The proposed legislation on cyber powers raises some questions that need to be answered. The debate has been rhetorical and has not addressed the technical or legal aspects of the legislation in any detail. Has the implementation been thought through by all concerned? We don’t have all the answers but wonder if the Government does either. The political debate is on the level of kindergarten abuse instead of dispassionate discussion of the issues. There are serious problems in implementing the legislation and it may well fail because it is impractical.
The politics of the proposed cyber legislation are pretty obvious and represent the oldest trick in the political book. You create public fear of a threat and then tell people you will save them from it. According to the Government it is necessary to protect us from terrorists and paedophiles. Presumably they will all be on holidays over the Christmas-New Year break, so it was safe not to get it passed last week! The Opposition sensibly demanded answers to some important questions, but then Shorten caved in for cheap political reasons. Hopefully good sense will prevail in February, but this is wishful thinking. As the election gets closer, the standard of political debate will become even less related to reality.
There are a number of areas of doubt which need to be addressed and some of these are set out below:
- It will be very difficult to implement. Firms cannot weaken their encryption systems on a selective basis. There is no way they can single out individuals without weakening the whole system, which will make it easier to hack everyone on that system. The law requires firms to help the government break their own encryption but doesn’t specify how to do it. One thing the government can do is ask the firm to deliver a compromised version of its software to a particular individual. This could be done with most software, since it updates automatically for existing customers. However, all of the ways of complying have problems for the firms, for the government and perhaps for the users, which is no doubt why tech companies and others oppose it. It’s likely that many companies would choose to leave Australia rather than compromise the security of their software.
- If the government were to request a firm to create a backdoor in their software, the firm would then be violating the European GDPR data privacy laws. EU citizens’ data can hardly be considered “private” if the Australian government and the firm in question are snooping on it. Companies will therefore have to choose which law to follow. Most companies will presumably choose the larger European market. Big overseas companies may well choose to leave Australia. Does the Government have a solution to this problem and if so what is it?
- The next question then is how the Government informs the firm. If the request is made online, it becomes easier for hackers to send a fake request, unless the Government makes a public statement that it will never use the internet to contact firms it wants to comply with the law. Hackers can impersonate the government to get data anyway. Will terrorists and paedophiles simply stop using the internet if they see a threat of exposure from this legislation? After all, terrorists and paedophiles were active long before the internet was invented, so it is not essential to their activities. Similarly, criminals (the smart ones) will just switch to a different communication method if the one they use gets compromised; the Mafia ran successful operations long before the internet. Some encrypted communication methods (like Signal) have their inner workings publicly available, and so are difficult for the government to backdoor without it being obvious.
Perhaps the Government has thought through all these problems and has answers, but it would be helpful to know what the answers are.
Cavan Hogue is a former public servant, diplomat and academic. Alex Hogue is a cyber security professional.