings about the success of those pushing back against anti-encryption mandates:
Grant hit back at the criticism of the proposals, saying tech companies had claimed the standards “represented a step too far, potentially unleashing a dystopian future of widespread government surveillance”.
The real dystopian future, she said, would be one where “adults fail to protect children from vile forms of torture and sexual abuse, then allow their trauma to be freely shared with predators on a global scale”.
Right. That’s a pretty hot take on what’s actually happened here. Tech companies can’t undo the laws of mathematics. Governments can’t guarantee their security holes won’t be exploited by criminals. And most rational people recognize there’s a trade-off being made here — one that gives millions of non-criminals additional security and privacy while only inconveniencing the government in rare cases. If that’s the equation, the government has no business demanding companies deliberately undermine the security of all users just so it can go after a very small percentage of them.
Filed Under: australia, client side scanning, encryption, encryption backdoors, encryption bans, online safety, privacy, security


Comments on “After Pushback From Service Providers, Australian Regulators Strip Encryption Breaking Demands From Online Safety Bill”
so, when did the gov figure it out?
That Encryption works both ways.
Asking for it to be Tore down, means that the Encryption THEY use will be removed.
And if they Add a personal version, that they could be arrested for its use.
This is a different law from the one that potentially allows them to jail people for refusing to (secretly) backdoor software[0]? Sounds like they are really busy passing laws that let them demand whatever. If these are different laws, I would imagine their capitulation here has more to do with having other ways to skin the cat than giving up on being horrible.
[0] They can fine corporations, and possibly jail individuals: https://www.wired.com/story/australia-encryption-law-global-impact/
https://www.schneier.com/blog/archives/2024/06/new-blog-moderation-policy.html
Looks like Techdirt’s not the only one.
Extra! Extra! Read all about it!
Australian strippers remove cryptic demand for invasive probe. Blame math for failure to think of the children. Attempt to access illegal content thwarted. Police involvement confirmed.
Eventually the governments will be passing laws that say they can pass laws in total secrecy and have them enforced without anyone knowing. It’s national security. Our lawyers assure us this is totally constitutional, but no, you may not see the legal reasoning, nor may the courts. It’s secret because national security.
Re:
That already exists. They can/do/have write(n) laws that allow non-elected agencies to form rules and regulations that are either preemptively or retroactively given the right to enforce upon the rest of the country. How well that pans out is a mixed bag.
Re: Re:
Literally none of what you wrote relates to secret laws any more than it relates to non-secret laws.
Practice what you preach
The real dystopian future, she said, would be one where “adults fail to protect children from vile forms of torture and sexual abuse, then allow their trauma to be freely shared with predators on a global scale”.
Premise: There is a non-zero chance that the people torturing kids and sharing it with the world are employed by the government, up to and including politicians.
Premise: By their argument any attempt to prevent addressing this no matter the cost is an act in favor of those torturing and abusing kids.
Conclusion: Any and all government electronic devices and properties should be available for on-demand review by members of the public(given the conflict of interest for the government to handle it), with refusal to comply to be taken and publicly noted as support for those torturing and/or otherwise abusing kids.
Technical inaccuracies
Tim, please stop saying that client-side scanning breaks one end of E2E encryption. TechDirt is not some sleaze publication that twists words for dramatic impact.
All that E2E encryption means is that the data is encrypted by the sender, and that same encryption remains intact until the data is decrypted by the sender. Client-side scanning happens either before the sender encrypted the data or after the recipient decrypts it, i.e. outside of what E2E encryption can protect.
That doesn’t mean I’m defending client-side scanning. Criminals will find ways to evade or spoof the scans. The innocent can only hope that the scanning mechanisms don’t start reporting anything the government doesn’t like, such as criticism of its leader.
Re: Sophistry
Sophistry. In effect you do not have encryption.
Re:
That doesn’t mean I’m defending client-side scanning. Criminals will find ways to evade or spoof the scans. The innocent can only hope that the scanning mechanisms don’t start reporting anything the government doesn’t like, such as criticism of its leader.
While that’s certainly a potential concern for down the line if that sort of scanning becomes acceptable you don’t even need that for it to be problematic, as given what governments claim they want it for now and how no tech is perfect the possibility for false positives is very much in play, and while you’d hope that governmental agencies would double-check before busting down someone’s door for them tripping the system that would require restraint from the very groups that consider ‘scan everything, just in case’ to be perfectly fine, so…
Re:
Yes! Thank you! This bugs me in every article I’ve read about client-side scanning and encryption. Scanning is still a really bad idea, but it in no way actually breaks encryption! The message still leaves one device encrypted and arrives at the other, still encrypted and just as secure as it is today. Law enforcement, criminals, or anyone else intercepting such a message still cannot read it, because it’s still encrypted.
Client side scanning is “only” introducing a backdoor in your keyboard/camera/etc, and that’s way better… /s
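The two comments above (“Technical inaccuracies” and the “Yes! Thank you!” reply) make the same architectural point: client-side scanning runs on plaintext before the sender encrypts or after the recipient decrypts, and the ciphertext crossing the wire is untouched, while the scanner itself sees everything the user types. The following is an added example, written for this page and not code from the article, from any commenter, or from any real messaging product. It uses a deliberately simple stdlib-only toy cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) so that it runs offline; the key, the fixed nonce used for the comparison, and the “known content” hash list are all constructed placeholders.

```python
"""Toy E2E messaging pipeline with a client-side scan hook (added example).

Demonstrates the point made in the comments: the scan sees plaintext at the
endpoint, the encryption step is unchanged, and a relay without the key
learns nothing from the bytes on the wire. The cipher here is a teaching
toy (HMAC-SHA256 keystream + encrypt-then-MAC), not a production AEAD.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32

# Constructed stand-in for a "known content" hash list. The sample bytes are
# a placeholder string, not real data from any regulator or provider.
KNOWN_HASHES = {hashlib.sha256(b"constructed-sample-of-flagged-content").hexdigest()}


def _keystream(key, nonce, length):
    """Expand key+nonce into `length` bytes by iterating HMAC over a counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext, nonce=None):
    """Return nonce || ciphertext || tag. A fixed nonce is only for demos/tests."""
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    enc_key = hashlib.sha256(b"enc" + key).digest()   # domain-separated subkeys
    mac_key = hashlib.sha256(b"mac" + key).digest()
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first, then strip the keystream. Raises on tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def client_side_scan(plaintext):
    """Hash-list match. Note it needs the plaintext: it runs only at an endpoint."""
    return hashlib.sha256(plaintext).hexdigest() in KNOWN_HASHES


def send(key, plaintext, scan=None, nonce=None):
    """Sender endpoint: optional scan on plaintext, then encrypt. Returns (wire, flagged)."""
    flagged = bool(scan and scan(plaintext))
    return encrypt(key, plaintext, nonce), flagged


def receive(key, blob, scan=None):
    """Recipient endpoint: decrypt, then optional scan on the recovered plaintext."""
    plaintext = decrypt(key, blob)
    return plaintext, bool(scan and scan(plaintext))


def relay_can_see(blob, guess):
    """What a keyless relay can check: whether a guessed plaintext appears in the bytes."""
    return guess in blob


def tamper_rejected(key, blob):
    """Flip one ciphertext bit and confirm the recipient refuses it."""
    i = NONCE_LEN
    tampered = blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]
    try:
        decrypt(key, tampered)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = b"constructed-demo-key-32-bytes!!!"   # placeholder key
    nonce = bytes(NONCE_LEN)                     # fixed nonce only so the two sends compare
    msg = b"constructed-sample-of-flagged-content"
    wire_scanned, flag = send(key, msg, client_side_scan, nonce)
    wire_plain, _ = send(key, msg, None, nonce)
    print("scan flagged at sender:", flag)
    print("wire bytes identical with and without scan:", wire_scanned == wire_plain)
    print("relay sees plaintext:", relay_can_see(wire_scanned, msg))
    print("recipient recovers message:", receive(key, wire_scanned)[0] == msg)
```

The comparison with a fixed nonce is the crux: `send` with the scan hook and `send` without it produce byte-identical wire output, so nothing about the cryptography changed. What changed is the trust boundary: the scan function has the plaintext, and whatever it reports is decided by the client software, which is the concern the reply about a “backdoor in your keyboard” is pointing at.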
Re:
Oh, this reminds me of the one time the FBI convinced organized crime that buying a phone made by the FBI was the best way to evade the FBI…