Cracking Down on Personal Information: Legitimacy for Backdoors and Anti-Encryption


1Q 2019 | IN-5368

Online privacy and consumer protection are obviously topics of concern when bills like the one recently approved by Australia allow law enforcement and government entities to circumvent encryption to obtain personal data. How the tech giants, end users, and other legislative entities respond will be interesting to watch.



Australia Passes New "Anti-Encryption" Legislation


In the last few days before the end of the year (December 8, 2018), Australia moved forward with a new piece of legislation that gives the government more power for investigative security purposes. Entitled the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, it allows law enforcement and government entities to effectively circumvent most (if not all) of the encryption that prominent technology vendors put in place to protect users’ personal information, and to gain direct access to that data. This will affect new market entrants as well as existing players, forcing even technology giants like Google, WhatsApp, and Facebook to conform to the new regulatory measures and, to put it bluntly, “unlock” almost every piece of Personally Identifiable Information (PII) and consumer data for any governmental agency that requests access to it.

What Is the Bill Aiming to Achieve?


The Australian government is moving ahead with this new law, which is expected to be in effect within the first couple of months of 2019, having gained the support of both major political parties. The bill was introduced to the House of Representatives on September 20, 2018 and aims to significantly lower the requirements for obtaining warrants for cybersecurity and computer-access operations, so that a lawful search can be conducted more readily. The purposes of these cyber-trail searches range from cases concerning drugs, illegal substances, firearms, and human trafficking to national security issues.

So, why remove the procedures for obtaining a warrant prior to an in-depth investigation? One well-known investigative consideration is that speed is one of the major factors when it comes to cybercrime. Political discourse in Australia argues that obtaining a warrant will invariably slow down the legitimate process, compromising law enforcement strategies. Thus, even though the use of encryption will still be mandatory for tech-related software and products, law enforcement and electronic crime units will simply be able to bypass it, because the cryptographic features in leading products are seen as working against them in the race against time. These initiatives are outlined in the bill as “Technical Assistance Notice” and “Request and Technical Capability Notice,” and the bill requires all technology companies, their products, and their platforms to comply with Australian law enforcement and the Attorney General’s mandates regarding methods of decrypting, or directly accessing, any information contained therein.

Regarding the Legitimacy of Backdoors


Such bills, however, are effectively double-edged weapons: they assist governmental agencies, law enforcement, and cyberattackers (we will get to that last one in this section), but they also hinder every other link in the security value chain. This is not the first time that the issue of encryption and access to personal information has been entangled with law enforcement procedures. In past years, the U.S. Federal Bureau of Investigation (FBI) urged Apple to unlock a suspect’s iPhone, which was locked with a fingerprint sensor. The FBI went as far as to request that its personnel, along with other law enforcement agencies and the Central Intelligence Agency (CIA), have direct access through backdoor systems in all major tech platforms. Other tech giants (including Microsoft, Google, Facebook, Yahoo, and many others) stood by Apple against the governmental mandates, which would have forced them not only to lose credibility in the eyes of their customers, but also to lower their overall security posture.

But why is that? Why would the government (or any third party, for that matter) having access through backdoors built into major tech platforms be problematic? Because establishing a backdoor for a third party is not a one-way street: if one entity is able to exploit it, then every other entity would be able to exploit it (or at least part of it). In short, tech companies would effectively have to create insecure products and processes whose encryption can be bypassed, from the very development and support phases onward. For every new security protocol put in place, tech vendors would have to create new contingency options just for the entity requesting direct access. The Internet of Things (IoT) ecosystem, in general, is in desperate need of cryptographic features, and one of the few technology segments where encryption is already used (albeit with varying degrees of success) is the set of verticals aimed at user interaction (e.g., Voice over Internet Protocol (VoIP), messaging, etc.). Any regulation that weakens this capability will put all related markets at risk. On the other hand, cybercrime, espionage, and fraud are gaining momentum at an alarming speed, and these new bills are attempting to shed more light on this digital darkness. As with most security-related discussions, there is no clear-cut answer, and numerous trade-offs must be considered. Time will tell whether this experiment will work and whether online privacy and consumer protection are a thing of the past.
