Analysis: ‘Catastrophic’ fallout from Australia security laws could cripple crypto industry
Security services around the globe are clamping down on anonymity services, to the extent that it could collapse the burgeoning blockchain sector. Australia’s latest anti-encryption laws are a case in point.
8th December saw the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (AA Bill) rushed through the House of Representatives in Canberra.
Proposed just four months ago, it contains fundamental anonymity-breaking requirements for tech firms that have senior managements seriously worried.
According to the letter of the law, intelligence agents can serve a technical assistance notice (TAN) or technical capability notice on tech firms, forcing them to comply and to hide that information from their users.
Under amendment 317ZF, if those contacted by security services disclose that information, they could face five years in prison. That’s bumped up to 10 years for cases involving the most serious crimes. Reveal you’re working with intelligence agencies against your customers? Go directly to jail.
The hammer will likely fall hardest on that subsection of blockchain firms who trade exclusively in privacy.
Canary in the coalmine
Australian crypto businesses like Loki are already clamouring for a repeal.
The Melbourne startup builds privacy-focused tools based on Monero to allow for transactions that are entirely and necessarily anonymous.
Speaking to CryptoNewsReview, Operations Lead Simon Harman said: “To put it simply, I think the Assistance and Access Bill was a bad idea. In its current form it serves no one, not even the agencies the government purported it to be supporting, whilst simultaneously needlessly damaging the reputation of Australian technology firms and workers.
“The bill has been poorly covered by the media and the final round of amendments that went into the bill significantly reduced its practical uses for law enforcement agencies. However, it does contain the basis of a system which could be extended in future. The framework to issue notices and silence firms and their workers over government intervention is a dangerous precedent that should be repealed.
“The scariest thing about this bill is the penalties given to providers who leak information about the investigation or notice, or refuse to comply with the notice,” says Harman.
Whistleblowers, including staff at crypto firms who leak, could face a decade in prison, according to sentencing guidelines. Less serious crimes are capped at five years.
Traditional Australian tech firms also face fundamental threats, says Harman.
“Australian VPN providers should be considered compromised from this point on. Agencies could compel these operators to install software which gives them a complete picture of the connection between the VPN, client, and destination.”
These new anti-encryption laws call to mind the famous ‘warrant canary’ in the US.
FBI agents send out thousands of National Security Letters every year to internet providers, forums or other websites demanding they reveal the identity of users they suspect of federal crimes. The NSLs prevent the website from disclosing that they are being watched by authorities. In effect it means that the person under surveillance can’t challenge the decision.
One semi-legal way to get around the gag and warn users is the warrant canary. A website will post a statement to the effect that: “We have not been served with any secret government snooping requests for data.”
Despite years of opposition from privacy groups, the US Ninth Circuit Appeals Court finally ruled in favour of the FBI’s warrant gag in June 2017.
Loki has serious privacy credentials in the form of Lead Developer Tom Winget, who has contributed to the Monero codebase since around June 2014 and is apparently the third-largest contributor to the privacy coin, having written over 120,000 lines of code.
Monero (XMR) has become the currency of choice for grey-area and outright illegal p2p filesharing services like The Pirate Bay. The pirated film and TV torrent website turned 15 in September this year. It is remarkably resilient given its years of battling takedowns and server raids, alongside legislation designed to criminalise users. Those venturing in must be inventive. The site can usually only be accessed through a proxy to get around ISP copyright blocking. Small print on its homepage, added during the crypto rush of early 2018, notes that: “By entering TPB you agree to XMR being mined using your CPU.”
At its heart the AA Bill seeks to solve the existential threat that police and national security agencies face worldwide: the majority of modern communications are now made on encrypted messaging platforms that are difficult to intercept and decode for anyone other than the sender and receiver.
The challenges facing security services become clear when we see that drug dealers are fleeing online black markets on the dark web in favour of end-to-end encrypted messaging apps like Telegram.
Add to this the fact that no information is safe from the exponential rise in private and state-sponsored hacking. So frequent are the data dumps that the leak of highly sensitive and damaging EU diplomatic cables criticising President Trump on China and Russia is just another story.
Down Under, crypto and blockchain startups are flourishing, from energy trader Power Ledger to exchanges ACX and Coinspot. But true anonymity is floundering.
In order to comply with anti-terror financing regulations, Australia banned cash transactions over $10,000. Exchanges in the country must now verify customers’ identity and are forced to report any transactions over this five-figure limit that are considered suspicious.
Where crypto abuts the real world of spying, security and surveillance, cracks start to show. To comply with anti-terror financing regulations Coinbase now requires users to upload a valid driver’s licence in order to buy and sell crypto. This cuts to the heart of the anonymity question. Is it even cryptocurrency any more when transactions require the intermediary of a government or bank?
Tell no one
Much outrage has centred on the idea that the AA Bill bypasses the need for a valid warrant to collect information on users.
Privacy and civil liberties advocates worry this will mean forcing tech firms to build backdoors into their platforms to hand law enforcement data at a pre-encryption stage.
That’s not quite what’s going on. The Act specifically guards against this potential privacy abuse. Instead, this appears to be a tool-scraping device for Australia’s secret service and national cyber security division. Again, if you tell your customers this is what is happening, you could face jail time.
