(Image: Adobe)

In the government’s latest attack on privacy and cybersecurity, agencies like Border Force and the Australian Federal Police will be given the power to force tech companies to plant viruses and other malware on phones and other IT devices in an effort to undermine encryption.

The government this morning unveiled the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, designed to radically expand government powers to spy on Australians by forcing tech companies, whether in Australia or overseas, to help it defeat encryption.

The bill proposes a new three-tier framework that would:

  1. Enable tech companies to provide “voluntary” assistance to ASIO, ASIS and the ASD without incurring legal liability.
  2. Enable spy agencies to force tech companies to “give assistance they are already capable of providing that is reasonable, proportionate, practicable and technically feasible.” This would cover services such as cloud services where the company is able to decrypt or provide access to information it controls.
  3. Most controversially enable the Attorney-General to issue a “technical capability notice” that would force tech companies “to build a new capability that will enable them to give assistance”.

While the government insists “a technical capability notice cannot require a provider to build or implement a capability to remove electronic protection, such as encryption”, that is a legal fiction, because the government can force a company to implement a government-built capability to go around such protection. The bill makes clear that tech companies will be forced to “install, maintain, test or use software or equipment given to a provider by an agency” and “facilitate access to devices or services.”

That is, companies will be forced to help spy agencies plant malware in targeted phones or computers.

This is how it would work, in a hypothetical scenario. A former intelligence official, Witness J, embarrasses the government by revealing ASIS has broken the law by spying on another country to help an Australian resources company. Knowing that Witness J uses an iPhone and communicates with his lawyer via Signal, ASIS asks ASIO to monitor his privileged conversations with his lawyer. ASIO secures the approval of the Attorney-General, who has just threatened retribution against J and his lawyer in parliament, to issue a technical capability notice that enables it to force Apple not to break encryption — Apple can’t break its own end-to-end encryption, let alone that of Signal, a separate platform — but to help it plant some malware on the iPhone, purchased from Italian cybercrime company Hacking Team, that records the contents of J’s communications before they’re encrypted and after they’re decrypted.

And if this scenario isn’t plausible, imagine they might do it to a journalist who embarrassed the government by reporting on the level of rapes and assaults in Australia’s detention centres — there is no protection for journalists, lawyers or politicians who rely on confidentiality to do their jobs. And the law comes with a gag order to prevent anyone from ever revealing what the government does.

Will multinationals like Apple — which is in the firing line given it makes both devices and provides services — or platforms like Facebook, comply with the law? Almost certainly they will comply with measures to access cloud services or other non-end-to-end encrypted services, and likely already do. But it’s hard to see them complying with a demand to help plant malware on a phone or computer. It will be catastrophic for their brand if it is ever revealed.

But here’s why this idiotic scheme will undermine cybersecurity. Imagine Apple in fact cooperates and helps plant malware on a suspect’s iPhone. That malware in now out in the wild, beyond the control of its manufacturers or controllers. It’s malware that can take everything on a phone and send it to somewhere else. Once in the wrong hands, it will be a deadly weapon that can wreck cybersecurity for that device. Don’t think malware can escape into the wild? It already has.

For all the “this is no backdoor” window-dressing by the government, it’s exactly the same global village idiot mentality.

Do you think the government is right to expand its powers in this way? Write to [email protected] and let us know.