The questionable AA bill passed with bi-partisan support, but with the government now able to access our encrypted data, should we feel safer – or more at risk?
It might have been overshadowed by the furore surrounding the fate of those on Manus and Nauru, but the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 passed both houses with bi-partisan support.
Ostensibly, if individuals and companies possess encrypted data that the government cannot access, the bill allows the government to force the issue, lest their target be hit by financial penalties.
Only law enforcement bodies (including ASIO), can issue aforesaid notices. Which these bodies need to obtain warrants to glean information, the bill looks to move well charges of terrorism of child abuse material. One of the more questionable aspects is the ability to intercept encrypted messages on apps such as WhatsApp, iMessage and Telegram.
The bill was motivated by the fear of the populace encrypting obviously criminal behaviour. Labor MP Peter Khalil disclosed the following to Parliament:
We’ve heard … that members of the Parliamentary Joint Committee on Intelligence and Security have heard evidence from security, intelligence and law enforcement agencies about the risks of the surveillance environment going dark because of some of this technology where terrorists, paedophiles, organised crime and drug traffickers all utilise encrypted technologies and applications for their communications and their planning.
But, according to Robert Merkel of Monash University, “…this type of spyware relies on accidental security flaws in Android and iOS, which may be fixed by updates from Google or Apple at any time.”
The immediate risks, however, are harder to draw. According to the law, only law enforcement and intelligence agencies will be able to gain access. The law also denies the creation of loopholes that might allow hackers to gain access to the problem, otherwise known as “systemic vulnerabilities”.
The problem, according to Merkel is that “…it is extraordinarily difficult to create mechanisms that allow law enforcement to gain access to information about specific people from specific systems, while posing no risk that anyone else can use the same mechanism to gain unauthorised access to other information.”
In other words, the system in place used for protection could also be used as a window. It’s worth mentioning that similar tools used by similar intelligence agencies have been stolen in the past. The ‘WannaCry’ ransomware attack in 2017 is a fairly obvious example of how it could go wrong.
To believe that we’re above the same mistakes, is naive and ignorant of the environment we live in.