https://getsession.org/blog/on-the-recent-australian-surveillance-legislation
On the recent Australian surveillance legislation
September 09, 2021
Regulators are increasingly acting with open hostility <https://getsession.org/blog/war-on-encryption> towards encryption,
security, and privacy. The latest chapter in this sorry story took place in our own backyard when Australia’s government passed a
new bill granting the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) new surveillance
capabilities. Because Session is built in Australia, we’ve always kept a close watch on emerging regulation in Australia as well
as the other Five Eyes countries. Unfortunately, this isn’t the first time Australia has rushed an anti-encryption bill into law,
with the infamous Assistance and Access Act
<https://getsession.org/blog/session-and-australias-laws-to-circumvent-secure-communications> speed-running through Australia’s
parliament in 2018.
Because surveillance capacities are being expanded and strengthened all over the world, Session’s design takes this into account.
After all, the people using Session are often vulnerable people living and working in the most highly surveilled places in the world.
*So where the bloody hell are you?*
Choosing to build Session in Australia is something that has always raised eyebrows for people who are privy to the Five Eyes
intelligence alliance. Why wouldn’t Session be based in Russia, Switzerland, or just anywhere with a less hostile regulatory
environment?
The answer is simple: running away from regulators is not a sustainable future for private tech. No, the solution is to build
technology which is actually resistant to surveillance and other encroachments on people’s personal privacy. Local regulatory
environments are always evolving and changing, and it’s not viable for development teams to pick up and move to the latest privacy
haven every time their local laws change. An (unfortunate) recent example of this is ProtonMail.
While ProtonMail is widely trusted by the privacy community—I use it myself—and they’ve done awesome work spreading private,
encrypted services to lots of people, there was a view ProtonMail could operate with impunity because they were based in
Switzerland. So strong was this belief, that being Swiss was a core part of ProtonMail’s branding.
But the /Swiss is safe/ mantra copped a body blow when it was revealed
<https://twitter.com/tenacioustek/status/1434604102676271106> Swiss authorities compelled ProtonMail to share the IP address and
device information about activists in France. This information reportedly resulted in the arrest of a climate activist, and now
ProtonMail has deleted the claim they ‘don’t log your IP’ from their website
<https://www.theregister.com/2021/09/07/protonmail_hands_user_ip_address_police/>.
While credit has to be given to Proton for remaining relatively transparent about this incident, it serves as an excellent
illustration of the problem with placing too much importance on where a company is domiciled. While it’s an important aspect to
consider, the technological design should always be a part of the evaluation as well. No matter how friendly government
authorities might seem, when push comes to shove companies must always comply with their local laws. In this case, because of the
way email technology and ProtonMail are designed, the Proton team simply had no legal alternative.
*What this means for Session*
The Session team has always been prepared to face regulatory hostility. Before a single line of Session code was written, we were
pondering how to make sure the app itself would always remain a safe, secure place for people to communicate.
Decentralisation is at the heart of Session’s design. While it’s true that Session’s main development team is based in Australia,
its infrastructure is spread all across the world. Over 1,500 community-operated servers are currently routing Session messages
for over 150,000 users. The network is growing all the time, as more and more people commit to upholding the privacy of Session’s
users by running their own server. The team hasn’t got any way of accessing these servers, and we will never have the capacity to
gain access.
Session is designed to minimise the amount of data required to deliver a message from one person to another. That data is also
spread across many, many servers operated by many different people in different jurisdictions all over the world.
The whole point of Session is to keep its users safe — no matter where in the world they are.
*The beating heart of privacy*
Before we finish off this article, it’s important to criticise this legislation and its consequences — not necessarily for
Session, but for all Australians. In Australia, this is the second major piece of legislation we have seen in the last few years
which greatly inhibits the privacy of Australian citizens as well as jeopardising the future of several Aussie tech companies.
The right to privacy is enshrined in the UN’s Universal Declaration of Human Rights (UDHR). Australia sat on the Drafting
Committee for this milestone human rights document and was one of 48 countries which voted for its adoption.
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his
honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
— Article 12 of the UDHR <https://www.un.org/en/about-us/universal-declaration-of-human-rights>
Due to the grossly insufficient safeguards contained within the recently passed Identify and Disrupt Bill, Australia is failing to
uphold its commitment to protect the privacy of its citizens.
The contemporary issue of privacy rights is deeply entangled with the concept of digital privacy and security. For Australians to
enjoy the right to privacy as described in the UDHR, guarantees around the privacy of digital information are absolutely necessary.
Because the Identify and Disrupt Bill doesn’t mandate any judicial oversight (by requiring a warrant), there is also a real
concern that, as a consequence of weakening the right to privacy, the act could lead to the contravention of other rights —
such as people’s implied right to freedom of political communication, which is provided for in the Constitution of Australia.
In the future, the government should consider more carefully the rights of its people, as well as the recommendations made to them
by the relevant human rights experts, before rushing amendments through its parliament.
*Looking forward*
As disappointing as these attitudes towards privacy and encryption are, they are not entirely unexpected. We hope that, as the world moves
forward, everyone will have the ability to navigate the digital world peacefully and privately. That’s the future Session is
contributing to, and rest assured that the Session team is extremely dedicated to that vision. But for the time being, the most
popular technology is centralised, and this kind of regulation punches a huge hole in centralised tech’s ability to remain private
— even for platforms with the best intentions. That’s why engineered solutions like Session’s decentralised infrastructure are so
important for the future of technology — without it, no service (regardless of where it’s based) can guarantee your privacy.
If you’ve got any questions for us, feel free to get in touch with us using the Session open group
<http://116.203.70.33/session?public_key=a03c383cf63c3c4efe67acc52112a6dd734b3a946b9545f488aaa93da7991238> (on Session, of course).
--
Kim Holburn
IT Network & Security Consultant
+61 404072753
mailto:[email protected] aim://kimholburn
skype://kholburn - PGP Public Key on request
_______________________________________________
Link mailing list
[email protected]
https://mailman.anu.edu.au/mailman/listinfo/link