Last week the Australian Government passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, which allows certain government agencies to issue secret notices compelling Australian IT workers and software developers to insert secret malicious code into any software or computer systems, for the purpose of gaining access to the content of encrypted messages on the computers and smartphones of their users. This law is in effect right now. The next time you download an update for the banking app on your smartphone, or operating system updates for Windows and macOS, or a firmware update for your modem/router, or a game update on your PlayStation, your device might also be implanted with a secret backdoor enabling remote access and monitoring. I could be forced to add malicious code to this blog and it would be illegal for me to refuse, or to warn you about it. You can no longer trust any computer hardware or software that is created, configured, or sold by someone living under the legal jurisdiction of Australia. This is kind of a big deal.
Until now it has been reasonable to assume that software and hardware makers will do their best to ensure the safety and security of the products they sell to you. As a user of these products you accept the small risk that accidental security vulnerabilities could exist, but they will be fixed as soon as possible after discovery. Downloading and installing software and firmware updates was how you protected your privacy.
In this context my definition of privacy is: the ability for two people to exchange messages with each other over the internet using a smartphone or personal computer with reasonable confidence that no one else can read those messages. This kind of privacy is possible thanks to end-to-end encryption which has been available for anyone to use since the introduction of PGP for email in 1991, and OTR for instant messaging in 2004. Encrypting the contents of a device at rest has been possible since TrueCrypt and LUKS were released in 2004. Today encryption has evolved to become easier, safer, and nearly ubiquitous.
Under Australia’s new law, you must assume that most of your internet-connected devices are potentially untrustworthy. An intimate secret typed into a messaging app on your smartphone might be captured by the on-screen keyboard software and sent to the government. Your voice-enabled devices (smart speakers, game consoles, children’s toys) could be accessed remotely to listen to your conversations. The VPN software you were using to bypass the Australian government’s website blocking and data retention could now be forced to provide a backdoor into your home network. It might be time to stop using online password managers.
This is part of an ongoing campaign by the Five Eyes to access and analyse the digital communications of every person on Earth. The NSA’s PRISM surveillance program collects personal data and metadata as it travels through corporate networks and servers. In the United Kingdom, the Investigatory Powers Act 2016 permits the police and intelligence agencies to hack into computers or devices to access their data. The 2017 WannaCry ransomware outbreak was made possible thanks to hacking tools created by the NSA. Australia’s mandated software weaknesses could be similarly exploited by criminal hackers.
So is privacy possible anymore? Maybe.
Richard Stallman’s Free Software Foundation promotes the universal freedom to study, distribute, create, and modify computer software. By using only open-source software you can protect yourself against hidden backdoors and other malicious code. Even if you don’t personally read the source code, you know it’s possible for someone to read it and eventually discover accidental or deliberate security problems. Check out the list of free operating systems for your computer. Almost every Windows PC or Mac can be made to run a free operating system. Consider installing coreboot or Replicant if your hardware is compatible. Use software that aims to protect your privacy such as Firefox, Tor, RetroShare, Ricochet, and GnuPG.
And never let an Australian contribute to your open-source project without thorough code review.
Wired: Australia’s Encryption-Busting Law Could Impact Global Privacy
The Guardian: Australia’s war on encryption: the sweeping new powers rushed into law
ABC: ‘Outlandish’ encryption laws leave Australian tech industry angry and confused
SBS: Tech companies could leave Australia over Dutton’s encryption bill: Lobby
The Register: A crypto-busting super-snoop law passes just in time
New York Times: Australia Wants to Take Government Surveillance to the Next Level
ZDNet: What’s actually in Australia’s encryption laws? Everything you need to know
TNW: Australia’s horrific new encryption law likely to obliterate its tech scene
EFF: In the New Fight for Online Privacy and Security, Australia Falls: What Happens Next?
First Dog: Why we are governed by idiots and you should be worried
“There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You had to live – did live, from habit that became instinct – in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized.”
George Orwell, 1984