And once you’re dealing with the devices, you’ve opened up a Pandora’s box of complexity and unpredictability.
“The longer you’re in [the connected-device industry], the more you’re amazed by how complex it is,” Dr Potts told AFR Weekend.
“It’s an ecosystem with a lot of global supply chains, so it isn’t as easy as just going to one provider and saying, ‘Hey, I need this new feature’. It might involve 50 companies, trying to do something at the device level.
“Even on a single device, it’s an ecosystem. You’re dealing with lot of different little things and they’re not necessarily all [accessible] even to the device maker. Which is great from a security viewpoint, but it might mean that [a law enforcement agency] would need to approach 50 companies to get what they need.”
That’s one end of the spectrum of outcomes. The system is just too complex, with too many interdependent parts, for the Assistance and Access bill (also known as the Anti-Encyption Bill) to provide much, or even any, assistance or access to law enforcement.
The other end of the spectrum is just as worrisome.
It’s where the code, or exploits, are created that do crack encryption at the endpoints, but they have unforseen consequences that security experts warn could include: popular encrypted messaging services choosing to geo-block all Australian users rather than install the exploit in their software; the exploits spreading beyond the intended target group and out into the general public; and innocent consumers’ phones having their phones hacked by criminals, or having them black-listed from corporate or government networks because the phones are no longer certifiably secure.
The new legislation prohibits the creation of “systemic vulnerabilities” and “system weakness”, but the complexity of the telecommunications, hardware and software ecosystems makes it difficult to guarantee that targeted vulnerabilities and weaknesses won’t spread beyond the targets and become systemic.
Government agencies or compelled third parties writing exploits can no more guarantee there won’t be unintended consequences than Google, Apple or Microsoft can guarantee their operating systems will always work as intended.
There’s been an example of the consequences of this systemic complexity just recently. In October, a software update written by Microsoft for its Windows 10 operating system interacted with low-level software from Intel and Trend Micro in unexpected ways, blocking some users but not other users from installing the update.
For the blocked users, this turned out to be just as well: the update interacted with some users’ PCs in an unintended way, deleting some or in some cases all of their files.
For other users, though, the update worked well.
As Microsoft just experienced (and not for the first time), and as the Australian nation has learnt from the cane toad, introducing something into a complex ecosystem can have consequences that are hard to predict, and even harder to reverse.