Australia’s new cyber-snooping law may create website security issues for online properties everywhere—not just in Oz.
Here’s how. The new law requires internet providers serving Australia to remove privacy protections currently preventing police from monitoring encrypted online activity.
Additionally, the law seems to make it OK to share with other countries’ police and spy agencies whatever Australia uncovers.
For example, American law normally prevents the U.S. government from eyeing encrypted visitor sessions at your website. To spy on them, the feds must first get a warrant. (Unless they claim a Fourth Amendment exception carved out in a past Supreme Court ruling.)
However, American authorities can skip the whole due process bit. They need only ask their Australian counterparts to pass along Australian-collected intel relating to the U.S. spy target. Australia’s new law seeks to ensure the continued availability of this intel. And in richer detail.
National Security is Law’s Justification
The Australian parliament approved the new cyber-snooping law on Dec. 6.
According to news reports, a desire to prevent terrorist attacks drove Australian legislators to get on board with it.
Some observers describe the new law as giving Australian security officials “unprecedented” powers.
From Yahoo News:
“Canberra can compel international providers—including overseas communication giants such as Facebook and WhatsApp—to remove electronic protections, conceal covert operations by government agencies, and help with access to devices or services.
“[Lawmakers] brushed off warnings from tech giants that the laws would undermine internet security…. Global communications firms, including Google and Twitter, have repeatedly said the legislation would force them to create vulnerabilities in their products, such as by decrypting messages on apps, which could then be exploited by bad actors.”
There lies the reason this new law creates website security issues. Take away encryption protection to make the police happy and you also end up making cyber-crooks happy.
Yahoo quotes one cybersecurity chief who basically said anyone can use a backdoor once installed. Cops, crooks, kids just messing around. It amounts to vulnerability baked right into the cake and ripe for exploitation.
Remember how in past posts in this space we talked about the magic of HTTPS? Do you recall our descriptions of HTTPS as a boon to internet security?
Well, some or all of HTTPS’s wonderful goodness could go out the window. All it would take is for providers to build backdoors as required by Australia’s new law.
Valet Addresses Website Security Issues
Critics of the law argue that the presence of backdoors represents a blow to privacy-as-a-business-model. They contend that the ability to claim privacy as a value-proposition ends if the law reduces or eliminates privacy.
And now for some hope-stirring news. Various influential organizations in and out of Oz convinced the Australian government to consider modifying the measure in coming months.
What’s more, the government promises to give it a top-to-bottom review in about a year or so to see if it needs extra amending.
Admittedly, this new law may in the end prove a nothingburger where website security issues are concerned. In that case, the law likely continues on unchanged.
On the other hand, it might turn out that the critics nailed it. In that case, the government may relent and loosen things up. Time will tell.
In the meantime, why not give Valet a shout and invite our team of website security experts to poke around under the hood of your site? They’ll almost certainly find at least a few things that can be improved to boost the state of your website’s health.