The ‘TLDR’

The recent bill that passed in the Australian parliament is a bad deal for everyone. It won’t do what the politicians said it will do, and in fact it’ll just be a bad deal for all. Let’s start talking about it, let’s start asking questions of the politicians that are supposed to represent us and are supposed to be informed. Let’s hold them accountable!

Ah, what’s this all about?

On the 8th of Dec 2018 the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018” became law in a rushed final sitting of Parliament. It was passed under the false pretence that “we need it now to stop the terrorists”.

The current makeup of Parliament means the Coalition must rely on the crossbenchers to ensure that their bills pass and become law. Alternatively, they can negotiate with Labor to ensure it passes. The Coalition put the Bill to Parliament, and Labor submitted to the Government. They were scared to be called ‘soft’ this close to an election. They were scared of certain media organisations calling them out. But let’s now look at the bill and what it means for technology and for consumers (us).

What’s the gist of the new law?

It enables law enforcement agencies to “request technical assistance from technology companies to access encrypted data”. Encrypted data is data that can’t easily be understood without some secret (such as a password, PIN code, or biometric scan).

For the purposes of this discussion, let’s look at the Facebook-owned WhatsApp messenger as an example. WhatsApp sends encrypted messages between two or more people. Only the device a message was sent from and the devices it was sent to can read the data and make it human readable. This is achieved using a system of encryption that is one of the backbones of the secure internet, and underpins secure online transactions. WhatsApp can’t see what you’ve typed. They can see data that is encrypted, but without the correct keys it is meaningless to the company. Remember, I’m just using WhatsApp as an example; other messaging platforms work differently.

The Government has now passed legislation that allows law enforcement agencies to request that WhatsApp (and hence Facebook) help read the messages. But given this is not possible on the current platform, WhatsApp would need to be updated to remove this encryption. Alternatively, they would need to enable a security loophole to allow law enforcement to gain access. This could be done, but since the WhatsApp team would not know who it is for, they would need to implement this for all users.

There are provisions that allow the tech company to push back. They can say ‘we can’t do this without compromising security for everyone’, but because the Bill was rushed, there is no clarity on what this means and how it will be implemented.

So put simply, the Government wants to force technology companies to create loopholes in their platforms, allowing law enforcement to gain access to encrypted data and then decrypt and read it. These security loopholes would need to be built into the respective applications and websites.

We are giving the government a key to our houses, and hoping no one will try and steal it from the government. We’re hoping the government will use the keys to our house correctly. We’re hoping that rogue foreign governments won’t try and steal it. We’re hoping for a lot, for little gain.

Why is this bad?

There are many reasons! But I’ll try and explain them, and also the questions that might arise from them.

The first issue is that creating a security loophole in turn creates a security weakness that applies to all. It gives hackers and those trying to exploit the system a single point to try and attack. In security, the system is only as secure as its weakest component. We’re asking tech companies to make a weak part; we’re asking them to leave the window just a bit open. The fact that new code must be written, implemented and then pushed out makes the rush to pass the Bill quite strange. Updating the app, pushing it out and then hoping the end-users update their apps is not something that can happen in a few days. It would take months, not days. But the government said it must be passed before Christmas. The Government needs to pretend they are tough. Not because it’s going to help, but because it looks like they are doing something.

The Government relies on the fact that people don’t understand it. They rely on you being scared. Part of the reason for me writing this is to try and address that point. Let’s get more educated. The Government wants to win the next election. That’s all really. What they are doing here doesn’t make sense and I’d like to explain why throughout this article and answer questions to make us all more educated and more informed.

But Anand, there isn’t really a single point of failure, the government will make sure it’s all safe.

Let’s assume that the Government will only use this for the reasons they’ve said (which is another issue altogether). Let’s now say they’ve asked WhatsApp to build the security hole and WhatsApp have complied. Given how security works this means there will be an override key or information stored somewhere (most likely with WhatsApp) that provides the backdoor into messages.

If you’re a bad actor (hacker, foreign government, etc.) then you’re going to do everything you can to locate this code / information. Once you’ve got it, you have access to everything. You can have very personal private information, passwords and PINs (which plenty of people share on WhatsApp etc.). A single point of failure means just that. Once it’s broken, the floodgates open. They may be able to patch it and fix it, but the damage is already done. The information is out there and available, to sell or to use in other nefarious ways.
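The single point of failure described above, sketched in Python as an added illustration (this is not code from WhatsApp or from the original post). It assumes a simplified model: every conversation has its own random key held only by the two devices, the server stores only the encrypted records, and `seal`/`open_` are a toy stand-in for a real authenticated cipher.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, n):
    # SHA-256 in counter mode: toy stand-in for a real cipher, not for production use
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt then MAC under `key`; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def open_(key, blob):
    """Return the plaintext, or None if `key` is not the key the blob was sealed with."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def send(plaintext, session_key, override_key=None):
    """Build the record the relay server stores for one message."""
    record = {"ciphertext": seal(session_key, plaintext)}
    if override_key is not None:
        # Backdoored variant: the session key is also wrapped under the one override key.
        record["wrapped_key"] = seal(override_key, session_key)
    return record

def readable_with(key, records):
    """Messages recoverable by someone holding only `key` plus the server's records."""
    out = []
    for r in records:
        session_key = open_(key, r["wrapped_key"]) if "wrapped_key" in r else None
        msg = open_(session_key or key, r["ciphertext"])
        if msg is not None:
            out.append(msg)
    return out

def demo():
    # Constructed sample: three unrelated conversations, each with its own key.
    chats = [(secrets.token_bytes(32), m) for m in (b"see you at 6", b"my PIN is 0000", b"happy birthday")]
    override = secrets.token_bytes(32)
    plain_e2e = [send(m, k) for k, m in chats]
    backdoored = [send(m, k, override) for k, m in chats]
    stolen_user_key = chats[0][0]
    return (len(readable_with(stolen_user_key, plain_e2e)),   # one device key: one chat
            len(readable_with(override, plain_e2e)),          # no backdoor: nothing to unlock
            len(readable_with(stolen_user_key, backdoored)),  # still one chat
            len(readable_with(override, backdoored)))         # override key: every chat
```

Losing one person's key exposes one conversation in either design; losing the override key exposes all of them.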

I haven’t talked about the technical issues of attempting to even implement this in a quick way. This is part of the lie. This stuff takes time. We were told that the threats are imminent, and it must be passed before the Christmas–New Year break. But changes in software take time! It is on us to ask how this can even be done. Ignorance of how things work is not an excuse the politicians can use, but they do use it and the media in Australia seem to accept it.

But Anand, the government is after the bad guys, won’t someone think of the children!

Great point, Mrs. Lovejoy. Sure, people who are worried about using apps developed by big tech companies will just go more underground. I can write an encrypted point-to-point messaging application in a few hours. In fact, this task is a common assignment given to students in their first year of university! In my opinion it’s easy to get around by using some other custom-made application. I can’t help but ask again, why are we doing it?

Often breakthroughs are made when the bad guys make mistakes, letting their guard down, cutting corners. This legislation pushes them to even more underground methods and means they are potentially less likely to be found and caught. Again, the farce of protecting us is likely making us less safe.

I think the bad guys aren’t really worried about this. It might delay things for them, but the real people affected are consumers of the technology (us). The scare tactics don’t make sense. The government is scaring the uninformed into thinking they are being protected, when in fact they are making things less safe in the medium and long term. And maybe that’s the point: the government only cares about the short term (until the next election).

But Anand, put your tin foil hat away, this is not going to happen.

Sure, it might seem like that. But why do we need this? I don’t think the Bill has been explained at all. It’s been rushed. It means that huge tech companies will think twice about operating in Australia. It means all tech companies need to be ready to obey the law. The cost of doing business in Australia was so large before and now it’s even larger, so why would you want to be in this market?

The other issue I have is: what’s stopping the government using this loophole for other needs? Maybe the ATO needs access to ensure people aren’t lying about their taxes. It’s also interesting to note that corruption watchdogs such as ICAC don’t have access to it. The politicians are safe to still use things without ICAC finding out about their dodgy dealings.

In writing this part I remembered a quote from The West Wing, “Threats to civil liberties only ever come a few dollars at a time.” (S4.E12). I think the message applies here. If we accept this, how many more little things do we forgo in the name of our protection?

But Anand, the tech companies use our information already, how is this different?

This is a really good point, and one I’m not sure I have a good answer to. The tech companies are already going through things, and have a lot of information about us. The difference here is they can be held accountable by their share price and customer sentiment.

If they start to use the data incorrectly the consumer can act (thanks to free market capitalism). It’s not the same with the Government. The Government itself can’t be held to the same level of scrutiny.

But Anand, that’s what elections are for. But elections are few and far between, and company share prices have a much more immediate impact. And unlike political polls, share prices relate to tangible outcomes (money).

Another reason this is different is that our privacy and our rights are supposed to be protected by the government. If the government is the one abusing and dismantling those rights, what are we supposed to do?

But Anand, surely people are blowing this out of proportion.

I think this is a fair question. What happens when the Federal police ask Facebook (the owners of WhatsApp) for access to personal messages and Facebook say “no we can’t”? Does Facebook get fined? Does Facebook get blocked in Australia (since we already have ISP-level URL filtering)?

I guess this might seem a bit far-fetched, but that’s the point: we need to understand what the end game of all of this is. We need to discuss it, NOT rush things through. We need to work out the implications as much as possible and make informed decisions.

Why wouldn’t you just leave the Australian market? It’s too small for huge companies to care about. It might lead to a niche of Australian-only players, maybe we’ll finally get “YouBeautChat”. Just like China has its China-only tech platforms such as WeChat. They conform to the government-mandated privacy (or lack of privacy) policy. But the same argument doesn’t work in the small economy of Australia.

I do think it’ll lead to tech companies pulling out of Australia or not supporting certain functionality. It takes one large-scale hack to have all of our data all over the internet. It takes one hack to lead to our privacy being devalued. This is the first small step towards an Orwellian reality. We need to ask ourselves: is this worth the price?

But Anand, this Bill was passed with support from Liberals, Nationals, and Labor, what can you do?

This is where I’m not sure how to answer it. Labor have come out saying they’ll change things in the New Year. But we’re not sure why they offered their initial support. I think the reason here is Mr. Murdoch, who is telling people that Labor will ‘have blood on their hands’ if something does happen.

But like I’ve said, this makes NO sense. Maybe there will be change. But let’s be honest, the government wants you to be scared, and only really wants an election win. I know this is ultra cynical. But I think given what the media is doing, this is the plan: they want an election win. That is their end goal. Being scared, being afraid is their path to it. Underlying all of this, the public are not being informed. This is how they succeed.

So what can we do?

Talk about it. Raise it with people you know. Ask questions, get more involved! I’ll try to answer questions and try to help you if you want to know more. But most importantly, share the issue. Make people realise that this is not something that is acceptable for a government to do.

We’re coming up to a lot of elections. The Federal election most likely will be in May. There will be lots of politicians out and about, so why not ask them about it? Why not ask them about their positions, and tell them that the encryption bill is something you are concerned about? Let us get more educated on this and other matters.

Let’s demand that those voting on bills that become laws are more educated on matters and more accountable! If you don’t agree with me, that’s fine, let’s talk about it. But let’s not let our representatives get away with not being informed; let’s demand they are better.