A state’s capacity to spy on its citizens has grown exponentially in recent years as new technology has meant more aspects of our lives can be observed, recorded and analyzed than ever before. At the same time, much to the frustration of intelligence agencies around the world so has the ability to keep digital information secret, thanks to encryption.
That’s why the main intelligence agencies of the Anglophone world are now hoping that Australia will lead the charge in developing ways to get decrypt information at will and to tap into data that was previously kept secret. A proposed law, the draft of which was released last month by the cybersecurity minister, is an aggressive step in that direction.
We should all be worried because it’s not just criminals or terrorists who use encryption, but every one of us. We use encryption to buy things online, manage our finances, and communicate personally and professionally. Hospitals, transportation systems, and government agencies use encrypted data.
Creating tools to weaken encrypted systems for one purpose weakens it for all purposes. If Australia succeeds in doing so, it could be your bank account or your medical records that are compromised in the end. This particular bill has been more than a year in the making. At the June 2017 meeting in Ottawa of the Five Eyes — the intelligence alliance made up of the United States, Britain, Australia, Canada, and New Zealand — Australia made a point of the need for states to find ways to overcome encryption. A joint communiqué that came out of the meeting noted that encryption can “severely undermine public safety efforts” and committed Five Eyes members to work with technology companies to “explore shared solutions.” The Australian government set about translating this objective into law.
The release of the bill, which came just before the latest meeting of the Five Eyes in Australia last month, which confirmed the strategy. No doubt Australia’s intelligence and law enforcement establishment were thrilled with this proposal. Australia, which has no bill of rights, is a logical place to test new strategies for collecting intelligence that can later be adopted elsewhere. Among other things, the proposed law would create a process for “designated communications providers” — defined so expansively that it covers any business hosting a website — to assist intelligence and law enforcement agencies to do almost anything to give them access to encrypted communications. For example, providers may have to build tools, install software or keep agencies up-to-date with developments.
In essence, state agencies will be able to circumvent encryption, either with the cooperation of tech companies or by compulsion. The government has been quick to claim that this is not a back door, and the bill prohibits requests to companies to create “systemic” weaknesses. But this prohibition is ambiguous, and the reporting and accountability safeguards are minimal. The truth is that there is simply no way to create tools to undermine encryption without jeopardizing digital security and eroding individual rights and freedoms. Hackers with bad intentions will do their utmost to take advantage of any such tools that companies are forced to provide the government.
There are good reasons to be deeply wary of granting powers to state agencies to build and hoard tools that weaken technological infrastructure. Last year, the WannaCry ransomware threw Britain’s National Health Service into chaos. The attack exploited a vulnerability in Microsoft software. According to Microsoft, the United States National Security Agency had discovered the vulnerability well before the ransomware was released, but decided against disclosing it to Microsoft to fix, and thereby protect the information systems used by the health service.
Industry figures and experts argue that the N.S.A. was seeking to accumulate a kind of digital arsenal — it could use the vulnerability for its own intelligence purposes while it remained unpatched. The problem was that at some point, intelligence about the vulnerability was apparently stolen. Only then did the N.S.A. tell Microsoft about its existence. As Microsoft pointed out, this was the equivalent of a Tomahawk missile going missing. British patients paid the price. Seemingly in response to such criticisms, the bill in Australia prohibits the government from preventing a company from repairing such a vulnerability. But this is the cold comfort: The N.S.A. didn’t need to prevent Microsoft patching the problem because Microsoft didn’t even know it existed.
The WannaCry attack illustrates how intelligence agencies prioritize their own interests. If we give state agencies more power to build tools to circumvent encryption, not only do we expose ourselves to the risk that they can be stolen, we are forced to trust that these agencies will behave responsibly. The evidence to date suggests the opposite. Worse still, the Australian government hardly has the best reputation for keeping things safe.
In recent times, it has lost control of medical data; one of its military contractors was hacked and lost “large amounts” of data; a cabinet full of secret documents even turned up this year in a secondhand furniture store. Just think about how easily sophisticated criminals might be able to get their hands on any digital tools for getting access to encrypted communications.
When Edward Snowden revealed in 2013 that the American and British spy agencies had tried to weaken encryption so that they could tap digital communications, cryptography scholars voiced their shock that these agencies would act “against the interests of the public.” “By weakening all our security so that they can listen in to the communications of our enemies,” they wrote, “they also weaken our security against our potential enemies.”
The same is true today. The Australian government is testing the limits of our democracy by seeking to empower the surveillance state, and what it learns will have implications globally.We need to take a stand against this power grab by state agencies and reject the idea that encrypted communications undermine security. Quite the opposite: They are complementary.