Australian encryption backdoors

As we wrote recently, the Australian government has steadily been working towards forcing tech companies in Australia to open their encrypted communications. Ostensibly, the government wants this to improve public order and counter-terrorism capabilities, and that may be true – but the current global trend towards excessive, big-brother surveillance makes that claim hard to believe.

Another issue with this goal is that it is, in many cases, difficult or impossible to implement without creating glaring vulnerabilities that will severely endanger individuals and organizations that need privacy or security online.

Let’s take Telegram as an example. With the right settings, Telegram provides end-to-end encryption, meaning that even the company itself can’t read users’ messages. In order for Telegram to comply with the law being drafted by the Australian government (there’s no telling if they will), they’d have to open a backdoor into the encryption for any conversation involving any user in Australia.

Any backdoor given to the government can also be exploited by anyone else with the technical know-how to open that same door. What was once an extremely secure end-to-end guarantee of your security and privacy would become nothing but a sweet nut to crack for hackers, hostile governments, and anyone else interested in harvesting the Australian public’s data.

Tech companies respond

The protest letter, which was sent by a digital rights organization called Access Now, doesn’t mince words. The new law, it says, will have a “deleterious impact on internet security, including for government and business officials as well as journalists and human rights defenders. Impacts would also be felt across important sectors, […] with potential consequences seen in increases in online criminal activity and unauthorized access to personal and proprietary data.”

What’s strange is that while the government fights to make the Australian internet less secure, it’s also pushing to launch more and more government services online. The letter clarifies this critical point: “One of those threats would be the increased conscription of out-of-date products into botnets, which could be used for anything from denying user access to critical services (relevant as Australia seeks to provide more government services through the internet) to delivering additional malware to ever-increasing numbers of users or systems.”

To put that in clearer terms, the Australian government is pushing citizens to manage more of their sensitive personal information online while also potentially making it harder for citizens to protect that data.

What happens now?

The problem right now is that it’s hard to say whether or how the law will actually work – we haven’t seen any copies yet. All we know is that it’s being drafted and that its supporters have pledged to make encrypted information accessible to law enforcement. Companies without end-to-end encryption might be compelled to log and hand over user data, while end-to-end encryption companies would have to provide backdoor access.

Companies based outside of Australia would have a much easier time operating without complying with the new law. AmanVPN, for example, is based in Panama, where aren’t legally required to collect user logs. One of our core values is the belief that every user deserves privacy and security online and off. Our service does not log, much less provide, user data in any country it operates in, including China, Russia, and other states with poor online privacy records. We do not plan to ever change this practice.

If you want to do your part to stop the Australian government from drafting this misguided law, click here to sign Access Now’s online petition. In the mean time, you might want to protect yourself with the best VPN for Australia.

UPDATE: On November 22nd, it was reported that Australian Prime Minister Scott Morrisson is calling on lawmakers to rush the changes as quickly as possible, potentially even cancelling a review of the legislation. “Our police, our agencies need these powers now,” Morrison demanded. “I would insist on seeing them passed before the end of the next sitting fortnight.” The time to act is now – sign Access Now’s petition here and contact friends or lawmakers in Australia to get the word out.

UPDATE: On December 6th, the Australian Government has passed the new anti-encryption law with a three-tier approach that allows for “technical assistance requests,” “technical assistance notices,” and “technical capability notices.” The latter can be issued by the attorney general and will require tech companies to build “new capabilities” that will “remove electronic protection, such as encryption.” Failure to comply with these requests will result in fines.

Tech giants such as Apple, Google and Microsoft voiced their opposition and said that the new law “undermines the cybersecurity, human rights, or the right to privacy of our users.”

UPDATE: Privacy Australia have conducted an important survey gauging Australians’ opinions on key privacy aspects following the passage of this controversial law. Here are some of the key results:

67.7 percent of those surveyed reported that they were unsure of what Australia’s privacy and cybersecurity laws actually were;

57.9 percent of those surveyed had very little confidence that companies’ privacy policies would be capable of protecting their privacy;

only 29.2 percent of those surveyed were more concerned about their privacy then they were last year.

For more information about the survey results and methodology, check out their post here.