Assistance and Access Bill spurned by Swiss encrypted email service

A Switzerland-based company that offers the world’s most popular encrypted email service says it won’t have to comply with new national security laws expected to pass Australia’s parliament soon.

The refusal exposes a major flaw in the government’s push to give new powers to law enforcement agencies to tackle online crime.

ProtonMail, which reportedly has more than 5 million users worldwide, also doesn’t believe it would have to remove its smartphone apps from Apple and Google's stores in Australia.

The law, dubbed the ‘AA’ (for ‘assistance and access’) bill, would force Australian or Australia-based companies to give law enforcement agencies access to encrypted communications.

It is intended to help crack modern crime and terror groups, who increasingly use encrypted messaging services to communicate.

The bill rules out requirements to compromise encryption itself, although that hasn't stopped the pro-encryption lobby from describing it as an "anti-encryption" bill.

Nevertheless, the law will require cooperation from companies in gaining access to data before and after it is encrypted on platforms and apps.

In the lead-up to Anzac Day in 2015, a teenage British IS sympathiser used one such app, Telegram, to coordinate preparations for a planned terror attack in Melbourne.

ProtonMail itself was used by the now-defunct company Cambridge Analytica to cover up correspondence it wanted to keep secret.

CA was exposed by an undercover reporting sting by the UK’s Channel 4 News, with senior executives recorded boasting about their operations to secretly influence elections, including the 2016 US presidential election.

Its CEO Alexander Nix told an undercover reporter, who was posing as a political consultant, to “set up a ProtonMail account please because now these (conversations) are getting quite sensitive”.

“We set our ProtonMail emails with a self destruct timer… so then there’s no evidence, there’s no paper trail, there’s nothing.”

ProtonMail, based on technology developed at the CERN physics lab in Switzerland, uses its secrecy as a selling point.

It claims to be used by “journalists, dissidents, doctors, lawyers, NGOs and even regular people who rightfully won’t want their data sold and resold without their consent.”

“While we may not always agree with the people who use ProtonMail, we must nevertheless continue to protect their privacy rights.”

The service was banned in Turkey earlier this year.

On its website it says it believes “privacy and security are universal values which cross borders”.

The company said “Our mission is to ensure that a private and secure Internet is available to everyone, everywhere, including in Australia.”

But the service is “not a safe haven for criminals”, one of the founders said in a recent interview, because “we’re going after them ourselves and getting them arrested”.

The company complies with orders from a Swiss court, he said, providing information such as account use patterns.

However, it cannot hand over decrypted emails.

Because of the way the data is stored, even the company cannot decrypt the messages – only the users can.

“All user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO) which offers some of the strongest privacy protection in the world for both individuals and corporations,” the company said.

“Only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.”

In a blog post earlier this year, ProtonMail criticised the AA Bill, saying that if it forced companies to create “deliberate vulnerabilities” in their security protocols, these “could be exploited by others and compromised the security of all”.

“If users cannot trust the services they use, the chilling effect on free speech is just as if there were no encryption at all,” it said.

“The surveillance state has proved incredibly resilient. The best way to prevent creeping government intrusion is to make informed decisions about where to draw the line between legitimate policing and the right to privacy.”

On Wednesday ProtonMail said the recent update to the proposed law “does not address any of our privacy concerns”.

However, it said, “As a Swiss company we are subject to Swiss law and we do not have the ability to decrypt your messages”.

Asked if the AA Bill would require Apple and Google to de-list the ProtonMail apps from their Australian stores, ProtonMail replied “we don’t think so, but the bill is in the early stages so we cannot say 100 per cent for sure”.

Australian technology companies are concerned that the proposed new law will disadvantage them, as users will prefer overseas technology without the Australia-mandated security flaws.
