Junk Explained: Here’s Why Peter Dutton’s Encryption Laws Are So Terrifying
The laws could pass this week, but they're not ready.
There are just three sitting days left in the Parliamentary year, and the government is still pushing for its encryption bill to be rushed through. If you keep seeing the word encryption tossed around with increasing urgency but aren’t quite sure what’s going on, it’s time to get up to speed, because this one will certainly affect you if it’s passed. It could even have global consequences.
To recap, it’s been a year and a half since the government first announced its intention to introduce these so-called encryption laws, which aim to give law enforcement greater powers to force tech companies to help them access the communications of suspected criminals. The government claims it needs the laws to help prevent terror attacks, but security experts and tech companies warn that the laws will likely end up reducing security and privacy for everyone.
We’ve published explainers on these encryption laws before, but a lot has changed since the early stages of the bill, which started off dangerously vague (you might remember then-Prime Minister Malcolm Turnbull telling us that the laws of mathematics were “very commendable” but do not apply in Australia). Over time we’ve learnt more, and the detail hasn’t been encouraging.
Here’s everything you need to know about encryption, and the laws the government is proposing.
Explain Encryption To Me Like I’m A Small Child, Please
Encryption, in a nutshell, just means scrambling up information in a way that only allows the intended recipient of the information to descramble it. That’s it. It’s not scary.
Let’s use the example of sending messages to illustrate. Encrypted messaging apps like Signal or WhatsApp use something called end to end encryption, which basically means your message gets scrambled up with a special password when you send it, and it can only be descrambled at the other end by someone with the right password.
If you imagine the message you’ve just sent as a letter, end to end encryption means that if your postie was to get curious and open the envelope for a look, or if your letter got delivered to a neighbour by accident, its contents would just look like a bunch of gibberish. Only the person you meant to send the letter to would be able to descramble it so it makes sense.
Encryption is more complicated than that in practice, and there are lots of different kinds of encryption (here’s a more detailed encryption explainer, if you want to level up), but that’s the basic idea you need to understand to get your head around the government’s proposed decryption bill.
Understanding end to end encryption, for example, helps explain why tech companies often say they can’t actually give law enforcement the data it needs. If you’re using end to end encryption, the tech company (e.g. WhatsApp) is the equivalent of the postie in the above scenario: it has the scrambled data, sure, but it doesn’t have the key that will make it make sense.
Understanding what encryption actually is also helps demonstrate why it’s important. We send lots of information via the internet every day, ranging from personal messages to passwords, bank details, you name it. There’s no bulletproof way to avoid to avoid getting hacked or having some of your information fall into the wrong hands, but having some level of encryption involved can be the difference between a stranger seeing your personal information and that stranger just seeing a scrambled up string of letters and numbers that could, perhaps, be descrambled into your personal information.
What Does The Encryption Bill Actually Force Tech Companies To Do?
Peter Dutton has been banging on about how we need this new decryption bill to help take down terrorists and other criminals. He’s not the only person making this argument — around the world, police departments and intelligence agencies have been increasingly complaining about “going dark” because encryption has made it harder to intercept criminals’ messages.
The encryption bill (which is formally known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 if you’re looking for it on the Parliament site) aims to enable law enforcement agencies to access these communications by forcing tech companies to help them out.
Part of the problem with the bill is that it’s still not too clear what, precisely, it will force tech companies to do. The government claims that the bill will not be used to create a systemic vulnerability (one that will affect everyone who uses the app or technology in question), but experts have pointed out that the legislation doesn’t really tell us what the government considers to be a systemic vulnerability, or what kind of actions would cross that line.
To get an idea of how dangerous that could be, consider the example of encrypted messaging we explained above. In a situation where a suspected terrorist is using an app like WhatsApp, WhatsApp doesn’t actually have the power to just jump in and grab particular messages for law enforcement. The tech company could, however, stop using end to end encryption, or add a so-called “back door” to the system allowing law enforcement to access the messages anyway.
