As the world watches, the Australian government is trying to help eliminate its citizens’ online security and privacy by introducing backdoor access to encrypted communications. A collection of tech companies has addressed an open letter to the government detailing why its initiative is utterly misguided.
As we wrote recently, the Australian government has steadily been working towards forcing tech companies in Australia to open their encrypted communications. Ostensibly, the government wants this to improve public order and counter-terrorism capabilities, and that may be true – but the current global trend towards excessive, big-brother surveillance makes that claim hard to believe.
Another issue with this goal is that it is, in many cases, difficult or impossible to implement without creating glaring vulnerabilities that will severely endanger individuals and organizations that need privacy or security online.
Let’s take Telegram as an example. With the right settings, Telegram provides end-to-end encryption, meaning that even the company itself can’t read users’ messages. In order for Telegram to comply with the law being drafted by the Australian government (there’s no telling if they will), they’d have to open a backdoor into the encryption for any conversation involving any user in Australia.
Any backdoor given to the government can also be exploited by anyone else with the technical know-how to open that same door. What was once an extremely secure end-to-end guarantee of your security and privacy would become nothing but a sweet nut to crack for hackers, hostile governments, and anyone else interested in harvesting the Australian public’s data.
The protest letter, which was sent by a digital rights organization called Access Now, doesn’t mince words. The new law, it says, will have a “deleterious impact on internet security, including for government and business officials as well as journalists and human rights defenders. Impacts would also be felt across important sectors, […] with potential consequences seen in increases in online criminal activity and unauthorized access to personal and proprietary data.”
What’s strange is that while the government fights to make the Australian internet less secure, it’s also pushing to launch more and more government services online. The letter clarifies this critical point: “One of those threats would be the increased conscription of out-of-date products into botnets, which could be used for anything from denying user access to critical services (relevant as Australia seeks to provide more government services through the internet) to delivering additional malware to ever-increasing numbers of users or systems.”
To put that in clearer terms, the Australian government is pushing citizens to manage more of their sensitive personal information online while also potentially making it harder for citizens to protect that data.
The problem right now is that it’s hard to say whether or how the law will actually work – we haven’t seen any copies yet. All we know is that it’s being drafted and that its supporters have pledged to make encrypted information accessible to law enforcement. Companies without end-to-end encryption might be compelled to log and hand over user data, while end-to-end encryption companies would have to provide backdoor access.
Companies based outside of Australia would have a much easier time operating without complying with the new law. NordVPN, for example, is based in Panama, where we aren’t legally required to collect user logs. One of our core values is the belief that every user deserves privacy and security online and off. Our service does not log, much less provide, user data in any country it operates in, including China, Russia, and other states with poor online privacy records. We do not plan to ever change this practice.
If you want to do your part to stop the Australian government from drafting this misguided law, sign Access Now’s online petition.