On the last day of Parliament for 2018, the Australian Government attempted to introduce world-first encryption laws that would force technology companies to alter their systems and give law enforcement agencies access to their customers’ encrypted messages. Encryption is a major selling point for most technology companies, and these laws have serious and extensive implications for everyone.
Breakdown of the Legislation
A multitude of new powers are introduced under the proposed Assistance and Access Bill 2018. Criticism is focussed mainly on Schedule One, which proposes three key powers for law enforcement:
- A technical assistance request (TAR): Police ask a company to “voluntarily” help, such as giving technical details about the development of a new online service.
- A technical assistance notice (TAN): A company is required to give assistance. For example, if they can decrypt a specific communication they must do so or face fines.
- A technical capability notice (TCN): The company must build a new function to help police get at a suspect’s data, or face fines.
The enforcement agencies being granted this power are:
- Australian Security Intelligence Organisation;
- Australian Secret Intelligence Service;
- Australian Signals Directorate;
- Australian Federal Police;
- Australian Commission for Law Enforcement Integrity;
- Australian Crime Commission; and
- In many cases, State Police.
What Does This Mean?
Encrypted messaging provides customers with the security that messages can only be read by the sender and intended recipient, with the ‘key’ to unlocking the encrypted message remaining only with them. The idea is that not even the service provider can unlock the messages.
With these encryption laws, however, enforcement agencies will be handed the key. Indeed, the things these companies could be forced to do are extensive. They may have to install software and modify their services or provide technical details such as source codes. What is more, the Bill contains extensive secrecy provisions, meaning companies are not allowed to tell anyone that their messages have been read or that new software has been installed.
This legislation is capable of forcing technology companies to install backdoors for accessing their customers’ encrypted data. While the Government has specifically denied that the legislation allows for ‘back doors’ in software, IT consultant and Electronic Frontiers Australia board member Justin Warren disagrees. Warren states, “if you break encryption in one place, it’s broken everywhere”. Dr Suelette Dreyfus, a University of Melbourne cybersecurity and privacy researcher, also asserts that “there will be smart criminals who will find and use these backdoors in all sorts of dangerous ways”.
The penalties for failure to cooperate include $10 million fines or ten years in jail. Experts are saying these laws could see employees punished for simply doing their job or installing vulnerabilities and essentially hacking into their own company. In effect, any platform that uses encryption technology – from Tinder to WhatsApp, online banking to mobile gaming – will be exposed and targeted by these laws.
Extensive Reach
The Government emphasizes these laws are focussed on preventing terrorism and tackling organised crime. What they don’t emphasize, however, is that other parts of the Bill could be extended to investigate smaller federal crimes with three-year penalties.
Another concern is the attempted extraterritorial reach of the legislation. In their submission, the Communications Alliance said this global reach is “unprecedented” and could mean companies simply stop offering their products in Australia. Various major technology companies are based overseas, so questions have been raised as to how Australian police could make them do anything under national law. Indeed, many companies such as Apple have slammed the laws, and experts fear that these companies could remove themselves from Australia entirely rather than cooperate with these laws.
The Implications
Experts and technology companies alike continue to warn that tinkering with the security of online systems may have serious consequences. Encryption provider Senetas explained that changing just one part of a telecommunication network could have unforeseen systemic effects, which will be exacerbated by the Bill’s demand for secrecy.
There are also fears that these laws will cripple Australia’s local tech industry by making overseas customers suspicious of Australian products, as they fear government-mandated backdoors. Similarly, digital rights activist Asher Wolf warned of a “brain drain” as Australia’s technology minds move overseas rather than working under this system. Whilst under duress, “people can’t do their jobs as engineers, developers or testers”, Wolf said.
While some of these fears may be over-dramatic, the message is clear: this legislation could have chilling effects on the Australian tech industry and on the privacy of individuals and businesses. If it is to be passed, it must be re-drafted dramatically.
The Way Forward
Unfortunately for us, most of these implications are likely to play out behind closed doors, while the public is fed success stories of foiled terrorist attacks using the encryption laws.
However, we could also see tech companies simply refusing to work with the Australian authorities. For example, after the 2015 San Bernardino terrorist attack, Apple refused to comply with FBI requests to unlock the suspect’s iPhone.
In the meantime, the push to ram this legislation through Parliament on the last day of sitting ultimately failed. Therefore, the laws will be delayed until 2019 at least. In that time, it is hoped that the legislation is re-drafted if not reconsidered altogether. In their announcement, the Law Society stressed that “serious concerns remain” and in the future, “the intelligence and security committee needs to be brought back into the frame to get these laws right”.