New Encryption Laws May Have Unintended Consequences

With the government’s assault on privacy continuing as it tries to push through legislation that will give it powers to overcome strong encryption, it’s worth looking at how badly worded legislation can result in unintended consequences. And there is a precedent to consider.

Once of the curious aspects of the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018” is that “encryption” is mentioned just once in the new laws. On one hand, this is fairly typical. Governments don’t want legislation to be written so that it only applies to a narrow set of criteria. Particularly when it comes to technology, things can change and you want laws that can be applied to new technologies without having to be rewritten.

But there’s another line that should have us concerned.

In the definitions part of the draft legislation, access to a system “that is subject to a pre-condition (for example, the use of a password)” is also covered. So, it’s possible that an approved agency (and I’ll get to that shortly) could simply force an individual or a service provider to either hand over a password or the tools to decrypt a hashed and salted set of user credentials that can be broken.

In other words, they may not need to break encryption. The government could simply access your keys and work around it. This might not need anyone to weaken encryption. And given key management for encrypted systems is a significant blindspot in many organisations and very complex, the government may be relying on access to passwords as a tool for bypassing encryption.

When the government introduced the “Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014” – the metadata retention law – the initial list the Attorney General of the time, George Brandis, said access to the data would be limited to 22 agencies. That list of 22 agencies swelled to dozens and even though the government says their list has been pared back, they are being bypassed as agencies that want access are using state laws to get around the limits of the federal rules.

In other words, agencies not on the federal government’s list are accessing potentially sensitive information.

What’s to stop the same thing happening with the new encryption laws? While the vast majority of police officers and others with the potential to access sensitive data do the right thing there are many cases when some abuse that power. Like these two officers in New South Wales, or this copper in Victoria, or another in Queensland and this story today.

The counter argument is simple. Bad guys use encrypted data. Police can’t investigate or prosecute them because the data is encrypted. Ergo, they need to find a way around encryption.

That’s an easy argument to make and arguing against it can make you sound like you’re against law and order. Back when the metadata retention laws were being debated, I had the opportunity to hear former senator Scott Ludlam argue against the laws, before they were passed and Assistant Commissioner of the Australian Federal Police, Tim Morris argue for them.

I’ll be honest, Morris made the clearer argument. But, in hindsight, many of the arguments have been shown to be wrong. He argued for limited access with oversight. That isn’t the case today. And a central tenet of his argument was the trustworthiness of our police forces. Well, with massive allegations of corruption over the years in Queensland and New South Wales, as well as numerous instances of individual officers doing the wrong thing, his argument has fallen apart.

But while it’s being debated, it’s important that we all remain aware and informed. You should write to your local member and express your views. I recently did this over a local matter, to both my state and federal members, and received personal responses within 24 hours from both.

Privacy is an important right and it is being eroded in all sorts of ways. The new laws being proposed by the government are another step towards reduced privacy for individuals. Perhaps you think that’s a reasonable price to pay for increased security. If you do, that’s OK. And if you think it’s an unreasonable price – that’s also fine. But be informed and tell your local member what you think. Phone calls are great but putting your views in writing carries more weight. Send an email, write a letters – strap a note to a pigeon!

But be informed and be involved.


2 responses to “New Encryption Laws May Have Unintended Consequences”

Leave a Reply