Some misconceptions about Australia’s “anti-en…

I am seeing a lot of ill-informed discussion of this new so-called anti-encryption law passed by the Australian Parliament. I think that Australian citizens, and affected foreign nationals (more on this below), owe it to themselves to be properly informed about what they are discussing. The media is notoriously bad at understanding both the law and technology, and in this case we have a law dealing with technology. Their reporting is as poor as you would expect as a result. I strongly recommend that anyone who wants to be genuinely informed read the material published by the Parliament, including the text of the law itself, here: https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6195

I don’t hold myself out as an expert, but I think I can say I probably have a better understanding of law and technology than many of the media outlets reporting on this. Please note that nothing I say here should be taken as gospel or authoritative, none of it is expert technical or legal advice, and none of it should be a substitute for you doing your own research or due diligence. I just want to have an informed discussion.

So, without further ado, some misconceptions I’m seeing in the discussion.

The backdoor law, not the anti-encryption law

First, calling this law an “anti-encryption” law is misleading and distracts from its real effect. The law is not primarily about breaking encryption. In fact, the law specifically says that communications providers cannot be required to take any action that would “render systemic methods of authentication or encryption less effective”. Nor is the law principally about requiring providers to hand over end-to-end encrypted communications, because obviously the providers do not have the decrypted communication and cannot obtain it. That is the whole point of end-to-end encryption.

The real purpose of the law, it seems to me, is to get access to communications before they are encrypted (e.g. as you type your email into your email client or browser, or as you type your message into WhatsApp) or once they have been decrypted by the recipient (i.e. on the recipient’s phone or computer). That is, the real point here is to create backdoors.

Let’s take a concrete example. Users A and B are having a WhatsApp conversation. WhatsApp does not know what the content of the conversation is, because all communications between the users are encrypted. User A runs Android on their smartphone, while user B has iOS on an iPhone. Under this law, the government could, for example, require Apple or Google, or A’s or B’s telcos, to send an “update” to their phones that installs a backdoor (on those specific devices, not on all Android or iOS devices). In either case, encryption remains intact. All that has happened is that the government has a backdoor and can read the communication unencrypted.

This law does not apply only to Australians or to companies based in Australia

There is a misconception in the discussions I have read that this law is a problem for Australians only, or only affects companies based in Australia. For example, ProtonMail has made this comment in a recent blog entry:

> Does the Assistance and Access (A&A) law impact ProtonMail?
>
> Fortunately, there is virtually no way to enforce this law outside of Australia because it has no foreign equivalent. ProtonMail, a Swiss company with datacenters only in Switzerland, is not under Australian jurisdiction. Any request for assistance from Australian agencies under the A&A law would need to pass the scrutiny of Switzerland’s criminal procedure and data protection laws. Tech companies with a corporate presence in Australia, however, are more likely to be impacted.
>
> But just because this particular law does not affect ProtonMail and ProtonVPN does not mean we are indifferent. A&A is one of the most significant attacks on digital security and privacy since the NSA’s PRISM program. But the Australian measure is more brazen, hastily forced through Parliament over the loud objections of every sector of society, from businesses to lawyers groups. We thoroughly condemn the new law, and as the world’s largest encrypted email provider, we remain committed to protecting our users anywhere in the world, including in Australia.

This is simply wrong. The law applies to entities that are defined as “designated communications providers”. The term is defined in section 317C of the new law, and I encourage all of you to read it. It is at pages 18-21 of this PDF: https://parlinfo.aph.gov.au/parlInfo/download/legislation/bills/r6195_aspassed/toc_pdf/18204b01.pdf;fileType=application/pdf

The definition is extremely broad. In short, it includes virtually every hardware, component or equipment maker; technology and communication service providers; software developers or providers; data centre operators or providers; and persons or entities that service these up and down the supply chain. It almost certainly also includes email service providers, web hosts and website providers, including those based overseas who have even a single Australian user.

I am not aware of anything preventing the relevant Australian official from giving ProtonMail, or other overseas entities, requests or notices under the legislation. I also can’t see any reason why those requests or notices couldn’t also be in relation to non-Australian users. For example, if the Australian government suspects that person A is plotting a terrorist attack in Australia, and is frequently communicating with person B who is based in America, I’m not aware of anything in this law that would prevent the Australian government from asking for access to person B’s device or communications, even though B may be American and have no connection to Australia.

Under the law, these notices can also be issued to assist with the enforcement of foreign criminal laws. So, it seems at least possible that if the US government had concerns that an American was planning to carry out a terrorist attack in the US, it might be able to ask the Australian government to assist, and the Australian government might be able to issue a notice, get access to the communications of an American citizen, and provide them to the US government. I am not sure whether, on close scrutiny of the terms of the law, this would be allowed. But it is something foreign nationals who think this doesn’t affect them might want to think about.

If anyone has questions, or has any thoughts or comments after actually reading the documents, it’d be great to have some informed discussion.