Academics weigh in on decryption Bill

Technology experts from academia are divided over the threat Australia’s proposed decryption Bill poses to citizen privacy and the integrity of digital services.

The draft Telecommunications Assistance and Access Bill 2018 has been strongly opposed by representatives of the global technology sector, with Apple calling the draft Bill “dangerously ambiguous” and stating that the powers proposed should “alarm every Australian”.

In a submission to the public consultation on the proposed legislation, Apple said the Bill could require device makers to create a tool to unlock a particular device regardless of whether the tool could be used to unlock every other user’s device.

The legislation could even allow the government to order smart home speaker manufacturers to install persistent eavesdropping capabilities into a person’s home, or to force providers to provide real-time interception of messages or internet-based audio or video calls, Apple warned.

Katina Michael, professor at the Arizona State University School for the Future of Innovation in Society and the School of Computing, Informatics and Decision Systems Engineering, agreed that the legislation could have serious consequences.

“What politicians and law enforcement agencies have not realised is that by creating rules that allegedly minimise the risk of cyberterrorism via encrypted messaging, that they are encroaching on organisational security, and on every individual citizen’s right to privacy,” she said.

“Privacy is a human right, and one way that right can be maintained in today’s digital transactions is through encryption.”

But she hinted that big tech companies such as Apple’s motives for opposing such legislation may not be as pure as they present them to be.

“The complexity here is in the fact that private corporations like Apple, Google, Facebook, Amazon and Microsoft are amassing so much personal data that citizen data rights are being equally eroded by corporations themselves who share the data with third parties,” she said.

“We need to take a step back as Australians and ask ourselves why are these private corporations fighting this government Bill together? One answer has to do with products and services that offer encryption in their operating systems and platforms as a competitive advantage, but another might be that private corporations want to maintain their power on governments.”

Monash University Faculty of IT Associate Professor and Director of Oceania Cyber Security Centre Dr Carsten Rudolph warned that the legislation threatens to undermine the security of a wide range of digital processes.

“Cryptography and security protocols are fundamental for many digital processes from e-commerce, banking, payments, to supply chains, control of critical infrastructures and others. Thus, it mainly protects our data, prevents crime and enables digitisation of our economies in the first place,” he said.

“Building any kind of third-party access into our systems undermines this security. Even worse, it might push criminals into other less visible and actually secure communication channels.”

But Curtin University School of Information Systems Adjunct Professor Dr Richard Adams said that while technology vendors have an obligation to protect their customers’ data from unauthorised access, they also have an obligation not to hinder law enforcement and intelligence services investigations.

“The challenge is for manufacturers to meet the needs of both groups rather than adopt the best stance from a marketing/cost perspective,” he said.

“The proposed legislation leaves the technical decisions to the manufacturers and service providers for how they implement strong encryption for data protection while allowing ‘special case’ access. The onus is therefore on them to develop a viable solution rather than to fall back on claims that it is ‘too difficult’ or that it will open up everyone’s data to ‘snooping’ by the security services, presumably on the assumption that they don’t have anything better to do.”

One solution could be to store all data on a device twice, and to individually encrypt each set of data, protecting one with a user key and one with a complicated manufacturer key that could nevertheless be used by the manufacturer to provide access for investigators as required.

“Obviously there would be push-back on the additional storage required and reduced battery life but the point is that from a purely technical standpoint it could be done relatively easily,” he said.

Image credit: ©stock.adobe.com/au/monsitj

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.