by Danny O’Brien, Electronic Frontier Foundation
With indecent speed, and after the barest nod to debate, the Australian Parliament has now passed the Assistance and Access Act, unopposed and unamended. The bill is a cousin to the United Kingdom’s Investigatory Powers Act, passed in 2016. The two laws vary in their details, but both now deliver a panoptic new power to their nations’ governments. Both countries now claim the right to secretly compel tech companies and individual technologists, including network administrators, sysadmins, and open source developers, to re-engineer software and hardware under their control, so that it can be used to spy on their users. Engineers who refuse to comply can be penalized with fines and prison; in Australia, even counseling a technologist to oppose these orders is a crime.
We don’t know — because it is a state secret — whether the UK has already taken advantage of its powers, but this month we had some strong statements from GCHQ about what they plan to do with them. And because the “Five Eyes” coalition of intelligence-gathering countries have been coordinating this move for some time, we can expect Australia to shortly make the same demands.
Ian Levy, GCHQ’s Technical Director, recently posted on the Lawfare blog what GCHQ wants tech companies to do. Buried in a post full of justifications (do a search for “crocodile clips” to find the meat of the proposal, or read EFF’s Cindy Cohn’s analysis), Levy explained that GCHQ wants secure messaging services, like WhatsApp, Signal, Wire, and iMessage, to create deceitful user interfaces that hide who private messages are being sent to.
In the case of Apple’s iMessage, Apple would be compelled to silently add new devices to the list of devices that apps think you own: when someone sends you a message, it will no longer just go to, say, your iPhone, your iPad, and your MacBook — it will go to those devices, and a new addition, a spying device owned by the government.
With messaging systems like WhatsApp, the approach will be slightly different: your user interface will claim you’re in a one-on-one conversation, but behind the scenes, the company will be required to silently switch you into a group chat. Two of the people in the group chat will be you and your friend. The other will be invisible, and will be operated by the government.
The intelligence services call it “the ghost”; a stalking ghost that requires the most secure tech products available today to lie to their users, via secret orders that their designers cannot refuse without risking prosecution.
So this is the first step, after this Australian bill becomes law. We can imagine Facebook and Apple and other messaging services fighting these orders as best as they can. Big tech companies are already struggling with a profound collapse in trust among their customers; the knowledge that they may be compelled to lie to those users will only add to their problems.
But what about other services, who refuse to compromise their users’ security? What about the open source projects that will ask their Australian contributors to stop working on their security code, and businesses who will choose not to employ Australian developers, or decline to open offices in that country?
There can be only one step after you’ve compelled the big companies to agree to your back-doors, and that is to criminalize those truly secure services who prefer to follow the “laws of mathematics” instead of “the laws of Australia”.
Somewhat more quietly than the passage of the AA bill, the Australian Parliament this month also voted for an expansion of the country’s already wide-ranging website blocking powers. Australia continues to work to establish another precedent: that even supposedly open and democratic states should be able to censor and filter the Internet. If the country continues to walk down this road, then it’s only a matter of time before only back-doored communication tools run by compliant multinational tech companies are permitted in Australia, and all other services and protocols will face government-mandated blocking and filtering.
That world is still only a potential future. There will be opportunities for companies, lawyers, activists, technologists, and Australian voters to keep a filtered, insecure Australian Net from becoming a dystopian reality. But this month, thanks to Australia’s lawmakers on both left and right, that reality is a giant step closer.
© 2018 Electronic Frontier Foundation, CC BY 3.0 US