Juha Saarinen: Australian encryption law a bad move for New Zealand

Warrantless snooping on encrypted messaging apps like WhatsApp, Vyber, Signal, Telegram and others could happen under the proposed law, telcos say. Photo / 123RF

COMMENT: Despite being told in no uncertain terms that it's a hugely bad idea, the Aussies are pushing for a law that would force the breaking of encryption, a move that could jeopardise data security on both sides of the Tasman.

It's the now old notion that bad people use encryption, therefore Governments should be able to force decryption of data, to see what nefarious deeds are being talked about.

Seems fair enough at first glance, doesn't it?

The only problem with that notion is that there are only two types of encryption — strong and weak. What the Aussies propose is to weaken strong encryption, as that's the only way to provide access to the data it protects.

Except, the decryption capabilities are to be done without backdoors and breaking encryption that introduce dangerous systemic weaknesses that bad actors would exploit at the tip of a hat, and only target one or a small number of devices when needed.

If that sounds illogical and impossible, it's because it is. Nobody knows how to break encryption safely, least of all the Australian Government which is leaving that mission impossible for telcos, internet providers and tech companies to figure out.

Australia's Assistance and Access Bill 2018 tries to hide all that with convoluted legal twists and turns, and even criminalise the disclosure of weaknesses used to decrypt scrambled data.

Telstra and Optus have both panned the bill as a disaster in the making, which they fear will make them liable to customers and suppliers for vulnerabilities that the law will force them to quietly introduce to their networks.

Warrantless snooping on end-to-end encrypted messaging apps like WhatsApp, Vyber, Signal, Telegram and others could also happen under the proposed law, the telcos say.

The Law Council that represents the country's lawyers say the bill, as it stands, would make Australia the weakest link in the Five Eyes alliance, and end up as a funnel for data requests.

Crypto experts have also slated the bill, saying it will weaken systems elsewhere, especially if other countries copy Australian law.

For New Zealand, this should be a major concern as we're closely integrated with Australia.

That's a small sample of the opposition to the bill, which has netted around 14,000 submissions in its public consultation round.

Many companies fear they'll be caught between a rock and a hard place and lengthy court morasses as the proposed law collides with other legislation.

How does a country end up in a situation like this?

InternetNZ chief executive Jordan Carter has a simple answer. Encryption is framed as a one dimensional security issue by officials.

What this means is the discussion ends up as a techies versus bureaucrats gabfest largely hidden away from those the outcome will affect the most — the public.

"If we're going to do this, we need to have a broader discussion beyond security around the consequences of breaking encryption," Carter said.

Carter is right. The issues need to be framed in a way that explains what's at stake.

The point of encryption is to protect our privacy, financial systems, critical infrastructure and government services against criminals and nation state hackers.

Do we really want to make it simpler for criminals and our enemies to attack us, and to make the online services we rely on far less reliable and useful, by weakening and breaking encryption? I doubt the answer to that question is "yes".