How will Australia’s encryption bill affect the startup ecosystem? And should you be worried?

Intimate.io co-founders Leah Callon-Butler and Reuben Coppa. Source: Supplied.

Australia’s Assistance and Access Bill 2018 — also dubbed the encryption bill — has officially been introduced into parliament and referred to the Parliamentary Joint Committee on Intelligence and Security for inquiry. But there are still concerns the bill could have serious unintended consequences — including for the startup community.

The bill is intended to give law enforcement access to encrypted communications they believe may contain criminal activity.

For the most part, it’s intended to help law enforcement catch terrorists, child sex offenders and criminal organisations. However, voices from the industry claim that, while the intention is good, the bill as it stands could be harmful in other ways.

A public consultation on the bill has received more than 300 responses, in which bodies such as the Australian Human Rights Commission have expressed concern about the bill’s effect on people’s rights to privacy.

Even the Office of the Australian Information Commissioner called on the government to “strike an appropriate balance between any privacy impacts and law enforcement and national security objectives”.

The commissioner’s office also draws attention to the possibility of information requests requiring a vulnerability or weakness in environments that require robust security.

The concern is that by allowing a way for law enforcement to access encrypted data, any business dealing with such data would have to allow a way for them to do so — effectively building a ‘back door’ into the system, which could be exploited.

The explanatory document on the bill provided by the Department of Home Affairs expressly states this is not the case.

“A technical assistance notice or technical capability notice has no effect to the extent it requires a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection. Electronic protection includes forms of encryption or passcode authentication, such as rate limits on a device.

“This limitation ensures that providers cannot be asked to implement or build so-called ‘back doors’ into their products or services.”

However, Josh Jessop-Smith, co-founder of blockchain startup Loki, says that’s not the case with blockchain startups, which are built on encryption.

“It would 100% undermine the entire project we have here,” Jessop-Smith says.

For Jessop-Smith, what all this means is entrepreneurs — especially those building their business around the value of encryption — may start taking their startups elsewhere.

He calls the bill “dangerous”, saying it’s “going to definitely stifle Australian innovation around tech”.

While for larger companies it’s in their best interest to “just play along and do what they’re told”, he says, “if you’re a startup thinking of starting a brand new system … you’re definitely not going to start it here”.

Loki is keeping a very close eye on developments.

“We’ve seriously been considering doing the majority of our work elsewhere,” Jessop-Smith says.

“It’s unsettling having to potentially install software that puts back doors into our systems.”

Security vulnerabilities

In an open letter to Minister for Home Affairs Peter Dutton, Paul Brookes, chair of Internet Australia, said the bill “clearly risks creating unintended security vulnerabilities across Australian and global communications networks”.

However, while Brookes accepted it is important for law enforcement to find ways to improve their capabilities for intercepting criminal activities through the communications sectors, “they must not do so via hastily enacted legislation which fails to consider the legitimate concerns and advice of global technology experts, and carries the very clear risk of creating more problems than it solves”.

Leah Callon-Butler, co-founder of adult blockchain startup Intimate, draws parallels with the Fight Online Sex Traffickers Act (FOSTA) and the Stop Enabling Sex Traffickers Act (SESTA) bill in the US, which passed in April this year.

FOSTA-SESTA removed Section 230 of the Communications Decency Act, which gave protections to commercial entities hosting user-generated content.

Section 230 acknowledged imposing screening restrictions on messages and posts on these kinds of platforms would have stunted the growth of the internet, Callon-Butler says.

“And this is exactly what happened when Section 230 was canned this year. In a knee-jerk reaction, a slew of adult dating and personals forums were closed down,” she adds.

Under the new rules in the US, Google, for example, would be held responsible for allowing images of sex-trafficking victims to be saved in a Google Drive, Callon-Butler says.

“Obviously, it’s not possible for Google to investigate the nature and origin of all its user data, so it seems the safest risk minimisation strategy is to restrict everything of adult nature,” she explains.

“FOSTA-SESTA is meant to stop sex traffickers by preventing them from advertising their victims on the internet, but instead, it restricts adult content of all kinds, effectively implying that consensual sex work and illegal trafficking are the same thing.”

The US bill clearly has a different purpose to Australia’s encryption bill, but Callon-Butler is concerned “it too will be misused to target, monitor and exploit the vulnerability of assailable groups, such as sex workers, but also journalists, human rights defenders and whistle-blowers,” she says.

“Perhaps even startup entrepreneurs,” she adds.

For Callon-Butler, the bill is ambiguous in the power it instils in the authorities, and requires clearer definitions and boundaries when it comes to protecting human rights.

“Privacy is important to different people for different reasons, and given the highly stigmatised nature of our industry and human sexuality in general, the desire for privacy is both understandable and legitimate,” she says.

Data challenge

Jessop-Smith also notes the bill by definition makes data more accessible, and data is valuable on the black market — perhaps even more so than credit card data.

“The bad will far outweigh the good it will do,” he says.

If there is a way to access encrypted data so that law enforcement can do it, then “the criminals will know there will be a way to do it too”.

A database full of information becomes “a honeypot people are going to target,” he says.

“They’re going to be looking for vulnerabilities,” he adds.

In a statement from the Australian Industry Group, Lizzie O’Shea, board member for the Digital Rights Watch, noted encryption is used for all kinds of everyday activities and communications, to protect the very data we don’t want getting into the hands of criminals, or onto the black market.

“We should all be worried, because this legislation doesn’t only target criminals, it puts every Australian at risk. We use encryption to buy things online, manage our finances, and communicate personally and professionally. Hospitals, transportation systems and government agencies use encrypted data,” O’Shea said.

“Creating tools to weaken encrypted systems for one purpose weakens it for all purposes. If the federal government succeeds in doing so, it could be your bank account, your personal correspondence, or your medical records that are compromised in the end.”
