After months of resistance from tech companies, the Australian government has just made good on their threats to pass anti-encryption legislation. This new legislation not only arms law enforcement agents with more surveillance power but also disarms tech companies in their efforts to provide better privacy and security to their customers. But does it stop there? Can breaking encryption also break society?
I’ve made no secret of my stance on the need for strong encryption. As a security expert, tech consumer and business owner, I am not alone. Ever since Apple went head to head with the FBI over the San Bernardino iPhone encryption debate, many voices have followed in criticizing heavy-handed efforts by law enforcement to force phone makers to comply. At the crux of this compliance stands only end-to-end encryption. This degree of encryption disallows anyone (including the tech companies themselves) to intercept or read any data outside of that encrypted chain without a password so why is legislation getting involved?
Australia’s new Assistance and Access Bill 2018 compels companies to hand over all requested user data. Tech companies have been complying for years when legal warrants are presented and will continue to do so. The problem is that this law also includes end-to-end encrypted data as well. Such data cannot be provided unless each company provides a “backdoor” solution or key to law enforcement essentially breaking encryption. This hurts their business models, their customers’ privacy and only sends criminals, terrorists and anyone requiring absolute privacy to seek out other means of data protection. But those are just the immediate effects on the surface.
“It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics” – Bruce Schneier
The disturbing trend toward authoritarian governments have typically relied on a public’s fear of uncertainty by forcing citizens to make a choice between their privacy and their safety. Encryption technology offers both privacy and security to all users but that hasn’t stopped law enforcement from creating a divide between these two factors. Police would have us believe that they cannot do their jobs without access to the contents of every suspect’s phone. On the surface, this appears to be sound reasoning but the U.S. Constitution is filled with many hard absolutes precisely for this reason. Countless circumstances more than any law enforcement agency can consider must also fall under this blanket protection. Otherwise, the U.S. would surely become a true police state.
Australia’s new law sends a chilling message to all tech companies but also creates a potential domino effect spilling into many other countries including the U.S. Of course Apple, Google and others can pull their encrypted products completely out of Australia but that would devastate their revenues and existing Australian customers so they would more than likely, eventually (after a few rounds of legal battles) concede just to preserve their own existence. These days, international revenues are necessary for economic survival so can tech companies simply issue special key(s) to law enforcement for each legally obtained warrant?
Cannot Compromise Math
To the average citizen, individually issued decryption keys sounds like a fair compromise or at least a necessary evil. But to the average cybersecurity expert or engineer, the same ones tasked with securing our data and private dealings, this is a disaster in the making. Putting aside the abuses of power, IP theft, state sponsored spying and overall hacking that will likely all proliferate once any decryption key is created, regular users can never go back to total privacy again. Some of us already choose to live in a world where tech companies scrape our data and market it back to us. Others have no problem sharing that data and more with their own government in exchange for physical protections. Respected cybersecurity researcher Bruce Schneier put it best when he said “It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics“.
This rigid approach might seem too binary to our law makers and media pundits but is as fundamental to end-to-end encryption. We’ve already seen warrantless law enforcement abuse from local police all the way up to massive NSA spying programs. Those abuses of power or sanctioned hacks cannot occur when data is encrypted against all eyes except for the parties directly involved. Once we’re prepared to hand over our innermost secrets to our government and leave personal privacy behind, we have left the United States and entered into a land somewhere between China’s socialist republic and George Orwell’s fictional Oceania from 1984, his seminal novel. And if you think I’m being hyperbolic about China, don’t forget that their social credit system goes fully operational by 2020.
In the U.S., we find ourselves in a strange allegiance with the very same tech companies that facilitate most of the spying and data mining against us. In response to Australia’s new legislation, Apple, Dropbox, Evernote, Facebook, Google, LinkedIn, Microsoft, Oath, Snap and Twitter have penned a letter of protest entitled Reform Government Surveillance. This letter claims that the new mandate seeks to “undermine the cybersecurity, human rights, or the right to privacy of our users.” These tech giants are concerned mostly with preserving their business models and revenue projections but that doesn’t mean that they also don’t want to protect their users’ privacy and data integrity as well. When government seeks to weaken encryption, privacy is the first casualty.