Australia: Undermining Encryption Creates Unacceptable Security Risks
by Rose Dlougatch, Senior Research Associate, Freedom on the Net
Australian Prime Minister Malcolm Turnbull. © Dept. of Defense photo by Navy Petty Officer 2nd Class Dominique A. Pineiro/Released.
Weakening internet users’ privacy to aid law enforcement would likely do more harm than good.
An Australian parliamentary inquiry on emerging information and communications technologies has sparked renewed debate in the country over encryption, and whether law enforcement agencies should have easier access to users’ private communications.
The inquiry came after then attorney general George Brandis said last year that Australia needed to introduce laws that would allow “law enforcement or intelligence to decrypt a communication” in order to help apprehend terrorism suspects and other criminals. In response to criticism of the proposed laws, Prime Minister Malcolm Turnbull insisted that while “the laws of mathematics are very commendable … the only law that applies in Australia is the law of Australia.”
However, this focus on empowering law enforcement tends to ignore not just the laws of mathematics and the fundamentals of encryption technology, but also the fact that undermining encryption would do real harm to ordinary Australian citizens and businesses. Communication tools and services that feature end-to-end encryption are now an essential part of most Australians’ daily routine. Popular messaging apps such as WhatsApp are end-to-end encrypted, ensuring that only the users at either end of the conversation have the “key” to unlock messages sent through the platform. Even the managers of the platform itself cannot access the content of user communications.
Everyone needs privacy
But why should the public be worried about law enforcement having the power to access our chats or emails when necessary, especially given the government’s promises of reasonableness and proportionality? If access to encrypted communications could help expose a terrorist cell or stop a crime, shouldn’t we be all for it? Proponents of such access argue that it ought to be of little concern to ordinary Australians with nothing to hide.
The problem, of course, is that law enforcement agencies with good intentions are not the only ones seeking private information. Everyone has something to hide from cybercriminals and other malicious actors. Troublingly, however, a recent government survey revealed that the majority of Australians do not take steps to protect their personal privacy online.
Cybersecurity experts and cryptographers have consistently maintained that deliberately introducing vulnerabilities into technologies used by millions of people every day is a bad idea. If the state has access to some kind of encryption key, it is only a matter of time before it falls into the wrong hands. In recent years, hackers have successfully obtained incredibly sensitive, heavily guarded information from security agencies in both Australia and the United States. Chinese hackers, for example, have targeted the Australian Security Intelligence Organisation, managing to steal blueprints of the agency’s building security and communications systems.
A backdoor encryption key not only exposes regular users to security threats, but it is also unlikely to prevent tech-savvy wrongdoers from finding other ways to communicate anonymously. As the Berkman Klein Center has noted, the generative nature of the modern internet means that communication channels resistant to surveillance cannot be stamped out except with technology that is only employed by the most despotic regimes. The expansive surveillance practices of authoritarian states like Russia and China, which frequently invoke the threat of terrorism as a justification for ever-more-intrusive measures, should serve as a warning—and not a source of emulation—for liberal democracies such as Australia.
Indeed, Australian authorities already have extensive access to user data. Telecommunications companies are required to store customer metadata for two years, and law enforcement and security agencies have almost unfettered access to these records. Metadata do not include the content of user communications—for example, the text of an email will remain private. Such information nevertheless paints a detailed picture of an individual’s life—the people she contacts and her location when making a call, for instance. And we know that Australian authorities have sometimes breached the very loose constraints on their power to access user metadata.
Australia clearly has a responsibility to protect the privacy and security of its own citizens. But it has an added interest in maintaining its status as a democratic leader in the Asia-Pacific region. It must avoid undermining its own moral authority to hold its neighbors accountable to international democratic standards, including countries that are rated Partly Free in Freedom House’s Freedom on the Net report, such as Singapore and Indonesia, as well as China, the worst-performing country, where space for anonymity online has all but vanished. Promoting the rule of law and other democratic norms in neighboring countries ultimately bolsters Australia’s own security.
Encryption is also central to the operations of modern businesses and will only continue to grow in importance as digital technologies contribute more to Australia’s gross domestic product. A recent memorandum published by Access Now outlines the necessity of effective encryption for Australia’s future economic success. Limiting the effectiveness or availability of strong encryption will push companies that rely on the technology to invest elsewhere, placing Australia at a competitive disadvantage in a global digital economy.
The Australian government should resist using the threat of terrorism as an excuse to introduce bad laws with negative security and economic implications for all Australians. Compromising encryption would undermine privacy and security for ordinary users, while legitimate surveillance targets would inevitably migrate to alternative communication channels. As technology advances, we must remain vigilant and ensure that the rights and freedoms expected in a democracy remain protected—both for their own sake and for the practical benefits they confer on the country as a whole.
Analyses and recommendations offered by the authors do not necessarily reflect those of Freedom House.