Australia’s Embarrassing Crackdown on Its Own Information Security

Alan McQuinn December 19, 2018

(Ed. Note: The “Innovation Fact of the Week” appears as a regular feature in each edition of ITIF’s weekly email newsletter.)

The last few decades have seen a steady stream of technological advancements that have improved the information security of businesses and consumers, especially through encryption.

But now, one country stands athwart progress.

The Australian parliament recently passed a new law that requires companies to provide law enforcement and intelligence agencies with access to encrypted data. In effect, Australian authorities will be able to compel tech companies, such as Apple and Google, to put backdoors into their phones and secure messaging applications. Companies that refuse to comply face fines of up to A$10 million. This law, if enacted without changes, will have dramatic negative consequences for Australia, damaging its competitiveness and leaving Australians vulnerable.

Putting aside the privacy and government overreach issues that arise from this new vehicle for government demands for data, there are two major consequences of this law. First, limiting encryption exposes law-abiding citizens and organizations to more attacks on their data. While law enforcement may wish there were an alternative solution in which only law enforcement gets extraordinary access to data, no such technological solution exists. Any feature that gives data to a third party, like law enforcement, can and will be abused by malicious actors. For example, over 100 senior members of the Greek government had their electronic communications intercepted by still-unknown parties for 10 months during 2004 and 2005 through a vulnerability created by government-weakened encryption.

Second, in a market where security is king, Australian products and services will be less competitive. Will global customers want to buy products from Australian companies, knowing that they have been designed from the ground up to provide the Australian government access to customer data? Indeed, Australia only needs to look to itself to see the potential impact—this year, Australia banned ZTE and Huawei from providing 5G equipment to the country because of a Chinese law requiring government access to customer data. Because of this law, some companies will likely pull out of the Australian market entirely or start creating Australian-specific versions of their products with fewer features and weaker security.

This law is also confusingly vague. For example, the law is unclear about when and how investigators can make data requests. In addition, the only exception to the law’s requirements is itself confusing. The statute says that companies cannot be compelled to introduce a “systemic weakness or vulnerability” into their software or hardware as part of these orders. However, the law does not adequately define these key terms, which creates considerable uncertainty for users and businesses. Moreover, the very act of creating back doors introduces such vulnerabilities.

Further, the government requests created by this law lack transparency. Orders issued by Australian authorities are secret by default, so companies cannot tell the public when they have received one. The law also enables law enforcement officials to directly approach key individuals—such as software engineers or system administrators—to order them to covertly program surveillance features directly into a product or service’s code, without the knowledge of senior executives in the company itself. In practice, this means that a company’s head of security may not even know whether a routine update of a product will undermine its security. And individuals who refuse to comply with these orders face criminal charges.

If Australian authorities use this law to compel employees to introduce vulnerabilities through automatic software updates, it could generate distrust among consumers and discourage them from installing software updates. This would lead to a race to the bottom as users fail to patch known security vulnerabilities on their devices, making them even less secure.

It’s understandable that Australian law enforcement and intelligence agencies, used to a world where they can monitor phone calls and emails easily, are nervous about strong encryption. However, these agencies must accept the premise that some communication networks, especially those used by the most elite criminals and terrorists, will inevitably be inaccessible. If the Australian government insists on backdoors in domestic products, criminals and terrorists intent on avoiding surveillance will simply use devices made in countries that allow strong encryption or make the encrypted software themselves. So rather than fight progress in security, Australian law enforcement should work to find viable alternatives, such as by investing in cyber forensics and establishing clear rules for government hacking.

Australia still has time to change this badly written law. The law will take effect after it is approved by Australia’s governor-general, and many observers expect that lawmakers will introduce amendments to it in the next parliamentary session in February 2019.

Unfortunately, the Australian parliament does not seem to have taken any lessons away from when the United States tried to pass similar limits on encryption in the 1990s. The United States and like-minded countries should not repeat Australia’s mistakes and should instead embrace strong encryption—not try to cripple it.