australia declares war on digital security, demands encryption backdoor

Australian lawmakers stunned the country’s techies by passing a law requiring them to help law enforcement snoop on encrypted data on request, and putting e-commerce and basic digital security at risk.

hacker with smartphone

Australia is one of the internet’s favorite places to joke about thanks to both its long geographic isolation which led to the evolution of unique, and usually venomous or poisonous critters, and its history as a penal colony of the British Empire. But now, there may just be a new topic of recurring memes and gallows humor as the continent nation seems hellbent on sabotaging the integrity of the digital infrastructure we use for the modern world under the guise of fighting the evils of terrorism in its capacity as a member of the Five Eyes intelligence network. This is not an exaggeration. Everything from the privacy of your direct messages to the security of your Amazon account may be at risk if the tech world fails to mount a proper defense.

You see, as last year was coming to a close, Australian lawmakers decided to pass a law which requires tech companies to undermine or bypass encryption used to protect their users despite consultations with a number of computer science experts who painstakingly explained just how bad of an idea that was. Obviously, the Australian tech community is still in shock, and if the government insists on forcing tech companies to sabotage their own products in real cases, with real court orders, refusing to take no for an answer, it may hobble the country’s germinating tech hubs. Why? Because not only will Australia be asking for the impossible, they’ll be punishing comp sci pros for their inability to do said impossible tasks.

why we can’t have encryption backdoors

Encryption is an all or nothing affair because that’s just how math works. Any weakness in the encryption process or algorithm will be available to anyone and can easily be cracked, as was shown by the NSA’s Clipper chip experiment. Meant as a way to allow law enforcement snoop on encrypted communications, it suffered from design flaws that enabled hackers to tamper with said snooping functionality or pose as law enforcement agents and read data which should’ve been safe from criminal eyes. Any encryption backdoor would have to work in much the same way because, again, math says it has to, and be subject to the same weaknesses and ripe for the same kind of abuse.

Even more importantly, programmers generally use the same set of algorithms to encrypt data in their software and creating their own is considered a cardinal sin in computer science. You don’t experiment and risk users’ security and privacy. You use algorithms developed by PhDs in mathematics and thoroughly tested in the wild over the course of many years, updated on a regular basis to keep up with technological advances. Since the same approach protects both your texts and your credit card purchases, if the Australian law is ever expanded to the other Five Eyes member states, it would endanger the nearly $3 trillion global e-commerce market, a market with a greater value than the GDPs of all but four nations.

experts were consulted, then completely ignored

But perhaps the most disturbing thing about this law is that Australia is not the only country demanding the ability to undermine encryption, and after years of consulting with experts, its lawmakers decided that they don’t really care what the experts had to say, they’re going to demand a backdoor anyway, even if it can’t be done. One wonders whether this is a stunt to win cheap and easy points with the technically illiterate segments of the electorate who don’t know and don’t care about their own security, much less that of others, or it’s yet another example of politicians who refuse to understand science and technology, and refuse to believe that what they’re demanding might be impossible or downright harmful.

It’s absolutely understandable that governments want to keep tabs on crimes committed under the cover of encryption, like child porn on WhatsApp and terrorist acts planned on Telegram. At the same time, they don’t want to crater the multi-trillion dollar tech industry which provides tens of millions of jobs and enables other multi-trillion dollar markets to function, and understand that sabotaging it would have dire financial and political consequences. Yet, woefully and willfully ignorant of the challenges, politicians keep banging the table with a list of impossible demands and trying to twist techies’ arms to force the “computer nerds” to fulfill them, playing chicken with experts trying to warm them about the follies of their methods.

is there a way out of this?

There still may be a path to minimizing damage from this law because it specifies a backdoor when “reasonable and proportionate” according to the agency issuing the request. Even though it’s the agency that determines reasonableness, they’ll be in for a shock when tech companies come back with massive reports about the inner workings of encryption algorithms and detailed explanations about why they can’t just hack themselves. Same applies to the proportionate part. Is it worth creating a way for hackers to spy on people across the world to get evidence in a high profile case? Is that truly a proportionate effort? Or can it be accomplished with more police work and talking to confidential informants?

Of course, there’s still the danger that law enforcement agencies will simply refuse to back down and trigger a crisis that will require tech companies to go on a massive PR offensive against the governments demanding they perform a genuine feat of magic and create a security backdoor that would only work for those pure at heart, like in a fairy tale. But that may prove inevitable at the rate we’re currently going, and pivotal to the efforts to keep the internet and our money, 92% of which is now digital, safe from the prying eyes and clutches of criminals whose efforts far too many politicians are unwittingly but obstinately insistent on helping.

# tech // cybersecurity / encryption / government / law

  Show Comments