Internet users are besieged from all directions by online privacy threats.
Whether those threats come in the form of cybercriminals looking to steal identities or governments spying on their own citizens, the resulting effects are all too real. It’s important that anyone who uses the internet take active steps to keep themselves and their data safe online.
Governments have nervously taken note of this trend and have created legislation pertaining to data security, online privacy and the internet. Though such legislation claims to be an effort to protect personal data, the attempts have drawn criticism as clumsy and misguided.
Cybersecurity experts remain wary that such laws, whatever their intent, will have unintended negative consequences.
For Aussies, the Assistance and Access (AA) Bill of 2018 is an example. The bill massively expanded the Australian government’s power to gather and access data, especially encrypted data.
Given the recent arrest of Wikileaks co-founder Julian Assange — an Australian national — for reasons that are intimately related to the subjects dealt with in the bill, it’s all the more important for Aussies to know what’s in this bill and what consequence it has not just for their online privacy, but for journalism, data sharing, government whistleblowing and the future of the Australian tech industry as well.
The bill contains two major provisions that concern privacy and civil liberty advocates. First, it empowers Australian government agencies to demand access to the storehouse of encrypted customer communications that large tech companies have on their servers, no matter where in the world those companies are based.
What is a “tech company” anyway? The bill is broad about the definition, including everything from internet service providers to email providers and even social media websites. This was ostensibly done to make it easier for Australian law enforcement to catch criminals, who often use encryption to hide their online activities.
To clarify, under the provisions of this bill, even an American company like Facebook - because it offers service to users in Australia - could potentially be required to surrender all of its encrypted customer communications to the Australian government, including those between American users, British users, French users, or any other kind of Facebook users anywhere in the world.
More importantly, the bill requires that as a condition of offering service to Australians, tech companies create backdoors to all encryption protocols. This would allow the Australian government to decrypt and read communications between any Facebook, Gmail or WhatsApp users, thus essentially rendering the point of encrypting anything moot.
The only circumstances under which a tech company may legally refuse to comply with the Australian government’s order to create a backdoor into their encryption is if doing so would create a systemic vulnerability for the entire system. In other words, if creating the backdoor would leave all users of the service at greater risk of having their data stolen, then the company may refuse.
Failure to comply with the demands of the Australian government in this regard could lead to fines or 10 years of imprisonment.
The second major provision of the bill — and one that has left freedom advocates more infuriated — punishes anyone who leaks data collected by the government with five years of imprisonment.
As a result of either ignorance or incompetence, the bill yielded consequences that has left the world scratching its head.
Conflict with internet privacy legislation in other countries: The provisions of the AA Bill flatly contradict the requirements of other internet privacy laws that have been passed in other countries. The most clear example of this concerns the General Data Protection Regulation (GDPR) passed by the European Union in 2018. That bill requires all tech companies operating in the EU to anonymize all user data for the sake of privacy, which puts it in potential conflict with the demands of the AA Bill. It is not clear how this conflict will be resolved.
Incentivizing Australian tech companies to move away: If operating in Australia endangers a tech company’s user privacy worldwide, then they may simply choose not to offer their services to Australians. Tech companies based in Australia may decide to leave entirely, which would hamstring the vibrancy of the Australian tech industry.
Making encryption useless: The original purpose of encryption was to shield communications from the view of those for whom it was not intended. This bill subverts that.
A chilling effect on journalism and government whistleblowing: Since the bill punishes leakers of government-collected data with imprisonment, don’t expect those with knowledge of government corruption to rush forward with the information. Assange’s Wikileaks would be out of luck, as would any future organization eager to engage in truth-telling.
The scary part about this type of legislation is that you can do everything else right when it comes to protecting your online security - use an uncompromised password manager and two-factor authentication, practice safe clicking, recognize and avoid social engineering schemes, share less sensitive information, and more - and none of it will do a bit of good if a tech company simply hands over your information at the government’s request. No need to fret about a hacker mounting brute-force attacks against the passwords that guard your front door when there’s a nice little backdoor built into your favorite sites.
At Least Get a VPN: Are you familiar with a VPN? You should run, not walk, to sign up for a virtual private network (VPN) service.
The AA Bill allows the Australian government to order tech companies to intercept and gather traffic metadata at the ISP level. With a VPN (which are still legal in Australia according to VPN review site Privacy Australia), your online presence is encrypted before it ever reaches the tech companies that might be ordered to provide it to law enforcement. In other words, they will only be handing over gibberish.
Look for a VPN that protects all your devices - desktop and laptop computers, tablets, as well as Android and iOS phones. Especially important for Australians is to be able to request a dedicated IP address, allowing access to Aussie content while traveling. Also look for a service provider that retains NO data that could end up in the hands of a hacker or government malcontent, eg Trust.Zone.
VPN Technology is Good but Not Perfect: VPNs do not offer foolproof protection. The main drawback is when a connection drops, leaving your traffic unencrypted and thus exposed to prying eyes. The most secure VPNs include a kill switch which immediately breaks your internet connection completely if the VPN protection fails. Prying eyes won’t have a chance to pilfer any data.
The second common issue is data leakage, which can also expose your information and location. For more information on how this happens and what you can do to detect and eliminate this problem, check out this article.
The recent online privacy incursion by the Australian government potentially extends far beyond the borders of Australia, as we’ve discussed. For citizens who haven’t used a VPN before, now would be a good time to start.
We’d also suggest to avoid Canadian-based services because rumblings coming out of that country say it might ban VPNs altogether. All the more reason to consider a VPN service based in a country unfettered by legislative privacy invasions - Seychelles, Romania, Switzerland, Malaysia and more. Research before you buy!
For example, Trust.Zone located in Seychelles, under offshore jurisdiction and out of 14-eyes countries list. There is no mandatory data retention law in Seychelles. Under jurisdiction in Seychelles, a foreign court order would not be enforceable and since TrustZone doesn’t store any logs, there is nothing to be taken from TrustZone servers.