If law enforcement has a suspect they’re tailing, agents could coerce a tech firm or crypto startup to build a fake version of their app to deploy on the target’s phone.
Because blockchain projects are open source, agents wouldn’t necessarily need tech firms to build these fake apps for them. Quietly taking over the source code would in fact expose security services to a much lower risk of being found out.
These are dark arts at play, but when it comes to national security governments tend to use every method at their disposal, no matter how outrageous. The peril doesn’t end there, though.
Harman says if the tools were to fall into the wrong hands, the results could be “potentially catastrophic”. It’s certainly not unheard of. In the high-stakes world of state-sponsored hacking, anything goes.
The NSA’s EternalBlue was the codebase for one of the most notorious infrastructure-crippling attacks of recent years. Developed in-house, this suite of hacking tools was stolen and sold, most likely to North Korea. The result was a stunning attack on the UK’s National Health Service, along with Spanish banks and telecoms companies, all locked down by the WannaCry ransomware worm of May 2017.
“The same is bound to happen in Australia if these tools are being used fairly often,” Harman concludes.
He is, however, bullish on the real-world effects on his business. “Based on the definition of ‘systemic weakness’ contained within the legislation, any compelled modification to our public source code or releases would be illegal, as it would affect everyone that uses Loki.”
Amendments by the opposition Labor Party were granted at the eleventh hour and include limitations that could provide crypto firms with some pre-Christmas cheer.
The text reads: “A technical assistance notice or technical capability notice must not have the effect of (a) requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection; or (b) preventing a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability, in a form of electronic protection.”
The AA Bill essentially specifies that such a capability cannot introduce a “systemic weakness” that could put all encrypted communications on the same platform in jeopardy. This was a key concern of lobbyists and technology sector professionals.
But there are other, wider concerns.
Dr Monique Mann is the director of Australia’s primary privacy NGO, the Australian Privacy Foundation. She says that while other personal privacy rulings like GDPR have made people safer, these laws do the opposite.
Mann believes GDPR requires data protection by design, whereas the AA Bill “mandates information insecurity by design”.
While the EU’s General Data Protection Regulation has imposed huge costs on business, its impact in terms of structural change cannot be denied. People in the UK and Europe are now demonstrably much less likely to suffer from data leaks.
The same is not true for our American cousins, as the hack on data-storage giant Exactis revealed. 3.5 billion records from 340 million Americans are thought to be at risk from that one leak alone.
The US Secret Service is still calling for privacy coins that rely on absolute anonymity of transactions to be regulated.
Experts point to the Five Eyes security alliance between the US, France, the UK, Australia and Canada as key to the case.
In an extraordinary statement aimed at the country’s security services Harman writes: “Some, myself included, strongly suspect that this is a co-ordinated effort by the Five Eyes alliance to gain access to the world’s most popular applications.”
In the UK, MPs in the House of Commons recently forced through an amendment to the highly controversial Investigatory Powers Act of 2016, dubbed the ‘Snooper’s Charter’, which follows Australia’s lead. The law is already highly controversial for its emphasis on mass surveillance, potentially bringing millions of people into the purview of necessarily shadowy security services, especially when the extent of their powers is unclear to private citizens.
And the law will have a devastating effect on Australia’s tech sector, even if in practice the tools it gives to security services are substantially weakened.
“Loki is a project whose sole objective is to help the public access free and open tools for better privacy online, and if we are perceived to be weaker as a result of being in Australia, this is likely to hurt our user growth and long term goals,” Harman writes.
The effects of the Bill will ripple outwards. Any notion that they can be confined to the South Pacific is just naive.
Can Loki stay in Australia with these anti-encryption laws in place? Harman believes so, but without changes to the legislation “there is nothing restricting the Australian authorities from targeting anyone, even overseas corporations or individuals. Most of the Loki team has family in Australia, so many of us would likely return for holidays and could be arrested if we failed to comply with a notice when we returned, or we could even be extradited from the country that we moved to.”
Supporting the crypto industry
When vast amounts of ICO funding were sloshing around, the race was on for governments to cash in. Notably this happened in the Philippines and Armenia, where low-tax economic zones were formed to attract blockchain firms.
But in the background was an implied acceptance that these things couldn’t really operate totally off-grid, without being in any way plugged into the other infrastructure that makes a country work. At least that was the feeling from government. Maybe they didn’t imply it hard enough. Disrupters who run fast and break things tend to get swatted pretty hard by regulators in the end.
The result is the crypto-libertarian dream of borderless, anonymous, trustless transactions and an end to government interference with private citizens dying faster than an iPhone with a lost charger.
Also adding to concerns is the fact that enforcement activity is ramping up. Australia’s Tax Office (ATO) is warning cryptocurrency traders that it wants a cut of their trading profits and, according to comments made by officials reported by the Australian Financial Review: “Anonymity can no longer be relied upon in cryptocurrency transactions, and the state has indicated it is more than willing to prosecute those who use crypto to avoid obligations.”
This is the crux of the argument. There is a fundamental philosophical difference between the tech sector and security services on anonymity, rights and freedoms. Crypto firms will blink first, because they have to. The two sides are, sadly, mutually exclusive.