The problem is that whatever backdoor they add will affect everyone using that app or tech service, and that backdoor can potentially be discovered and abused by anyone. If the government’s new bill forces tech companies to make this kind of change, then everyone’s security will be put at risk, with potentially global repercussions. In fact, some tech companies have suggested they might just leave Australia if the laws are passed, rather than risk losing the trust of their customers around the world.
There are also plenty of ways this bill could potentially force tech companies to make really scary changes that don’t involve breaking encryption, but might still become a huge problem.
“For instance, the bill could allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person’s home, require a provider to monitor the health data of its customers for indications of drug use, or require the development of a tool that can unlock a particular user’s device regardless of whether such tool could be used to unlock every other user’s device as well,” Apple wrote in its submission to a parliamentary committee looking into the bill.
“All of these capabilities should be as alarming to every Australian as they are to us,” Apple warned, pointing out that it’s also super concerning that the bill will force tech companies to keep the modifications they make secret, so users have no way of knowing the service they rely on has just become weaker.
— Seano (@SeanBradbery) December 1, 2018
As tech company Senetas told a parliamentary committee on Friday, it’s not always clear what kind of features will become a systemic weakness until someone uses them to do damage. For example, in April 2017 a secret exploit the US National Security Agency had been using to break into devices was stolen by hackers and made public. Since it was made public, the exploit has been used to hack people in a whole bunch of different ways — just last week, researchers discovered a new way it was being used.
Tech companies aren’t the only ones opposing the bill at the moment. The Law Council of Australia has released a statement saying that while it supports the need to keep Australians safe, “this unprecedented bill is far too complex to be rammed through parliament in its entirety in just four days”. Labor also wants more time to look over the bill, and offered to support a less extreme interim bill in the meantime while the details are worked out.
Oh, And The Government’s Rushing Into This For No Reason
To top it all off, the government’s claim that this bill must be passed before Christmas for vague and urgent national security reasons is totally unfounded.
There’s no rush, and here’s why. Firstly, the government has been sitting on this legislation for a long time. As Labor MP Tim Watts points out in this excellent Twitter thread, the government first announced vague plans to target encrypted messaging back in June 2017. It was July 2017 when Turnbull gave his infamous press conference claiming that the laws of mathematics do not apply in Australia.
The government then blew through a series of tentative deadlines to reveal the actual details of the bill. At first, they indicated it would be done in late 2017. Then they suggested a draft would be ready in the first quarter of 2018. In reality, it took them until August this year — more than a year after first announcing the legislation — to release a draft.
That draft was super problematic, and given that it proposed a massive expansion of the powers available to law enforcement agencies, people naturally wanted a chance to look at the details. The bill was referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for a closer look, and the public was given less than a month to submit feedback.
Even with that short timeframe, the PJCIS received a tonne of submissions, and at the time we were writing this article, the committee still hasn’t released its report on the bill. In short, the committee isn’t finished checking over the bill to consider whether there are any problems with it, e.g. whether it might actually weaken security for all Australians.
So even if the PJCIS released its report right now, members of Parliament would have at most three days to take a look at its findings and decide whether they want to support the encryption bill (that’s because Parliament finishes up for the year on December 6). That’s nowhere near enough time to thoughtfully consider a massive piece of national security legislation.
The government has been claiming that’s too bad, saying that the bill needs to be passed urgently to prevent terror attacks. But when you look at all those dates above, you’ll see that it’s been eighteen months since the government first said it wanted this legislation, and nothing has gone to shit during that time. There have been terror attacks, sure, but the law enforcement has also managed to foil quite a few terror attacks during that time.
This is ridiculous hyperbole of course. There have been 11 foiled plots in Australia proven in court since 2014 without these laws.https://t.co/tz5T961ROd
— Tim Watts MP (@TimWattsMP) December 2, 2018
In short, there’s no guarantee that passing these encryption laws quickly will prevent terror attacks. There is, however, a fair bit of evidence suggesting that passing these encryption laws quickly could introduce flawed new powers that could result in weakened security for all Australians, possibly even technology users worldwide.
As the Law Council of Australia put it, “Parliament must proceed carefully to ensure we get it right. Rushed law can make bad law.” And whatever your stance on the bill itself, with three days of Parliament left it’s hard to deny that it’s rushed.