Politics

Everything You Should Know About The Government’s New Encryption Laws

“The people we’re most worried about will circumvent it and the ones who most need it are the ones who are going to lose their privacy.”

In a press conference this Friday Prime Minister Malcolm Turnbull announced the Government’s intention to introduce new encryption laws that would compel tech companies to provide Australian security agencies with access to encrypted messages. The laws are intended to make it easier for law enforcement to access the messages of suspected terrorists and criminals.

Unfortunately, Turnbull also used the press conference to demonstrate a deep misunderstanding of how encryption works. Specifically, he said that the laws of mathematics are “very commendable” but do not apply in Australia. This did not inspire confidence.

Given the importance of encryption for security and privacy, and the enormous potential consequences of inserting so called “backdoors” in software, people are understandably pretty freaked out. The UK laws the Australian laws are supposedly based on have also been roundly criticised as an invasion of privacy, and have been nicknamed the “Snoopers’ Charter” for that reason.

For the time being, though, it’s not totally clear exactly what the Australian laws will entail, whether they’ll work, and whether they’ll be much of a threat. Here’s what you need to know at the moment:

What Did Turnbull And Co Say?

Apart from that the laws of mathematics don’t apply down under? Not much.

Basically, Turnbull said the government is concerned about making sure “the rule of law applies online as well as offline” so that “the internet is not used as a dark place for bad people to hide their criminal activities from the law”.

Attorney-General George Brandis emphasised that the new laws are “not changing any existing legal principle. It has always been accepted that in appropriate cases, under warrant, there can be lawful surveillance of private communications”. He characterised the new laws as bringing these up to date with technology.

As far as how the government plans to ensure this, we got vague mixed messages. Turnbull insisted that “the legislation will require [tech companies] to provide assistance”, except “not through backdoors, but legitimately, appropriately”.

The problem? It’s not clear what this means, or whether it’s possible.

Backdoors? Decryption? What Does All This Mean?

End-to-end encryption, which is used by messaging applications like WhatsApp, works by scrambling a message as it’s transmitted such that it can only be unscrambled by the intended recipient. The Guardian has an excellent explainer on how encryption works here, but the basic takeaway you need is this: the service provider (i.e. WhatsApp), cannot unscramble the message.

This is the point on which the government’s vague press conference doesn’t make a lot of sense. The law may compel companies like WhatsApp to provide assistance, but there’s not a lot that WhatsApp can do. In the words of independent cybersecurity researcher Troy Hunt, “you can’t break the mathematics in that way, it’s just not how it works”.

This brings us to the question of backdoors. A backdoor is a method of bypassing security or encryption, which can end up in a program by design or by mistake. One way that the government could hypothetically obtain encrypted messages is if they were able to compel an encrypted messaging provider to remove encryption, or to implement some kind of backdoor allowing messages to be retrieved from a device.

The problem with inserting backdoors, as Troy Hunt puts it, is that you can’t ensure they’ll only be used by legitimate forces. “Once there is a way of exploiting devices, sooner or later it tends to fall into the hands of people it’s not meant to,“ he told Junkee.

The global WannaCry ransomware attacks several months ago, for example, were the result of a backdoor in Windows operating systems being exploited by malicious hackers. When security is compromised through backdoors or the removal of encryption, everybody loses.

Of course, Turnbull was adamant that no backdoors would be used. But given that he was cagey on how exactly the laws would work, people are a bit worried.

So What Might Happen?

Troy Hunt told Junkee what the laws might actually mean in practice. 

He thinks that rather than trying to compel services like WhatsApp to remove their encryption, we’re more likely to see the government “proactively pursue intercepting messages at the end points, for example by using exploits to gain access to it on phones of suspects, which makes a lot more sense technically than what some of the headlines say at the moment.”

This would entail trying to work with companies like Apple and Samsung to break into their devices — something that has received huge pushback from such companies in past. Given that in the past tech companies have stood their ground, and ultimately it took the FBI “paying about a million bucks to get some exploit tool” to get in, Troy isn’t particularly worried about the Australian government’s use of backdoors becoming particularly widespread in practice, even if that’s their tool of choice.

While it might be unlikely that the government manages to force tech companies to bypass encryption, Troy cautions that it wouldn’t be great for most of us if they did.

“If they managed to do that, we still have all of these mechanisms of encryption that are outside the scope of any one company or service — we still have things like PGP mail. And all of these channels will still exist for people who want to use them and keep their messages private.”

“The people we’re most worried about will circumvent it and the ones who most need it are the ones who are going to lose their privacy.”

Basically, at the moment what the government’s proposing is pretty unclear, and sounds a bit dodgy, but nothing’s actually been finalised. The takeaway for now is that this is one to watch — further details of the actual laws will emerge as the bills themselves are drafted.

Sam Langford is Junkee’s Staff Writer. She tweets at @_slangers.