The new law is a sizeable step forward for the Australian government on its long-standing quest to undermine encryption, forcing individuals and organisations into weakening their systems to comply.
First Published 14th December 2018
The world is watching Australia closely.
4 min read | Reflare Research Team
On the 6th of December 2018, the lower house of the Australian parliament passed a law that mandates individuals and organizations turn over encrypted data of a user in a decrypted format if a warrant is issued for said data. While the upper house still has to pass the law, current public statements issued by the political parties indicate that there will be little resistance.
The law has been strongly opposed by privacy advocates and the technology industry. While Australia is the first western country to pass such legislation, lawmakers in other countries - most notably the U.S. and U.K. - are pushing for similar laws.
Why pass such a law?
While the reaction to the law from the tech industry has been overwhelmingly negative, it would be imprudent to gloss over the real-world issues caused by the relatively recent availability of strong encryption to non-technical end-users. Until around a decade ago, only technically versed individuals were able to encrypt their data and communications. Since then however, encryption has become a standard feature in many use cases. In the current times, most modern smartphones, communications platforms and web services are encrypted by default.
This creates problems for law enforcement as criminals can no longer easily be wiretapped or otherwise eavesdropped on. Of course, sophisticated or technically inclined criminals were able to encrypt their communications before. But as with many things, this is a problem of scale. If a technology leads to 10% of suspects being un-surveilable, it is merely a nuisance. If the technology evolves to make 90%+ of suspects un-surveilable, it turns into a problem.
Such, legislation demanding that companies create backdoors that allow them to decrypt data for law enforcement seems reasonable to non-technical users.
What is the problem from a technology perspective?
Non-technical people often think of encryption in terms of physical keys. And why shouldn’t they? After all, we call the information needed to decrypt and encrypt data “cryptographic keys”. Sadly, this analogy is rather poor. Let’s compare a locked room to an encrypted file.
The lock has a “known” solution. Namely the right key to open the lock is built into the lock itself. We can technically deduct the right key by disassembling and analyzing the lock. At the same time, the door is only a physical barrier that restricts access to the otherwise perfectly normal room. When you think of encryption in these terms, then asking for a “master key” seems perfectly reasonable.
However, that is not how encryption works. There is no equivalent to the lock and door when dealing with encrypted data. The “room” doesn’t stay normal either. Rather, the closest correct analogy would be that the physical room itself is getting warped around the key. Without the key, there is no room. It doesn’t exist. There is no “known” solution that can be deduced either. And this creates a problem.
To comply with the government’s request, technology companies would have to reduce the security that they currently offer to their customers to the level of the 'broken lock' analogy. And this drop is significant. While the encryption methods currently deployed give users a reasonable expectation of privacy and confidentiality, the pseudo-encryption that presents the only viable solution to the law’s mandate will effectively expose users not only to their own government but also to any other government and even technically versed criminals.
The tradeoff is much larger than non-technical people including politicians realize. This point is perhaps best illustrated by a quote from then prime minister of Australia Malcolm Turnbull when he said the following in 2017 after being told that the laws of mathematics make complying with such a law securely impossible:
"Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."
While few legislators would claim that the laws of their nation override the law of gravity, the relatively complex nature of cryptography means that many fail to see the same problem when dealing with the mathematical laws governing it.
What will happen next?
No one is sure at the moment. To comply with the laws, technology companies will have three options, none of which are appealing.
The first is to create dedicated hardware and software for the Australian market. While this would represent a significant overhead, many companies already have China-specific models in their lineups to comply with Chinese legislation, making this solution easier than it appears to form a supply-chain perspective.
The second solution is to adapt all devices globally to comply with Australian legislation. This would be the cheapest solution but would also likely lead to a significant backlash among the consumer base as media companies report on the issue.
The third solution would be to pull out of the Australian market. Depending on how much of a company’s revenue flows through Australia, this can be the most effective solution in some circumstances.
We expect that companies will adapt one of the above strategies based on their circumstances. The actions of technology giants such as Apple, Alphabet and Samsung are unclear at this point in time but are sure to heavily influence how this new law will be seen in a historical context.