Last week the Australian Government passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, which allows certain government agencies to issue secret notices compelling Australian IT workers and software developers to insert secret malicious code into any software or computer systems, for the purpose of gaining access to the content of encrypted messages on the computers and smartphones of their users. This law is in effect right now. The next time you download an update for the banking app on your smartphone, or operating system updates for Windows and macOS, or a firmware update for your modem/router, or a game update on your PlayStation, your device might also be implanted with a secret backdoor enabling remote access and monitoring. I could be forced to add malicious code to this blog and it would be illegal for me to refuse, or to warn you about it. You can no longer trust any computer hardware or software that is created, configured, or sold by someone living under the legal jurisdiction of Australia. This is kind of a big deal.
Until now it has been reasonable to assume that software and hardware makers will do their best to ensure the safety and security of the products they sell to you. As a user of these products you accept the small risk that accidental security vulnerabilities could exist, but they will be fixed as soon as possible after discovery. Downloading and installing software and firmware updates was how you protected your privacy.
Privacy in the purest definition is easy – if you keep a secret to yourself and never share it, there is zero risk. In the context of digital communication what we really need is confidentiality (the ability to exchange messages with the assumption that no one else can intercept those messages) and integrity (assurance that the messages will arrive as they were sent, without tampering). This is made possible thanks to end-to-end encryption which has been available for anyone to use since the introduction of PGP for email in 1991, and OTR for instant messaging in 2004. Encrypting the contents of a device at rest (to protect the data on a stolen device) has been possible since FileVault was released in 2003, and TrueCrypt and LUKS in 2004. Of course there is one huge caveat when using encryption: you must trust your digital devices.
Under Australia’s new law, you must assume that most of your internet-connected devices are potentially untrustworthy. An intimate secret typed into a messaging app on your smartphone might be captured by the on-screen keyboard software and sent to the government. Your voice-enabled devices (smart speakers, game consoles, children’s toys) could be accessed remotely to listen to your conversations. The VPN software you were using to bypass the Australian government’s website blocking and data retention could now be forced to provide a backdoor into your home network. It might be time to stop using online password managers.
This is part of an ongoing campaign by the Five Eyes to access and analyse the digital communications of every person on Earth. The NSA’s PRISM surveillance program collects personal data and metadata as it travels through corporate networks and servers. In the United Kingdom, the Investigatory Powers Act 2016 permits the police and intelligence agencies to hack into computers or devices to access their data. The 2017 WannaCry ransomware outbreak was made possible thanks to hacking tools created by the NSA. Australia’s mandated software weaknesses could be similarly exploited by criminal hackers.
So, is privacy dead? Not quite. The Free Software Foundation promotes the universal freedom to study, distribute, create, and modify computer software. By using only open-source software you can protect yourself against hidden backdoors and other malicious code. Even if you don’t personally read the source code, you know it’s possible for someone to read it and eventually discover and fix security problems. Check out the list of free operating systems for your computer. Almost every Windows PC or Mac can be made to run a free operating system. Consider installing coreboot, Replicant, or LineageOS if your hardware is compatible. Use software that aims to protect your privacy such as Firefox, Tor, RetroShare, Ricochet, and GnuPG.