Setback in the outback

jlund on 13 Dec 2018

Like many others, we have been following the latest developments in Australia related to the “Assistance and Access” bill with a growing sense of frustration. The widespread adoption of strong cryptography and end-to-end encryption has given people around the world the ability to protect their personal information and communicate securely. Life is increasingly lived online, and the everyday actions of billions of people depend on this foundation remaining strong.

Attempting to roll back the clock on security improvements which have massively benefited Australia and the entire global community is a disappointing development.

Design for a world that is sometimes disappointing

More than eight years have passed since we released the public beta of what is now known as Signal. Throughout the entire development process, the project has faced resistance from people who struggle to understand end-to-end encryption or who seek to weaken its effects. This is not a new dynamic.

We can’t include a backdoor in Signal, but that isn’t a new dynamic either.

By design, Signal does not have a record of your contacts, social graph, conversation list, location, user avatar, user profile name, group memberships, group titles, or group avatars. The end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us. In most cases now we don’t even have access to who is messaging whom.

Everything we do is open source and anyone is free to verify or examine the code for each release. Reproducible builds and other readily accessible binary comparisons make it possible to ensure the code we distribute is what is actually running on users’ devices. People often use Signal to share secrets with their friends, but we can’t hide secrets in our software.

Everyone benefits from these design decisions – including Australian politicians. For instance, it has been widely reported that Malcolm Turnbull, the 29th Prime Minister of Australia, is a Signal user. He isn’t alone. Members of government everywhere use Signal. Even if we disagree with Christian Porter, we would never be able to access his Signal messages, regardless of whether the request comes from his own government or any other government.

Although we can’t include a backdoor in Signal, the Australian government could attempt to block the service or restrict access to the app itself. Historically, this strategy hasn’t worked very well. Whenever services get blocked, users quickly adopt VPNs or other network obfuscation techniques to route around the restrictions.

If a country decided to apply pressure on Apple or Google to remove certain apps from their stores, switching to a different region is extremely trivial on both Android and iOS. Popular apps are widely mirrored across the internet. Some of them can even be downloaded directly from their official website.

Down under, but not out

One of the myriad ways that the “Assistance and Access” bill is particularly terrible lies in its potential to isolate Australians from the services that they depend on and use every day. Over time, users may find that a growing number of apps no longer behave as expected. New apps might never launch in Australia at all.

Technology organizations that want to open offices in a new country could decide that AEST isn’t such a great time zone after all. Foreign engineers may choose to watch the Australia episode of Planet Earth in 4K rather than spending $4K at an Australian programming conference. As remote work continues to become more prevalent, will companies start saying “goodbye” instead of “g’day” to applicants from Australia?

This doesn’t seem like smart politics, but nothing about this bill seems particularly smart.

We remain committed to fighting mass surveillance worldwide. We encourage users in Australia to reach out to their representatives and express their opposition to the Assistance and Access Bill.