Australia's Crypto-Cracking Law Is Spooking Big Tech
Microsoft's Brad Smith Says Companies Don't Want to Store Data There
Microsoft Chief Legal Officer Brad Smith says Australia's new encryption-busting law is causing companies and governments to look elsewhere to store their data.
The fear is that the Australian government may use broad and opaque legal powers to force technology companies to undermine their own encryption, or in other cases, engineer new software to unlock encrypted data.
"When I travel to other countries I hear companies and governments say 'we are no longer comfortable putting our data in Australia', so they are asking us to build more data centers in other countries," says Smith, according to the broadcaster ABC. Smith was in Canberra on Wednesday.
Smith's comments reinforce the views of other technology companies that have said the law, which went into effect in December, has undermined trust in their local operations (see: Australia Passes Encryption-Busting Law).
According to the ABC, Smith says Microsoft has not yet changed its operations in Australia, but the law is causing concern.
"We will have to sort through those issues, but if I were an Australian who wanted to advance the Australian technology economy, I would want to address that and put the minds of other like-minded governments at ease," Smith says.
Government: Encryption Threatens Public Safety
As in the U.S. and U.K., Australian authorities have asserted that encrypted communications are hampering investigations, increasing the risks to public safety. End-to-end encryption is implemented in messaging systems such as Facebook's WhatsApp, Signal, Wickr and Apple's iMessage.
The decryption keys are only held on the end-user devices, which means, in theory, that law enforcement would need unlocked devices in hand for a chance at recovering unencrypted messages.
The New York Times reported in January that Facebook is considering implementing end-to-end encryption in its Messenger product and within Instagram, covering two of the most popular software services on mobile devices.
Known as the Assistance and Access Bill 2018, the law gives the Australian government new tools to pressure technology companies into aiding investigations into terrorism and organized crime.
Under the law, an organization can be served with a technical assistance request, which asks for voluntary cooperation. The next level is a technical assistance notice, which compels an organization to decrypt content if technically feasible. The most concerning potential action is a technical assistance notice, which could force a company to engineer a way around encryption or otherwise subvert it.
The government maintained that the law would not compel software companies to install backdoors or systemic weaknesses that would undermine the security of all users. Encryption experts derided the claim, saying it's impossible to make software weaker for just select users.
Smith addressed the systemic weakness claim.
"There is this wonderful phrase about enabling companies to avoid creating a systemic weakness but that phrase is not defined," he said. "Until it is defined, I think people will worry, and we will be among those who will worry because we do feel it is vitally important we protect our customers' privacy."
Law Under Review
Australian technology companies maintain the law is generating anxiety among their clients, which, in turn, may hurt their businesses. It comes as Australia continues to nurture a homegrown cybersecurity industry, part of a national cybersecurity strategy launched in 2016.
Fastmail, an email provider, and Senetas, an encryption company, submitted sharp opinions to the Senate's Parliamentary Joint Committee on Intelligence and Security, which is studying the law. Both companies expressed concern over the impact, and the committee is due to release a report next week (see: Tech Industry Pushes for Australian Encryption Law Changes).
The Assistance and Access Bill 2018 was passed during a flurry of legislative horse trading on the last day of Parliament's session, Dec. 6. Due to the widespread opposition, the government committed to revisiting it, but maintained the legislation was needed to counter threats over the holiday season.
But the pass-it-first, fix-it-later approach to such a sensitive topic with economic and security consequences didn't sit well with many.
On Wednesday, Parliament announced that the Independent National Security Legislation Monitor, which reviews national security laws, would conduct an inquiry. But the review won't be complete until 2020.
In the meantime, companies have expressed concern that their employees could be targeted by national security orders to undermine their software. Those who disclose orders could face criminal penalties, making whistleblowing about potential abuse risky.