The increasing reliance by consumers worldwide on encrypted messaging platforms, Virtual Private Networks (VPNs), and data protection algorithms at personal and business levels has prompted a backlash from several governments, in the form of draft legislation and some currently active sets of anti-encryption laws.
It’s claimed that these statutes are being proposed in the public interest, as the same sets of encryption tools proving so popular with the masses are also available to criminals, cyber-criminal networks, and terrorists. The use of encryption technology by perpetrators like these has been frustrating the efforts of law enforcement and government agencies to do their jobs and keep an eye on what suspects are communicating.
But while empowering agencies to break the cone of secrecy being exploited by human trafficking rings, terrorist cells, and other wrongdoers sounds great in principle, the practical methods being proposed have met with deep concern over how these anti-encryption laws may be structured, and what impact they’ll have on honest citizens.
Anti-Encryption Precedents in Russia
We only need to look back a couple of years to find a precedent for the state imposition of anti-encryption laws. An “anti-terrorism” bill passed by the Russian Duma in 2016 was allegedly drafted as a means of curbing the activities of the terrorist network ISIS, and its use of a secure messaging app to aid communication between its members and supporters.
The law required software companies operating in Russia to build “workarounds” for encryption (some would say “back doors”) that would allow the Russian state security apparatus FSB (formerly the KGB) to view the plain text version of any message sent via the app. Fines for non-compliance of up to $15,000 could be imposed.
Besides forcing the inclusion of “backdoor” mechanisms that may ultimately weaken encrypted messaging software, the Russian legislation also has the potential knock-on effect of exposing the communications of political activists, journalists, and regular citizens – not only to government surveillance but to the work of hackers and cyber-criminals, as well.
The Crisis in Australia
Despite objections like these, efforts at curbing the use of strong encryption in business and consumer-level software and platforms have continued in other places. Moves in this direction by the government of Australia have been creating quite a furor in recent days.
As long ago as July 2017, the Australian government stated an intention to introduce new legislation which could force companies to decrypt secure messages. With telecom companies in the nation already offering a degree of assistance to law enforcement, the proposed anti-encryption laws – whose details have only been coming to light this year – will also target large tech firms like Apple, Google, and Facebook, and their related encrypted messaging services.
The proposed Australian bill will request a degree of cooperation from any tech company that operates within Australia, or whose services are made available in the country, in accessing devices or messages run on their platform. And a released draft of the Assistance and Access Bill 2018 offers close to 200 pages of amendments to legislation regarding cyber-security and law enforcement.
Of particular relevance is Part 15 of the Telecommunications Act (titled “Industry Assistance”), which will empower certain high-ranking security officials to formally request access to encrypted communications from the providers of those services. These calls may come in the form of compulsory notices to give technical assistance, or as “voluntary requests”, defined as follows:
- Technical Assistance Notices: Compulsory notices for a communication provider to use an interception capability they already have.
- Technical Capability Notices: Compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices.
- Technical Assistance Requests: These attract no criminal or civil penalty for non-compliance, but contain very few limits as to what kind of assistance can be requested.
Although it’s intended to create a framework for providing access to endpoint devices, the Australian government insists that the new legislation won’t create backdoors for encryption.
Critics like University of Melbourne School of Computing and Information Systems lecturer Dr. Chris Culnane argue that any of the alternative entry points into target systems or encryption protocols that the law prescribes qualify as back doors of some kind. And the lack of oversight attached to the government’s so-called voluntary requests is troubling.
Anti-Encryption Laws Elsewhere
The moves by Australia to enshrine a formalized policy on data interception and deciphering are part of a larger and collective movement towards anti-encryption laws.
A meeting on Australia’s Gold Coast late in August 2018 of government delegates from the United States, the United Kingdom, Canada, Australia, and New Zealand (the so-called “Anglosphere” nations) also emphasized the “mutual responsibility” that IT and telecommunications vendors and service providers have to offer “further assistance” to law enforcement agencies, in cases where encryption makes access to relevant information difficult to achieve.
The Five Country Ministerial (FCM) meeting of homeland security, public safety, and immigration ministers from the five Anglosphere nations put this view forward in their Statement of Principles on Access to Evidence and Encryption. The document promises “freedom of choice” in how service providers who “voluntarily establish lawful access solutions” may proceed in giving access to encrypted data that crosses their platforms. But it ends with a warning that “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative, or other measures to achieve lawful access solutions.”
This development comes in the wake of revelations in May 2018 by The Washington Post that the FBI had lied to the US Congress about the number of encrypted devices that the agency was unable to unlock during the course of its criminal investigations. Presenting evidence to the legislators to advance its war on encrypted devices, the FBI (according to The Washington Post report) “grossly inflated statistics to Congress and the public about the extent of problems posed by encrypted cell phones, claiming investigators were locked out of nearly 7,800 devices connected to crimes last year when the correct number was much smaller, probably between 1,000 and 2,000.”
Anti-Encryption Laws – From the User’s Perspective…
Reactions from the press and digital rights advocacy groups like the Electronic Frontier Foundation (EFF) have largely come down on the side of privacy rights and civil liberties.
Regarding the Australian legislation, leading security experts have voiced concerns over the undermining of security for end-to-end encryption if “workarounds” become standard practice for the industry, with one going so far as to say that “it has such little regard for people’s basic right to privacy that it’s becoming increasingly difficult to distinguish from fiction.”
Brad Poole, Consumer Security Expert at HideMyAss! goes further, saying that “Wiping out terrorism, organized crime and pedophilia should always be prioritized, but it shouldn’t take legislation that snoops on everyone and everything to achieve it.”
For their part, users the world over are continuing to turn to encrypted communication apps and VPN services to preserve and protect their online privacy, irrespective of the legal wrangling.
And some of the lawmakers are taking a more cautious and user-centric approach. For example, even though legislators in Europe are producing bills that will fine Facebook, Google, Twitter, and other tech companies if they don’t remove illegal content from their services within a specified time-frame, they have been careful not to push the issue of backdoor creation and anti-encryption laws.