Internet Security Blog - Hackology

Australia Breaks All Sorts of Encryption : Assistance and Access Bill

Nicknamed the Anti-Encryption Bill, the latest bill passed by Australia’s House of Representatives is officially called the Telecommunications Assistance and Access Bill 2018. It allows law enforcement agencies to force all organizations and companies, including Google, Facebook, WhatsApp, Signal etc., to help them access encrypted communications. Thus Australia has successfully managed to break all sorts of encryption with the help of those who know nothing about technology, i.e. politicians.

Why Australia Passed the AA Bill

The Australian government believes this new Bill is important for national security and an important tool to help law enforcement agencies and the security apparatus fight serious crimes such as terrorist attacks, drug trafficking, smuggling and the sexual exploitation of children.

Illustration of the AA Bill backdoor

What Assistance and Access Bill Permits

You can read the complete 228 pages of legislation here, or let me present to you the points which matter to us all. The Assistance and Access Bill could give the Australian government and law enforcement agencies power over citizens’ digital privacy. The bill requests companies to provide “assistance” in accessing encrypted data, divided into 3 categories, as explained:

  • Technical Assistance Request (TAR): A notice requesting that tech companies provide “voluntary assistance” to law enforcement, which includes “removing electronic protection, providing technical information, installing software, putting information in a particular format and facilitating access to devices or services.”
  • Technical Assistance Notice (TAN): This notice requires tech companies to give assistance they are already capable of providing that is reasonable, proportionate, practical and technically feasible, giving Australian agencies the flexibility to seek decryption of encrypted communications in circumstances where companies have existing means to do it. It is meant to bring those companies which are not already using the best encryption techniques into the government’s trap of compliance.
  • Technical Capability Notice (TCN): This notice is issued by the Attorney-General and requires companies to “build a new capability” to decrypt communications for Australian law enforcement.

I am sure you must be shocked by what you read, so the Australian government be like:

Mate! Show us what you got; if you can’t, make something so you can.

Does the Bill Allow Weird Stalking Rights

BIG YES. You can read the complete PDF I linked above, or let me present some excerpts from the same for your shock:

The Bill could allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person’s home, require a provider to monitor health data of its customers for indications of drug use, or require the development of a tool that can unlock a particular user’s device regardless of whether such [a] tool could be used to unlock every other user’s device as well…

And after stating that in the final approved bill, it has the audacity to mention this as well:

While we share the goal of protecting the public and communities, we believe more work needs to be done on the Bill to iron out the ambiguities on encryption and security to ensure that Australians are protected to the greatest extent possible in the digital world.

Government Supports Encryption – For Others Only

The Bill states that tech companies cannot be compelled to introduce a “systemic weakness” or “systemic backdoor” into their software or hardware, or “remove electronic protection” like encryption to satisfy government demands. The bill fails to explain what “systemic” might exactly mean in terms of the powers vested in the authorities.

All the ways the government may spy: the Australian government, inspired by this meme made for the US government

The new legislation requests measures aimed at facilitating lawful access to information through two available options: “decryption of encrypted technologies and access to communications and data at points where they are not encrypted.”

It remains to be seen how companies will comply with the government’s requests, because the demand is absurd.

Top 5 Reasons why AA Bill is Not Good

  1. The bill is bad for security because encryption keeps us safe from criminals. This bill will make it easier for them to hack us. Although the bill doesn’t ask to weaken encryption or put in a backdoor, it asks to allow special access for the government. Enabling that access makes us prone to social engineering attacks.
  2. The bill is bad for jobs because software companies will choose not to work in Australia, as this bill is fundamentally incompatible with GDPR.
  3. The bill is bad for workers, as it opens up all sorts of penalties if we conscientiously object to being drafted into the security services.
  4. The bill is bad for democracy as it will make it easier for a sitting government to access the private communications of journalists, opposition politicians, unions, businesses, etc.
  5. The bill is bad for the economy because global consumers will choose digital services that come from countries that are not threatened by Australian legislation.

I agree with these points as shared by Tom Sulston; this is not ‘all’ that is bad with the AA Bill, but these are the most important ones.

What Next

Open Source Renaissance

Another remedy for people who perceive this legislation as overreach is to use Open Source software (and hardware); after all, who would a TAN or TCN be served upon?

Against this is the impracticality of open source software for the majority of people, and momentum in the other direction from “cloud” services.

Going Incognito

The other obvious countermeasure to things like #aabill is to use encryption prolifically; not only “on the wire”, but “end to end” – i.e., between you and the people you’re communicating with, and not anyone in between.

Again, we’re already seeing this, in messaging apps like Signal and Wire. Unfortunately the design of e-mail makes it impractical for everyone to do it there; for things like file storage, it hasn’t caught on very well, and the way the Web works means you have to trust the server.

Less is More

The instruments in this legislation that the “interception agencies” really want to be using are the TARs and TANs – Technical Assistance Requests and Notices. “Assistance” means that they’re just asking for data or a capability that the provider already has lying around.

Some of that is unavoidable; for example, a Web store is always going to know what you buy, so they’ll be able to give this up if they’re served with a TAR or TAN – which have a lower bar for oversight compared to TCNs.

That said, a lot of what’s collected isn’t what you do, it’s extra information – sometimes called “metadata” – that helps them run their services, or is just collected in the normal process of business. Interestingly, it’s not at all clear what kind of oversight applies to metadata.

If consumers get nervous about these powers being misused, it might create a market for services and software that intentionally limits data collection.

Australia Gets Clayton’s Security

An international company that serves Australia and wants to stay has another choice; it can create special, Australia-specific products and services; that way, if an “intercepting agency” asks for access to a non-Australian version, the company can tell them to get f**ked (this is Australia, after all).

That Australian product (or service) is likely to have fewer guarantees around privacy and security, because it is operating in an environment that’s perceived as unfriendly to them.

Outsourcing Our Mates

Australian companies that serve global markets are also affected, especially when they have products or services that handle lots of sensitive data (whether that be military, corporate, government or personal). After this bill, companies outside Australia will think twice before hiring someone from Australia, because that Aussie can always be made to share the code or data with the government (he will go to jail if he doesn’t).

Somebody Pulls Out

Some hardware vendor, software author, or service provider might perceive the risk of continuing to do business in Australia – therefore making them subject to this law – as too high, and as a result pull their business fully out of this country.

What risk? The thinking goes that being subject to this legislation means that they are “tainted”; there might be an overreaching TCN or TAN applied, and its very limited oversight and transparency combined with the onerous secrecy measures means that overseas buyers will lose confidence.

Non-Compliance with the AA Bill

In case a company decides not to comply (which is really unlikely), that company could face massive financial penalties for not complying with the new law. This new bill would force tech companies to modify their existing software and service infrastructure to provide means for the government to access the required information.

Conclusion

Australia has made itself the guinea pig of the world in testing a regime to circumvent encryption. It is a highly technical experiment being conducted in real time, with a legislative process yet again asked to catch up with the messiness and uncertainty of the world of crime and its concealment. It might even lower crime, or the government might come up with showcases of successes it achieved thanks to this bill, but what about the loopholes? Should we let it go and see where it leads? How will we know how the data is being handled and who is being spied on, and will every data request be only in the nation’s interest, or maybe personal or political as well?
