Australia’s new encryption legislation has red flags beyond the usual encryption debate, Eric Wenger, Cisco's director of cybersecurity and privacy for government affairs, tells Codebook.
Wenger recently testified in front of lawmakers Down Under about the bill, which is facing a vote in parliament within weeks, per Reuters.
Why it matters: Think of Australia as the first domino in a global move toward encryption legislation. Its bill — which would give law enforcement access to encrypted data without the consent of the owner — would likely be a model for the U.S. and others.
- The "Five Eyes" intelligence alliance — Australia, Canada, New Zealand, the U.S. and U.K. — recently released a coordinated statement on the need for governments to have access to encrypted files. Soon after, Australia introduced its legislation.
- "It would make sense there's an expectation that the other countries in the group would want to try to follow Australia’s example," Wenger says.
- Many products are designed with U.S., Canadian and U.K. markets in mind, given their size. Legislation from those countries is mimicked around the world.
The Australian bill is the next link in a chain of legislation dating back to 1994, when the U.S. passed the Communications Assistance for Law Enforcement Act (CALEA), Wenger says.
- CALEA requires digital telephone carriers to be compatible with wiretaps, but it doesn’t apply to encrypted chat apps that use the same networks.
- The U.K.’s Investigatory Powers Act took CALEA a step further, requiring manufacturers to help law enforcement decrypt devices and communications if the manufacturer has access to do so.
- The Australian bill goes further still: it would allow the attorney general to order technology providers to redesign a product so that law enforcement can access it.
There are safeguards written into the bill, but Wenger says Cisco sees ways they might fall short:
- "The way we read it, the Australian law could require us to build a capability to surveil but not disclose it. ... We want to be able to disclose any new features."
- The bill specifically bars the attorney general from demanding a "systemic vulnerability," but doesn't define what that means.
- Law enforcement agencies suggest defining "systemic" as affecting all copies of a device. "That seems broad," Wenger says.
- Cisco worries there is no court process to challenge an order.
Even if all these issues are addressed, there may be unintended consequences. The easiest way for a provider to add a surveillance capability to a product already in customers' hands may be to push it out through a tainted software update. But if users come to suspect that updates carry surveillance code, they may stop installing them altogether, leaving known vulnerabilities unpatched and creating far larger security problems than the one the order was meant to solve.
The bill explicitly permits the government to hack systems for surveillance. The U.S. has a process (the Vulnerabilities Equities Process) for weighing whether the intelligence value of keeping a vulnerability secret for the government's own use outweighs the risk of leaving it unpatched in products that manufacturers could otherwise fix; many governments — including Australia — have no such process. Wenger thinks one should be in place before a government does any hacking.
The bottom line: These concerns are above and beyond all the traditional, familiar arguments about the dangers of circumventing encryption — and suggest just how big a fight the coming encryption debate could become.