After Pushback From Service Providers, Australian Regulators Strip Encryption Breaking Demands From Online Safety Bill

Yet another attempt to mandate broken encryption has been disrupted. The Australian government has long held the belief that broken encryption would be a net win for citizens. Or, at the very least, it’s pretty sure it will be a huge win for law enforcement, which won’t have to deal with encrypted communications or devices.

But, despite declaring only criminals need encryption, proposals to expand the government’s power to include direct regulation of encryption have met with significant pushback. Its efforts began more than a half-decade ago but — after folding in horrible proposals by the UK government and the EU Commission — got a bit worse in recent years.

The new idea was called “client-side scanning.” The aim was to give the government access to illegal content passed around via encrypted services. Since the government wasn’t willing to simply declare encryption illegal, it passed the buck. New regulations would require service providers to undermine the encryption they offered their users, stripping one of the end-to-end encryption so communications can be monitored.

Fortunately, like elsewhere in the world, unified opposition to encryption-breaking mandates has resulted in the Australian government rolling back that particular demand in the final (or so they say) version of its online safety standards.

In November, the eSafety commissioner announced draft standards that would require the operators of cloud and messaging services to detect and remove known child abuse and pro-terror material “where technically feasible”, as well as disrupt and deter new material of the same nature.

[…]

But in the finalised online safety standards lodged in parliament on Friday, the documents specifically state that companies will not be required to break encryption and will not be required to undertake measures not technically feasible or reasonably practical.

That includes instances where it would require the provider to “implement or build a systemic weakness or systemic vulnerability in to the service” and “in relation to an end-to-end encrypted service – implement or build a new decryption capability into the service, or render methods of encryption used in the service less effective”.

This is great news, as long as the “final” proposal remains “final.” It will, of course, be temporary. The calls for breaking encryption aren’t going away. They’re omnipresent but have yet to take a solid foothold because governments can’t actually explain how any proposal like this is possible, much less feasible. They also can’t logically declare that any security flaw introduced by legislation won’t be exploited by the very people it aims to stop: criminals.

Those advocating the hardest for broken encryption are the most disturbed by this rollback. Australia’s eSafety commissioner, Julia Inman Grant, was given space in The Australian to vent her feelings about the success of those pushing back against anti-encryption mandates:

Grant hit back at the criticism of the proposals, saying tech companies had claimed the standards “represented a step too far, potentially unleashing a dystopian future of widespread government surveillance”.

The real dystopian future, she said, would be one where “adults fail to protect children from vile forms of torture and sexual abuse, then allow their trauma to be freely shared with predators on a global scale”.

Right. That’s a pretty hot take on what’s actually happened here. Tech companies can’t undo the laws of mathematics. Governments can’t guarantee their security holes won’t be exploited by criminals. And most rational people recognize there’s a trade-off being made here — one that gives millions of non-criminals additional security and privacy while only inconveniencing the government in rare cases. If that’s the equation, the government has no business demanding companies deliberately undermine the security of all users just so it can go after a very small percentage of them.