A developer from popular end-to-end encrypted messaging app Signal says it can’t help law enforcement decrypt Signal messages under Australia’s new Assistance and Access law.
The company is a potential candidate for receiving one of Australia’s voluntary technical assistance requests or the compulsory assistance and capability notices. The messaging app falls within scope of the law as a provider of an “electronic service that has one or more end users in Australia”.
Signal developer Joshua Lund said the messaging app maker “can’t include a backdoor” and that Signal, by design, doesn’t keep records of users’ contacts, conversation lists, location, avatars, profile names, group memberships, group titles, or group avatars. It doesn’t even have access to the private keys that could be used to decrypt a message -- something that only the recipient of a message has.
“The end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us," wrote Lund.
"In most cases now we don’t even have access to who is messaging whom,” referring to the scars of metadata that can be used discover a person's contacts.
Signal, which is considered one of the most secure messaging apps available, could be an interesting test case for Australia’s new encryption law, though it’s less likely to face an assistance request than Facebook-owned WhatsApp, the world’s most popular messaging app. WhatsApp adopted Signal’s end-to-end encryption protocol in 2016, and since then Skype has too for private messages.
WhatsApp has faced troubles in Brazil ever since telling local authorities in 2016 that it could not provide users’ plaintext messages because of its end-to-end encryption.
The experience of WhatsApp in Brazil offers a preview of what could happen in Australia if Signal or WhatsApp didn’t include a requested backdoor. The Australian government could follow Brazil's action and block the Signal service. But Lund argues this will fail.
“Although we can’t include a backdoor in Signal, the Australian government could attempt to block the service or restrict access to the app itself. Historically, this strategy hasn’t worked very well. Whenever services get blocked, users quickly adopt VPNs or other network obfuscation techniques to route around the restrictions,” he wrote.
Also, pressuring Apple or Google to remove apps from their respective app stores would fail because of how easy it is to switch regions.
Lund also pointed out that all Signal software is entirely open source, meaning that even if the law prevents individuals within a company from revealing details about a request, Signal can’t hide secrets in its software.
To emphasize Signal’s protections for its users, Lund notes that even if a foreign government asked it to provide a plaintext copy of Signal messages from Australia’s Attorney General Christian Porter, it couldn’t; nor that of former Australian PM, Malcolm Turnbull, who reportedly actually uses the app.
Last week Mike Burgess, director general of Australian Signals Directorate posted a myth-busting blog about Australia’s encryption laws, arguing that claims the law will push US tech companies with bases in Australia offshore were “flawed” because the UK already has similar powers, while others are considering it.
Lund however argued the law could erode the benefits of tech companies that employ developers in Australia to take advantage of the time zone differences.