To be honest, when Australia’s new encryption law first passed, I was left in an utter state of shock. I didn’t expect it to pass based on feedback I knew had been given by the technology and security industries. I couldn’t believe that we, as a nation, could be so short-sighted and isolationist. And on reflection, I still feel very strongly about it, so I’d like to share my thoughts about why restricting encryption is such a bad idea.
But first, a brief recap on what the law is. The new legislation gives the government’s security and intelligence agencies the legal authority to compel tech companies to break their encryption. It would require tech companies to provide law enforcement and security agencies with access to encrypted communications.
The bill was passed with considerable opposition from IT industry advisors in Australia; there were multiple amendments recommended that could have made the bill a more palatable and intelligent piece of legislation.
What is concerning is that a logistical issue caused the bill to be tied to a completely unrelated issue on refugee immigration policy. This caused it to pass quickly, despite serious concerns. It’s extremely alarming that the Australian government chose to devalue the opinions of experts and the industry body.
I do acknowledge that this law has idealistic goals, but I also feel that it is poorly envisioned and ill-constructed in practice. The Australian government doesn’t seem to understand the domino effect and the significant ramifications that this legislation will have on global technology companies. For example, who knows whether these companies will continue to allow Australian enterprises and citizens access to world-class, highly secure technology?
Global governments are already grappling with poor investment in technology and daily breaches of supposedly protected sensitive data. And now they want to “control” the internet, which, in turn, will stifle the incredible innovation and growth of the most significant industry civilisation has ever seen—IT/OT related technology. The consequences of stifling this industry with outdated government legislation and controls, even though they may be altruistically aimed at catching a small number of nasty criminals, are very far-reaching.
I know of several legitimate technology companies with platforms needed by Australian organisations that will withdraw from the Australian market or, if cloud based, block Australian IP addresses from accessing their technology, because of their concerns about the impact of this legislation on larger markets in the US, EMEA, BRIC and SE Asia—which, due to their size, are a priority. The risk is that Australian companies and citizens end up with less access to best-in-class technology to protect sensitive data and communications, and far more opportunities for breaches by hackers.
It will be interesting to see what happens when an Australian organisation is faced with, for example, a GDPR breach caused by a leak within a government system that had access to information covered by this legislation. The reality is that we are giving corporations and government agencies a free pass to escape responsibility and liability for breaches. “Who dun it?” will be an unsolvable question when encrypted data can be accessed by so many.
Organised criminals and terrorist groups will still be able to obtain encryption technology through the global internet, regardless of a piece of legislation in Australia. In essence, this new legislation gives our government a window into a few bad actors with serious criminal intent, at the cost of an extreme loss of privacy for millions of private citizens and of the IP value of companies. Hackers must be very excited—any back door that government agencies, which generally leak like sieves, can access, so can they!
Do you agree that governments are qualified to securely manage encryption backdoors?