Australian data access bill a sign of the times (on the blockchain)
The proposed bill raises a lot of questions, but as a whole might be best answered with a hard no.
Last week the Australian government proposed a new data access bill, as it's called. The draft bill is specifically intended to "amend the law relating to telecommunications, computer access warrants and search warrants, and for other purposes."
The gist of it is that companies will be obligated to give ASIO (the Australian secret service) assistance accessing customer data and other information when asked. The bill might be seen as formal recognition of the slow collision between the need for authorities to access communications to catch criminals and the fact that everyone is now carrying military-grade encryption in their pockets.
"Over 90 per cent of data being lawfully intercepted by the AFP now use some form of encryption. Effectively all communications among terrorists and organised crime groups are expected to be encrypted by 2020," the Department of Home Affairs explains.
One can't help but wonder about all those terrorists who apparently aren't yet using encrypted communications, given how easily accessible they are.
In its current state, the bill has been widely regarded as equally ambiguous, unsatisfactory, unable to please everyone and unable to accommodate the current reality of encryption technologies, to say nothing of the next generation of decentralised systems and blockchain technologies.
"These powers cannot be used to introduce so-called 'backdoors' or require a provider to disclose communications content or data," the Australian government explains. "The Australian Government has no interest in undermining systems that protect the fundamental security of communications... so-called 'backdoors' weaken the digital security of Australians and others."
"This bill is attempting to encourage providers to build backdoors into their systems," Noah Abelson-Gertler, digital rights expert and CEO of ShareRoot, explains. "If pressured enough the companies will cave under pressure."
The apparent discrepancy might not be as great as it seems. The bill might not explicitly call on companies to build backdoors into their systems, but it still lays out a set of obligations that are most feasibly fulfilled through the use of backdoors.
The draft bill explicitly says that companies can, among other things (section 317E, page 6), be ordered to start:
- "Removing one or more forms of electronic protection that are or were applied by, or on behalf of, the provider".
- "Facilitating or assisting access to... customer equipment... an electronic service... software..." and much more.
- "Modifying, or facilitating the modification of, any of the characteristics of a service provided by the designated communications provider".
Under the bill, companies can also be ordered to conceal the fact that they did anything at all.
Backdoors are such a bad idea overall because they're a deliberate vulnerability. Just because they're intended to only be exploited by good guys doesn't mean the bad guys can't use them too. The same problem was prominently on show in the USA when lawmakers were grappling with the exact same issue.
"It's impossible to build a back-door for just the good guys – if somebody at the Genius Bar could figure it out, so could the nefarious folks in a van down by the river," said representative Jason Chaffetz (R-Utah) at the time.
The end result might be that companies will simply choose to withdraw from the relatively small Australian market, rather than wade into all the obligations of the bill and handle the pressure of being strongly encouraged, if not explicitly ordered, to install backdoors. The reality of the current state of encryption technology, and the markets which are currently driving it, might be at odds with what the bill is intended to accomplish. Factor in the accompanying cost to consumer privacy and the bill starts looking even harder to justify.
Abelson-Gertler doesn't think it has to be that way.
"Does this mean that our position is that governments shouldn't prevent crime? Absolutely not," he said. "On the contrary, our belief is that when the situation or crime calls for it, governments find ways to get access to the data and information they need, and this is how it should be."
"We would all be fooling ourselves if we thought that the Australian government has not bent existing rules to prevent crime, and instead of arguing whether or not that should happen, our argument is: don't reduce the bar for consumer protection and privacy so that when the government bends the rules again the bending is at a much larger cost to consumer privacy."
Historical precedents don't inspire a lot of confidence either.
A retrospectively slippery slope
The broad claim being made by the bill is that the government needs to have more access to online communication to prevent crime. The problem, Abelson-Gertler says, is that it's so far been difficult to untangle the connections between businesses having access to user data and governments having access to user data.
Much like how you can't install backdoors without creating vulnerabilities, there's so far no indication that it's possible to detach government access to and use of consumer data from business access to and use of consumer data.
"If we look back to 9/11 what we find is that the US government got on its soapbox and insisted that not only in the US, but also throughout the rest of the world, it was imperative that governments have the ability to survey their citizens online in order to keep them safe," Abelson-Gertler says. "Well, fast forward only 10–15 years and what you will find is that when the rest of the world agreed to this approach in 2001 and 2002, they started down a path that led to governments being able to spy on their own citizens, companies having carte blanche access to any consumer data they wanted, and many other issues around consumer data and privacy protection that not only privileged governments but also businesses."
"So, based on the course of history, when a bill like this is proposed, we can see how it can lead to negative outcomes even if the initial pitch delivered preaches a government's ability to stop crime."
The legitimisation of this kind of surveillance, ostensibly for the protection of nations and their citizens, paved a road that recently led to the Facebook Cambridge Analytica scandal and the accompanying US election tampering. The measures initially intended to ensure the protection of the United States against bad actors and hostile foreign powers may have backfired dramatically and had the exact opposite effect.
As far as object lessons in unintended consequences go, that's an absolute banger.
Growing dependence on top-down enforcement
Apple has started designing encryption systems that it can't override, even if it wants to. The main reason might be because the alternative is to deliberately build a vulnerable and sub-par system. Another reason might be because it's an accurate and valid reason for Apple to shrug and say "no can do" when asked to perform the kinds of actions described in the Australian data access bill.
At the same time, Apple as a company is a distinct entity and any identifiable entity can be pressured. It's the one that designs, builds and manages its systems, so with sufficient application of pressure its encryptions can still be popped open.
Decentralised systems are a separate issue. Here, there's no one to apply pressure to. There's no one to threaten with fines or jail time for resisting requests to install backdoors or grant authorities access to someone else's communications. In these cases it's straight up not possible to enforce the kinds of actions described in the bill, because there's no one to enforce them against and, even if there were, that person wouldn't necessarily have the power to do it.
With unintended consequences in mind, it may be worth considering what happens if ASIO starts leaning on the powers described in the bill and starts building systems dependent on being able to exercise them, only to discover that the current frontier of technology has moved on.
This isn't some distant hypothetical either. It's already happening.
The data access bill carries some monumental downsides, even without cracking open the very wriggly can of worms that is the right to privacy and the idea of individuals being in control of their own data.
Is there any way for it to end except for the bill to be roundly ignored and unused? Or for companies and products to end up divided between the unsecure, unsafe and legal and the secure, safe and illegal? Just like the bill itself, the right answer is still up for debate.
Tough questions prompted by new technological developments, with lots of opinions and little certainty, are a sign of the times. If nothing else, one should at least look back at historical cause and effect before rushing into anything.
Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, ADA