Aussie Surveillance Law Imperils Secure Comms

Australia has followed the UK in passing its own draconian surveillance laws which could force technology providers to engineer de facto backdoors into their end-to-end encryption products.

The opposition Labor Party stood aside at the eleventh hour to let the bill pass, on the understanding that its amendments would be passed in the new year, something the government now says it will only “consider.”

As is the norm, the government had argued that law enforcers and security services needed to be able to access specific communications to fight serious crime and protect national security.

“This ensures that our national security and law enforcement agencies have the modern tools they need, with appropriate authority and oversight, to access the encrypted conversations of those who seek to do us harm,” Attorney-General Christian Porter is reported to have said.

On the other side, experts warn that any attempt to introduce vulnerabilities into such systems would ultimately undermine security for the majority of law-abiding citizens, especially as it’s likely to be done in secret.

“This could have a devastating knock-on effect around the world. Creating a backdoor for law enforcement will never assure that no-one else will be able to access the database or files, and criminals will learn to exploit these vulnerabilities,” said ESET security expert Jake Moore.

“If you break the fundamental way that encryption works, you risk breaking the internet and eradicating any trust and security.”

According to the Electronic Frontier Foundation (EFF), the Australian Assistance and Access Act can be seen as an attempt to mimic the controversial UK Investigatory Powers Act (IPA).

“Both countries now claim the right to secretly compel tech companies and individual technologists, including network administrators, sysadmins, and open source developers, to re-engineer software and hardware under their control, so that it can be used to spy on their users,” explained EFF international director, Danny O’Brien.

“Engineers can be penalized for refusing to comply with fines and face prison; in Australia, even counseling a technologist to oppose these orders is a crime.”

The UK’s GCHQ is already looking to wield its powers to demand that messaging providers allow government snoopers to be secretly added to conversations so they can eavesdrop. It is described not as an encryption backdoor but as a “virtual crocodile clip” — although Edward Snowden called the plan “absolute madness” that would destroy trust in the privacy of online services.

Already, the UK government has warned parliament that GCHQ is evolving the way it snoops on targets under the IPA. Bulk “equipment interference” (EI) — also known as bulk hacking of devices — was originally intended to be limited to overseas “discovery” operations: the exception rather than the rule.

However, in a letter this week, security minister Ben Wallace admitted that GCHQ will need to “conduct a higher proportion of ongoing overseas focused operational activity using the bulk EI regime than was originally envisaged.”

The reason, it appears, is the growing use of end-to-end encrypted communications.

“The communications environment has continued to evolve, particularly in terms of the range of hardware devices and software applications which need to be targeted,” the letter noted.

“In addition, the deployment of less traditional devices, and usage of these technologies by individuals of interest has advanced significantly.”