It seems scarcely a week has passed in 2018 without a fresh revelation about how consumers' digital data privacy is being undermined, or how consumer data is being misused, with Facebook in particular dominating the headlines. The closing days of the year have been no different, with the UK government's seizure and publication of a series of internal Facebook emails that disclosed further details about how the social network intended to share its users' data with third parties.
But overshadowing even the momentous Facebook revelations during 2018 was the rushing into legislation of Australia's Assistance and Access Bill 2018 (AA Bill) on Friday, December 7 – the last sitting day before the parliamentary summer holidays. The AA Bill seeks to compel the communications industry to assist Australia's security and law enforcement agencies by allowing these agencies to monitor encrypted communications services. Australian MPs had very little time to debate the bill, much less absorb the hundreds of submissions made by individuals as well as companies such as Apple, Mozilla, Cisco, Kaspersky, Telstra, and Optus, and organizations such as the Australian Information Security Association, the Global Digital Foundation, and the Australian Communications Consumer Action Network.
One of the key concerns around the AA Bill (and there are many, many concerns) is that it would allow Australia's security and law enforcement agencies to require that technology companies provide access to encrypted messages, on services such as WhatsApp, Facebook Messenger, and iMessage. The Australian government's rationale is that obtaining access to these messages will help it better combat terrorism and crime; and politicians' fears about potentially avoidable attacks happening during the 2018 festive holiday season helped fast-track the AA Bill into law.
The AA Bill is the first successful attempt by a government to introduce a type of legal interception within communications apps. It is an outcome of the fear and frustration felt by security and law enforcement agencies in Australia – and in other countries – where there is significant penetration of communications apps that enable end-to-end encryption (E2EE). Security and law enforcement agencies are afraid, or rather well aware, that these communications apps are being used to organize terrorist attacks or commit other heinous crimes. The agencies are also frustrated that they are legally unable to monitor messages sent via these platforms so that they can thwart the perpetrators of these activities.
Australia is not the only "Five Eyes" government to propose such laws: the intelligence agencies of the UK and the US are seeking the introduction of similar legislation. But in passing the AA Bill, Australia sets a potentially dangerous global precedent. Other governments might at best take a watch-and-learn stance and, at worst, seek to implement similar legislation. Technology companies may now have to compromise their encryption capabilities to enable security and law enforcement agencies to access encrypted messages on communications apps. According to Ovum's Digital Consumer Insights 2018 survey, communications apps are the fifth most trusted type of service provider for consumers' personal data, behind banks, healthcare providers, government departments, and utilities, but ahead of telcos and social networks (see Figure 1). It hasn't been made clear exactly how the access will be enabled, which means there is also uncertainty around how far encryption will be compromised. It's possible that Australian intelligence and law enforcement bodies may push for something similar to the "crocodile clips" approach put forward in the UK, which would allow them to eavesdrop on conversations without necessarily weakening encryption.
Figure 1: Communications apps are the fifth most trusted service for consumer data
Source: Ovum's Digital Consumer Insights 2018 survey
But in trying to crack down on the darker uses of encrypted messaging, the AA Bill 2018 puts at risk the encryption that safeguards legitimate online communications and transactions. From there it is a slippery slope into a world where ordinary consumers become fearful, frustrated, and distrustful – fearful that their communications apps are being monitored, frustrated that they can't share information or conduct transactions securely, and distrustful of those companies whose apps they are using. Meanwhile, those who are using communications apps with malicious intent will likely find the means to circumvent the new laws by, for example, moving to lesser-known apps with E2EE or using virtual private networks (VPNs) – thus rendering ineffective the Australian government's attempts at oversight.
Straight Talk is a weekly briefing from the desk of the Chief Research Officer.