On Thursday, the Australian parliament approved a measure that critics say will weaken encryption in favor of law enforcement and the demands of government.
The new law, which has been pushed for since at least 2017, requires that companies provide a way to get at encrypted communications and data via a warrant process. It also imposes fines of up to A$10 million for companies that do not comply and A$50,000 for individuals who do not comply. In short, the law thwarts (or at least tries to thwart) strong encryption.
Companies that receive one of these warrants have the option of either complying with the government or waiting for a court order. By default, though, the orders are secret, so companies would not be able to tell the public that they had received one.
However, the law as currently written seems to contain what some view as a loophole. The statute says that companies cannot be compelled to introduce a "systemic weakness" or a "systemic vulnerability" into their software or hardware to satisfy government demands.
"Some suggest that exceptions can be made, and access to encrypted data could be created just for only those sworn to uphold the public good," Apple continued. "That is a false premise. Encryption is simply math. Any process that weakens the mathematical models that protect user data for anyone will, by extension, weaken the protections for everyone. It would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat."
Even Riana Pfefferkorn—a cryptography expert and attorney at Stanford Law School who submitted formal October 2018 testimony to the Australian parliament arguing against the law—doesn't know what is meant exactly by "systemic weakness."
"Nobody knows!" she said, while laughing for a brief moment. "Whenever you open up a vulnerability in a piece of software or a piece of hardware, it's going to have consequences that are unforeseeable."