Sydney-based Law and Economics Consulting Associates said in a report dated April 5 that laws undermining encryption could cause serious economic harm to countries that pass such legislation, and that this damage might spread worldwide too. The report, commissioned by the Internet Society (ISOC), studied the impact of Australia’s Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 [TOLA], which empowers law enforcement to obtain tech companies’ help to access encrypted communications.
In India, WhatsApp is currently fighting similar legislation that it says would force it to weaken its end-to-end encryption. The government wants messaging platforms, mainly WhatsApp, to trace the given message back to the first person who sent it after being ordered to do so, supposedly to hold people spreading misinformation accountable. To this end, it notified the Information Technology (Guidelines For Intermediaries And Digital Media Ethics Code) Rules, 2021, which requires, among other things, that “significant” social media intermediaries (like WhatsApp) comply with government and court orders to trace the “first originator” of a message.
Why undermining encryption can be harmful
The report was working with a few assumptions and limitations, such as the fact that TOLA was only passed in Australia recently, and details on how it was used are clouded by a non-transparent disclosure regime. As such, most of the research the report is based on was done by interviewing digital platforms anonymously. In these conversations, the following reasons emerged as the basis for possible economic harm following TOLA and similar legislation.
- Unpredictability can cause economic harm: “There are numerous mechanisms by which TOLA may impose economic harms. For example, TOLA increases business uncertainty. Studies completed by the US National Institute of Standards and Technology (NIST) in 2001 and 2018 concluded that government-sponsored interventions that reduced uncertainty about digital security resulted in aggregate benefits worth many billions of dollars. By increasing uncertainty among digital market participants as to the best ways to secure digital information, TOLA may forego the realisation of analogous benefits,” the report said.
- Brand image harm: TOLA might cause reputational harm for companies subject to Australian law, as trust in the security of communications facilitated by tech companies in Australia may suffer, the report said. “Customers, which includes both enterprise and mass market Internet users, concerned that their data may be rendered less secure due to TOLA may opt to take their business elsewhere,” the report pointed out.
- Reduction in trust: Digital businesses rely on trust, and a reduction in this trust can increase costs and reduce demand, the report argues. “Reduced trust in data security is expected to depress aggregate demand across the digital economy and induce firms to incur higher costs in attempts to offset the harms resulting from the reduction in trust,” the report says.
- Benefits to law enforcement “small”: In spite of all these potential costs, the report says, law enforcement may not be benefited much by the legislation, the report argues. “Suitably motivated targets who want to secure their data can do so even if TOLA is adopted, by employing strong encryption for both in transit (e.g., end-to-end messaging) and at rest (e.g., storage on a device), and making use of other techniques (e.g., various forms of indirection such as onion-routing) to render any efforts at providing assistance by [tech companies] ineffective,” the report points out.
One industry player estimated that the cost may have been up to AU$1 billion for that player alone due to TOLA. While the report relies on many assumptions, it argues that “the burden of proof should be shifted to evaluating the case for why TOLA is expected to yield significant benefits since the risk of significant harms posed by TOLA is clear.”
- WhatsApp Sues Indian Government Over Traceability Mandate Of New IT Rules
- ‘We Want Backdoors To E2E Encrypted Platforms For Law Enforcement’: India, Japan, Five Eyes To Companies