Internet Society Delhi Chapter and CCAOI Organize Webinar on India’s Draft Intermediary Rules

On 10 January, the Internet Society Delhi Chapter and CCAOI jointly organised an interactive webinar on the draft Information Technology [Intermediary Guidelines (Amendment) Rules] 2018 (“the draft Intermediary Rules”) to improve understanding of the draft and to encourage members and other Indian stakeholders to submit their comments to the Ministry of Electronics and Information Technology (MeitY) during its public comment period. The draft Intermediary Rules seek to modify Section 79(2)(c) of the Information Technology Act, 2000 (the IT Act). Section 79 of the IT Act introduces obligations that intermediaries must meet to gain exemption from liability over the third-party information that they “receive, store, transmit, or provide any service with respect to.” These proposed changes were developed by MeitY to try to address misinformation and harmful content on social media, which have been connected with lynching and other recent violent acts of vigilantism.

The session was moderated by Subhashish Panigrahi, chapter development manager for Asia-Pacific at the Internet Society, and Amrita Choudhury, treasurer of the Internet Society Delhi Chapter and director of the CCAOI.

The changes to the IT Act proposed in the draft Intermediary Rules would require intermediaries to provide monthly notification to users on content they should not share; ensure that the originator of unlawful content is traceable; deploy automated tools for proactively identifying and disabling unlawful information or content; and obligate intermediaries with over 5,000,000 users to set up office in India and appoint a nodal officer (for coordination with law enforcement agencies).

An “intermediary” under the IT Act includes any person or entity who on behalf of another receives, stores, or transmits a message or provides any service with respect to a message. Under the IT Act, intermediaries include ISPs, cybercafés, online companies, social media, etc. Looking at the broad definition of intermediaries, some argue that the proposed changes to the IT Act would be difficult for many intermediaries to comply with. Other concerns include whether the draft Intermediary Rules have the capacity to affect the fundamental rights of free speech and privacy or may erode the safe harbor protection for intermediaries which Section 79 of the IT Act provides.

During the interactive webinar organized by the Delhi Chapter and CCAOI:

  • Shashank Misra, Senior Associate at Shardul Amarchand Mangaldas & Co, gave an introduction to the draft Intermediary Rules, the definition of intermediaries under the IT Act, and obligations for intermediaries. He presented an overview of the draft Intermediary Rules, categorizing the amendments under five broad themes, and reiterated the importance of commenting on the draft now before it becomes a law.
  • Nehaa Chaudhari, Public Policy Lead at Ikigai Law, highlighted the draft Intermediary Rules’ lack of clarity on oversight mechanisms for the state and central government. She called attention to the lack of safeguards on take down requests under Section 5 of the draft Intermediary Rules. She also questioned the introduction of some obligations as part of “delegated legislation,” instead arguing that these should be proposed under new legislation. (In India, delegated legislation occurs when an executive authority is given the power to make laws to implement a primary legislation.) The Intermediary Rules are a form of delegated legislation to implement the IT Act. She also questioned the necessity of some of the proposed suggestions, such as the monthly user notification by all intermediaries, and whether it achieves its objective.
  • Arjun Sinha, a tech lawyer, argued that the government needs to adopt a graded approach for requesting information or assistance from online platforms, rather than adopting a 72-hour timeline. Using this approach, different grades would be based on the importance of the information requested. He also questioned the metrics used to calculate the 5,000,000 users, including how the government would independently verify the number and ensure compliance.
  • Gurshabad Grover, Policy Officer at CIS India, highlighted that the draft rules may exceed the scope of what is allowed to be “delegated legislation.” In addition, he argued that the draft rule 3.9, which asks for deploying automated tools for “proactively identifying and removing or disabling public access to unlawful information or content,” is technically impossible for some intermediaries to implement.
  • Paul Brooks, Chair of Internet Australia, an Internet Society Chapter, shared the Australian chapter’s experience and lessons learned during their own advocacy on Australian regulations and policies that could impact Internet security. In 2018, the Chapter engaged in an advocacy campaign to inform lawmakers and the public on the issues that could arise from proposed legislation on encryption. During their campaign, Internet Australia’s activities included holding a public workshop, making submissions on draft legislation, and conducting interviews with media outlets about the legislation.
  • Subhashish Panigrahi emphasized the Internet Society’s commitment to support Indian chapters in making their submissions on the draft Intermediary Rules. He also gave an overview of the work done by the Internet Society on encryption, such as the Encryption Policy Brief. He encouraged participants to visit the Internet Society’s encryption issues page for more resources.

Nearly fifty people attended the webinar, and participants raised various questions, which the experts answered. Based on interest, another discussion may be held just after the submission deadline so that counter comments can be submitted.

All are encouraged to submit their comments on the draft guidelines by 31 January to:

  • gccyberlaw[at]meity[dot]gov[dot]in
  • pkumar[at]meity[dot]gov[dot]in
  • dhawal[at]gov[dot]in

Watch the Livestream of the event!


How to choose and use an encrypted messaging app


Text messaging has been around since the dawn of cellular technology, and sparked its own unique language. But it’s time to put sending regular SMS messages out to pasture.

If you have an iPhone, you’re already on your way. iPhones (as well as iPads and Macs) use iMessage to send messages between Apple devices. It’s a data-based messaging system reliant on 3G, 4G, and Wi-Fi, rather than SMS messaging, which uses an old, outdated but universal 2G cellular network. iMessage has grown in popularity, but has left Android devices and other computers out in the dark.

That’s where other messaging services have filled a gap in the market.

Apps like Signal, WhatsApp, Wire and Wickr are also data-based and work across platforms. Best of all, they’re end-to-end encrypted, which means sent messages are scrambled on one end of the conversation — the device — and unscrambled at the other end on the recipient’s device. This makes it near-impossible for anyone — even the app maker — to see what’s being said.

Many popular apps, like Instagram, Skype, Slack and Snapchat, don’t offer end-to-end encryption at all. Facebook Messenger has the option to use “secret” end-to-end encrypted messaging, but it isn’t enabled by default.

Here’s what you need to know.

Why hate on SMS messaging?

SMS, or short messaging service, is more than three decades old. It’s generally reliable, but it’s outdated, archaic and expensive. There are also several reasons why SMS messaging is insecure.

SMS messages aren’t encrypted, meaning the contents of each text message are viewable to mobile carriers and governments, and can even be intercepted by organized and semi-skilled hackers. That means even if you’re using SMS to secure your online accounts using two-factor authentication, your codes can be stolen. Just as bad, SMS messages leak metadata, which is information about the message but not the contents of the message itself, such as the phone number of the sender and the recipient, which can identify the people involved in the conversation.

SMS messages can also be spoofed, meaning you can never be completely sure that a SMS message came from a particular person.

And a recent ruling by the Federal Communications Commission now gives cell carriers greater powers to block SMS messages. The FCC said it will cut down on SMS spam, but many worry that it could be used to stifle free speech.

In all of these cases, the answer is an encrypted messaging app.

What are the best encrypted messaging apps?

The simple answer is Signal, an open source, end-to-end encrypted messaging app seen as the gold standard of secure consumer messaging services.

Signal supports and encrypts all of your messages, calls and video chats with other Signal users. Some of the world’s smartest security professionals and cryptography experts have looked at and verified its code, and trust its security. The app uses your cell phone number as its point of contact — which some have criticized, but it’s easy to set the app up with a dedicated phone number without losing your own cell number. Other than your phone number, the app is built from the ground up to collect as little metadata as possible.

A recent government demand for Signal’s data showed that the app maker has almost nothing to turn over. Not only are your messages encrypted, each person in the conversation can set messages to expire — so that even if a device is compromised, the messages can be set to already disappear. You can also add a separate lock screen on the app for additional security. And the app keeps getting stronger and stronger. Recently, Signal rolled out a new feature that masks the phone number of a message sender, making it better for sender anonymity.

But actually, there is a far more nuanced answer than “just Signal.”

Everyone has different needs, wants and requirements. Who you are, what your job is, and who you talk to will determine which encrypted messaging app is best for you.

Signal may be the favorite app for high-risk jobs — like journalism, activism, and government workers. Many will find that WhatsApp, for example, is good enough for the vast majority who just want to talk to their friends and family without worrying about someone reading their messages.

You may have heard some misinformed things about WhatsApp in recent years, sparked largely by incorrect and misleading reporting that claimed there was a “backdoor” to allow third parties to read messages. Those claims were unsubstantiated. WhatsApp does collect some data on its 1.5 billion users, like metadata about who is contacting whom, and when. That data can be turned over to police if they request it with a valid legal order. But messages cannot be read as they are end-to-end encrypted. WhatsApp can’t turn over those messages even if it wanted to.

Although many don’t realize that WhatsApp is owned by Facebook, which has faced a slew of security and privacy scandals in the past year, Facebook has said it’s committed to keeping WhatsApp messages end-to-end-encrypted by default. That said, it’s feasibly possible that Facebook could change its mind in the future, security researchers have said. It’s right to remain cautious, but WhatsApp is still better to use for sending encrypted messages than not at all.

The best advice is to never write and send something on even an end-to-end encrypted messaging app that you wouldn’t want to appear in a courtroom — just in case!

Wire is also enjoyed by many who trust the open-source cross-platform app for sharing group chats and calls. The app doesn’t require a phone number, instead opting for usernames, which many who want greater anonymity find more appealing than alternative apps. Wire also backed up its end-to-end encryption claims by asking researchers to conduct an external audit of its cryptography, but users should be aware that a trade-off for using the app on other devices means that the app keeps a record of everyone you’ve ever contacted in plain text.

iMessage is also end-to-end encrypted and is used by millions of people around the world who likely don’t even realize their messages are encrypted.

Other apps should be treated with care or avoided altogether.

Apps like Telegram have been criticized by experts for their error-prone cryptography, which has been described as “being like being stabbed in the eye with a fork.” And researchers have found that apps like Confide, once a favorite among White House staffers, don’t properly scramble messages, making it easy for the app’s makers to secretly eavesdrop on someone’s conversation.

How to verify someone’s identity

A core question in end-to-end encrypted messaging is: how do I know a person is who they say they are?

Every end-to-end encrypted messaging app handles a user’s identity differently. Signal calls it a “safety number” and WhatsApp calls it a “security code.” Across the board, it’s what we call “key verification.”

Every user has their own unique “fingerprint” that’s associated with their username, phone number or their device. It’s usually a string of letters and numbers. The easiest way to verify someone’s fingerprint is to do it in person. It’s simple: you both get your phones out, open up a conversation on your encrypted messaging app of choice, and you make sure that the fingerprints on the two sets of devices are exactly the same. You usually then hit a “verify” button — and that’s it.

Verifying a contact’s fingerprint remotely or over the internet is trickier. Often it requires sharing your fingerprint (or a screenshot) over another channel — such as a Twitter message, on Facebook, or email — and making sure they match. (The Intercept’s Micah Lee has a simple walk-through of how to verify an identity.)

Once you verify someone’s identity, they won’t need to be reverified.

If your app warns you that a recipient’s fingerprint has changed, it could be an innocuous reason — they may have a new phone number, or sent a message from a new device. But that could also mean that someone is trying to impersonate the other person in your conversation. You would be right to be cautious, and try to reverify their identity again.
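The pin, compare and key-change logic described above, as an added Python example that is not taken from the original article or from any app's code. The SHA-256-based fingerprint format, the `ContactKeys` class and the sample keys are assumptions made for illustration; this is not the scheme any particular app uses to derive its safety numbers or security codes.

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    """Short, human-comparable fingerprint: first 16 bytes of SHA-256 as 8 hex groups."""
    hexed = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(hexed[i:i + 4] for i in range(0, 32, 4))


def _normalize(fp: str) -> bytes:
    # Ignore spacing and letter case so a fingerprint read aloud or retyped still matches.
    return "".join(fp.split()).lower().encode("utf-8")


class ContactKeys:
    """Hypothetical per-contact key store: pin on first use, verify out of band."""

    def __init__(self):
        self._pinned = {}  # contact -> {"fp": str, "verified": bool}

    def observe(self, contact: str, public_key: bytes) -> str:
        """Call whenever a contact's key is seen; returns the trust state to show the user."""
        fp = fingerprint(public_key)
        entry = self._pinned.get(contact)
        if entry is None:
            self._pinned[contact] = {"fp": fp, "verified": False}
            return "new-unverified"
        if hmac.compare_digest(_normalize(entry["fp"]), _normalize(fp)):
            return "verified" if entry["verified"] else "unverified"
        # Different key for a known contact: new phone, new device, or impersonation.
        # Drop the verified flag so the user has to compare fingerprints again.
        self._pinned[contact] = {"fp": fp, "verified": False}
        return "key-changed"

    def verify(self, contact: str, fingerprint_from_other_channel: str) -> bool:
        """Compare the pinned fingerprint with one obtained in person or over another channel."""
        entry = self._pinned[contact]
        matches = hmac.compare_digest(
            _normalize(entry["fp"]), _normalize(fingerprint_from_other_channel)
        )
        if matches:
            entry["verified"] = True
        return matches


def demo():
    # Constructed sample keys, not real key material.
    old_key = bytes(range(32))
    new_key = bytes(range(1, 33))
    store = ContactKeys()
    return [
        store.observe("alice", old_key),                     # first contact, key pinned
        store.verify("alice", fingerprint(old_key).upper()),  # compared in person
        store.observe("alice", old_key),                     # same key, already verified
        store.observe("alice", new_key),                     # key changed: warn the user
        store.observe("alice", new_key),                     # stays unverified until re-checked
        store.verify("alice", fingerprint(old_key)),         # old fingerprint no longer matches
    ]


if __name__ == "__main__":
    print(demo())
```
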

Some apps don’t bother to verify a user’s identity at all. For example, there’s no way to know that someone isn’t secretly snooping on your iMessage conversations because Apple doesn’t notify you if someone is secretly monitoring your conversation or has somehow replaced a message recipient with another person.

You can read more about how Signal, WhatsApp, Telegram, and Wire allow you to verify your keys and warn you of key changes. (Spoiler alert: Signal is the safest choice.)

There are some other tips you should know:

Encrypted message backups are usually not encrypted in the cloud: A very important point here — often, your encrypted messages are not encrypted when they are backed up to the cloud. That means the government can demand that your cloud provider — like Apple or Google — retrieve and turn over your encrypted messages from its servers. You should not back up your messages to the cloud if this is a concern.

Beware of desktop apps: One of the benefits to many encrypted messaging apps is that they’re available on a multitude of platforms, devices and operating systems. Many also offer desktop versions for responding faster. But over the past few years, most of the major vulnerabilities have been in the buggy desktop software. Make sure you’re on top of app updates. If an update requires you to restart the app or your computer, you should do it straight away.

Set your messages to expire: Encryption isn’t magic; it requires awareness and consideration. End-to-end encrypted messaging won’t save you if your phone is compromised or stolen and its contents can be accessed. You should strongly consider setting an expiry timer on your conversations to ensure that older messages will be deleted and disappear.

Keep your apps updated: One of the best ways to make sure you stay secure (and get new features!) is to make sure that your desktop and mobile apps are kept up-to-date. Security bugs are found often, but you may not always hear about them. Keeping your apps updated is the best way to make sure you’re getting those security fixes as soon as possible, lowering the risk that your messages could be intercepted or stolen.


The most common forms of censorship the public doesn’t know about

Amid all the discussion today about online threats, from censorship to surveillance to cyberwar, we often spend more time on the symptoms than on the underlying chronic conditions. If we want to make people around the world safer from an oppressive, weaponized Internet, we need to get a bit nerdy and talk about Internet standards.

Most Internet censorship today is only possible because the Internet wasn’t designed to protect the privacy of your connections. It wasn’t private by design, so when censors came along, they pushed on an open door. Making Internet connections truly private and secure means updating the fundamental technical standards that govern the global internet.

Fortunately, the first step toward making global internet standards safer and more censorship-resistant is neither controversial nor particularly complicated. Put simply, we should make Internet protocols—the who, what, where of internet addresses—more private. Everyone from regulators to users has been asking for more privacy protections, and improving Internet standards is one foundational way of providing that.

Privacy makes selective censorship harder because censors no longer know the blow-by-blow details of what everyone is doing, so they can’t micromanage a person’s access to the Internet. Improving standards doesn’t take magic — just prototyping, debating, consensus-building, and implementing. The standards that govern the Internet are driven through organizations like the Internet Engineering Task Force.

Since 2015, technologists, facilitated by the IETF, have been considering proposals to enhance privacy for a key element of the Internet: the Domain Name System (DNS). It’s often described as the “address book of the Internet” and it was not designed to use encryption.

Unfortunately, every time you visit a website, your computer first consults the DNS system without any encryption, allowing censors and snoopers to know the name of every website you visit. A new standard is emerging to encrypt DNS lookups.

The standardization of encrypted DNS is just one way Internet standards could be improved. Another example can be seen at CloudFlare, one of the largest content delivery networks in the world. They recently announced support for an evolving standard — “encrypted SNI” — that would close another subtle privacy hole that often occurs when users visit websites hosted on cloud providers.

As a final example, the W3C (another Internet standards body) has been establishing a draft standard for Network Error Logging. This potentially helps address one of the trickiest challenges in tackling network interference: figuring out when interference is even happening. After all, if someone attempts to load a website but cannot access it, any number of things could have gone wrong, from a network glitch to network interference. Because no connection was ever established, the website owner may never even know that someone tried and failed to reach their site. Network Error Logging allows the user’s device to report a failed lookup to a neutral third party that is not blocked. Think of it as enabling ombudsmen when sites are blocked.

The standards we define for the Internet today will determine how the next generation of technologists and technology companies build the tools of the future.

If we don’t approach internet standards with a strong set of values that promote user privacy and freedom of expression, the standards will be set by people who do not share those values, and the overall integrity of the global open internet will inevitably suffer.

The internet may not have been initially designed to prevent censorship by protecting user privacy, but the protection of individual privacy ought to be the North Star guiding how we navigate the challenges of an evolving, global internet. If we’re serious about addressing those challenges, we need to start with improving standards.

How to Encrypt a USB Flash Drive in macOS Mojave

In macOS Mojave, you can choose to encrypt and decrypt disks on the fly right from the desktop. Using this convenient Finder option, we’re going to show you how to encrypt a USB flash drive (or “thumb drive”), which is useful if you’re traveling light and want to take sensitive data with you for use on another Mac.

Finder uses XTS-AES encryption, the same encryption that FileVault 2 uses to prevent access to data on a Mac’s startup disk without a password. Note that the following method is only compatible with Macs – you won’t be able to access data on the encrypted drive using a Windows machine.

If this is a requirement, you’ll need to use a third-party encryption solution like VeraCrypt. With that in mind, here’s how to securely encrypt your USB flash drive.



Attach the USB flash drive to your Mac and locate its disk icon on your desktop, in a Finder window, or in the Finder sidebar, then right-click (or Ctrl-click) it and select Encrypt “[USB stick name]”… from the contextual menu.

(Note that if you don’t see the Encrypt option in the dropdown menu, your USB flash drive hasn’t been formatted with a GUID partition map. To resolve this, you’ll need to erase and encrypt the USB drive in Disk Utility – before that though, copy any data on the drive to another location for temporary safekeeping.)



When you select Encrypt, Finder will prompt you to create a password, which you’ll need to enter the next time you attach the USB flash drive to a Mac. (Don’t forget this, otherwise you’ll lose access to any data stored on the USB drive!) Once you’ve chosen a password, verify it, add a meaningful hint if desired, and click Encrypt Disk.

How long the encryption process takes depends on how much data you have on the USB flash drive, but you’ll know it’s completed when its disk icon disappears and re-mounts. You’ll now be able to access the contents of the USB flash drive as usual, but if you physically detach it and re-attach it to your Mac you’ll be prompted to enter the password.



Note that the prompt includes an option for macOS to remember this password in my keychain. Check the box, and whenever you attach the USB stick to your Mac again you won’t be prompted to enter the password and you’ll have automatic access to it, just like any other drive.



If you ever want to decrypt the USB flash drive in future, right-click (or Ctrl-click) its disk icon, select Decrypt “[USB stick name]” from the contextual menu, and enter the password to turn off encryption protection.

How to Encrypt a USB Flash Drive in Disk Utility

Before proceeding, make sure you’ve copied any data on the USB flash drive to a safe location, like your Mac’s internal disk.

  1. Launch Disk Utility, located on your Mac in Applications/Utilities.


  2. In the Disk Utility toolbar, click the View button and select Show All Devices if it isn’t already ticked.


  3. Select your USB flash drive in the sidebar by clicking its top-level device name (i.e. not the volume name that’s listed beneath it).


  4. Click the Erase button in the toolbar.
  5. Give the USB flash drive a name.
  6. Next, click the Scheme dropdown menu and select GUID Partition Map. (It’s important to do this first before the next step, otherwise you won’t see the encryption option in the Format dropdown.)


  7. Now click the Format dropdown menu and select Mac OS Extended (Journaled, Encrypted).


  8. Click Erase.


  9. Enter your new password, enter it once more to verify, include a password hint if desired, then click Choose.


  10. Click Erase once again, and wait for your disk to be formatted and encrypted.

Once the process is complete, copy across your sensitive data to the blank USB flash drive, where it will be automatically encrypted and secured with a password.


Signal app to Australia: Good luck with that crypto ban

Graffiti urging people to use Signal, a highly-encrypted messaging app, is spray-painted on a wall during a protest on February 1, 2017 in Berkeley, California.

Signal, one of the most secure messaging apps, essentially told Australia this week that its attempts to thwart strong crypto are rather cute.

“By design, Signal does not have a record of your contacts, social graph, conversation list, location, user avatar, user profile name, group memberships, group titles, or group avatars,” Joshua Lund, a Signal developer wrote. “The end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us. In most cases now we don’t even have access to who is messaging whom.”

Lund is referring to a recent law passed in Australia that will fine companies that do not comply with government demands for encrypted data up to AUS$10 million.


US intelligence community says quantum computing and artificial intelligence pose an ‘emerging threat’ to national security

It’s not often you can put nuclear weapons, terrorism and climate change on the same list as quantum computing, artificial intelligence, and the Internet of Things, but the U.S. government believes all pose an “emerging threat” to its national security.

Several key agencies in the U.S. intelligence community were asked what they saw as long-term threats faced by the country in the next decade and beyond, and the future of “dual-use technologies” took center stage.

Agnostic technologies like encryption, autonomous and unmanned systems, AI and quantum computing rank at the top of the agencies’ “worry list” for fears that they could be used to cause harm, rather than advance society. While all can be used for good — to secure data, to survey a dangerous area, or simply to save time and effort — the government says that all can have disastrous effects if used by an adversary.

For example, the government says that, “adversaries could gain increased access to AI through affordable designs used in the commercial industry, and could apply AI to areas such as weapons and technology,” and that “quantum communications could enable adversaries to develop secure communications that U.S. personnel would not be able to intercept or decrypt.”

The list of emerging threats also includes information operations — such as those purportedly carried out by adversarial nation states in the run up to recent elections — in which adversaries may engage in “advanced information operations campaigns that use social media, artificial intelligence, and data analytics to undermine the United States and its allies.”

A list of “dual-use” technological threats faced by the U.S. (Image: Government Accountability Office)

It’s no surprise that the government fears the unknown: warfare in this day and age has adapted beyond recognition, with nation states targeting one another with literal “cyber-bombs” and disinformation campaigns, sowing seeds of doubt rather than lobbing bombs over borders.

“As such, the nature of warfare has evolved to include ‘gray zone’ conflict—defined as the area between war and peace — where weaker adversaries have learned how to seize territory and advance their agendas in ways not recognized as ‘war’ by Western democracies,” the government watchdog wrote. Notably, the U.S. pointed its finger specifically at China and Russia — with Iran a close third — for “pursuing gray zone strategies to achieve their objectives without resorting to military conflict.”

And the U.S. knows it has to keep up with the range of threats, or face weakening on the world stage.

“The challenge for the United States and its allies will be to develop responses faster than adversaries through a better understanding of the strategic environment,” the government said. That might be tougher than it seems, given that senior government officials said the U.S. has been “strategically surprised” by how fast the threats have evolved.

“The nature of conflict has changed, and so the United States must evolve,” the government said.

US tech giants decry Australia’s ‘deeply flawed’ new anti-encryption law

A group of U.S. tech giants, including Apple, Google and Microsoft, have collectively denounced the new so-called “anti-encryption” law passed by the Australian parliament last week.

The bill was passed less than a day after the ruling coalition government secured the votes from opposition Labor lawmakers, despite strong objection from tech companies and telcos.

“The new Australian law is deeply flawed, overly broad, and lacking in adequate independent oversight over the new authorities,” said the Reform Government Surveillance coalition in a statement. The tech companies added that the law would “undermine the cybersecurity, human rights, or the right to privacy of our users.”

It’s the latest rebuke since the bill’s passing, following an extensive lobbying effort by Silicon Valley to push back on the anti-encryption proposals.

The law allows Australian police and the intelligence agencies wide-reaching powers to issue “technical notices” — essentially forcing companies and even websites operating in Australia to help the government undermine encryption or insert backdoors at the behest of the government. Critics argue that there’s little oversight, potentially allowing abuse of the system. And because the notices will almost always be issued with a gag order, any technical notices are served behind closed doors in secret.

Companies that refuse to comply with the demands in a technical notice can be served heavy financial penalties.

The Australian government won in part by accusing Labor of using scare tactics, saying that the opposition party was choosing to “allow terrorists and pedophiles to continue their evil work in order to engage in point scoring,” said Australian defense minister Christopher Pyne, in a since-deleted tweet. Labor caved in to the pressure, and party leader Bill Shorten instructed his members to vote for the bill. He promised that the party would offer amendments to the law once passed in the coming months, while keeping “Australians safer over Christmas.”

The tech coalition said it’ll hold the Australian parliament’s feet to the fire, urging lawmakers to “promptly address these flaws when it reconvenes” in the new year.

The group, which also includes Dropbox, Facebook, Google and Yahoo parent company Oath (which also owns TechCrunch), was set up after the companies were named in classified U.S. documents as participants in the secret National Security Agency program, dubbed PRISM. All of the companies denied their willing involvement, and began a collective effort to lobby the government to reform its surveillance operations — many of which rely on compelled assistance from tech companies and telcos.

Evernote, LinkedIn, Snap and Twitter, which weren’t named as PRISM partners, later joined the coalition, and also signed on to the letter.

Cisco and Mozilla joined other companies in separately filing complaints with Australian lawmakers ahead of the planned vote, arguing that the law “could do significant harm to the Internet.”

Australia Passes Controversial Encryption Bill Despite Opposition From Apple and Other Tech Companies

The Australian parliament on Thursday passed controversial encryption legislation that could result in tech companies being forced to give law enforcement access to encrypted customer messages.

As we reported in October, Apple opposed the legislation in a seven-page letter to the Australian parliament, calling the encryption bill “dangerously ambiguous” and wide open to potential abuse by authorities.



Advocates of the bill, officially titled “Assistance and Access Bill 2018,” argue it is essential to national security because encrypted communications are used by terrorist groups and criminals to avoid detection.

CNET provided a breakdown on the Australian bill and the three tiers of law enforcement and state agency assistance it covers:

  • Technical assistance request: A notice to provide “voluntary assistance” to law enforcement for “safeguarding of national security and the enforcement of the law.”
  • Technical assistance notice: A notice requiring tech companies to offer decryption “they are already capable of providing that is reasonable, proportionate, practicable and technically feasible” where the company already has the “existing means” to decrypt communications (e.g. where messages aren’t end-to-end encrypted).
  • Technical capability notice: A notice issued by the attorney general, requiring tech companies to “build a new capability” to decrypt communications for law enforcement. The bill stipulates this can’t include capabilities that “remove electronic protection, such as encryption.”

The Australian government insists that the laws don’t provide a backdoor into encrypted communications. However, Apple says the language in the bill permits the government to order companies who make smart home speakers to “install persistent eavesdropping capabilities” or require device makers to create a tool to unlock devices.

Likewise, the joint industry lobby group DIGI, which includes Amazon, Facebook, Google, Oath, and Twitter, said they were willing to work with the government to promote public safety, but the laws could “potentially jeopardize the security of the apps and systems that millions of Australians use every day.”

Apple has fought against anti-encryption legislation and attempts to weaken device encryption for years, and its most public battle was against the U.S. government in 2016 after Apple was ordered to help the FBI unlock the iPhone owned by Syed Farook, one of the shooters in the December 2015 attacks in San Bernardino.

Apple opposed the order and claimed that it would set a “dangerous precedent” with serious implications for the future of smartphone encryption. Apple ultimately held its ground and the U.S. government backed off after finding an alternate way to access the device, but Apple has continually had to deal with further law enforcement efforts to combat encryption.
