Landmark laws will give security agencies new powers to obtain the encrypted communications of criminal suspects. How far do the powers go? And what do they mean for you? Here’s what you need to know.
Tech giants such as Apple, Google and Facebook can be forced to help Australia’s law enforcement agencies read our private messages under new laws designed to ensure wrongdoers can’t hide behind encryption.
What is encryption and how does it work?
Encryption is an important technology that you use every day. It protects your security and privacy when browsing the web, sending email or banking online.
The technology basically works by scrambling messages in such a complicated way that is it virtually impossible to unscramble them unless you know the decryption key.
This ensures that your messages can’t be read by someone who intercepts them in transit, which is why it’s known as “end-to-end” encryption.
Think of it as a secure envelope that can only be opened by the intended recipient so not even the postie can steam it open to sneak a peek at your letter.
Why does the government want these laws?
While encryption is great for protecting sensitive information such as banking details, the technology can also be used for more nefarious purposes.
The likes of terrorists, drug smugglers and paedophiles can take advantage of encryption to hide their activities from prying eyes. This has become more of an issue for law enforcement agencies as more online communication tools are beefing up their security.
End-to-end encryption is no longer used only by security-focused smartphone apps such as Signal and Wickr. Today, end-to-end encryption is also available with popular services such as WhatsApp, Facebook Messenger and Apple’s iMessage. These tech giants can’t even read the messages sent across their own networks because they don’t have the encryption keys.
Do the new laws force companies to “break” encryption?
No, the laws say that tech companies can’t be forced to add a “systemic weakness” to their security. The idea isn’t to weaken encryption algorithms, nor to force tech companies to create a way for law enforcement agencies to decrypt messages and secretly open those secure envelopes while they’re in transit.
So how will they read my encrypted messages?
Instead of breaking encryption, law enforcement agencies are looking for ways to sneak onto your devices to read messages before they’re encrypted, or read them once they’re decrypted on the other end. They basically want a way to look over your shoulder to see what you’re writing before your letter goes in the secure envelope.
The law doesn’t specify exactly how tech companies should do this, just that they’re obligated to assist when asked to help find ways to read messages. Sneaking onto a device to snoop on messages before they’re encrypted could require assistance from a handset-maker such as Apple or Samsung, or from a software maker such as Apple or Google who control iOS and Android. Alternatively, it might require co-operation from a telco such as Telstra or Optus, as well as an app maker such as WhatsApp or Viber.
It remains to be seen whether tech companies co-operate. It is possible they could add extra security features to foil efforts to access encrypted messages, just as they ramped up their end-to-end encryption efforts to hamper US National Security Agency surveillance.
Will the government have unfettered access to my communications?
No more than they did before. They still require a warrant to intercept your encrypted messages; the law does not allow a mass surveillance program.
Will I know if investigators are reading my encrypted messages?
No. The tech company that helps investigators intercept your messages is not allowed to tell you. It’s possible that law enforcement agencies could even force software developers within these companies to assist without telling their boss.
Why are security and privacy advocates concerned about this bill?
Even though the bill does not propose weakening encryption itself, any efforts to thwart encryption could potentially affect everyone’s privacy and security.
Security and privacy advocates are concerned that the new laws are too vague, particularly as they do not define terms such as “systemic weakness”.
History also tells us that once tech companies and law enforcement agencies have ways to intercept messages, this power is open to abuse. It is also possible that the technology could fall into the wrong hands, making it easier for hackers to steal sensitive encrypted information.
The government has been pushing hard to have their Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 rushed to parliament, just a day after the joint parliamentary committee finishes reviewing the draft legislation and listening to experts on what the impacts, positive and negative, of the proposed laws might be. But will the new laws actually be passed?Read more