The Australian government yesterday passed a controversial bill that allows law enforcement agencies to compel tech companies to hand over encrypted messaging data. The legislation has been broadly condemned by privacy groups and technology companies with suggestions it could not only harm the Australian tech industry, but undermine encryption security worldwide.
The Australian legislation has been brewing for more than a year now, with governments around the world repeatedly voicing concern that law enforcement agencies cannot access encrypted communications. The legislation, called the Assistance and Access Bill 2018, can compel a private company to create new interception capabilities so that no communications data is completely inaccessible to the government. Even more controversial is the fact that such a capability must be deployed in secret, without public knowledge.
The new legislation is undoubtedly problematic in a variety of ways. Nevertheless, the Australian Senate rushed the bill through at the end of the final sitting day for the year, amid a whirlwind of political games and sniping. The country's primary opposition party ultimately capitulated and supported the bill, despite long-standing concerns, with opposition leader Bill Shorten accepting the argument that delaying the legislation until next year would threaten the country's national security.
"Do I go home and say 'well I hope nothing happens and I hope that the Government's politics don't backfire on the safety of Australians'? I'm not prepared to do it," Shorten said.
Earlier this year, in a submission to the Australian Parliament, Apple condemned the proposed legislation, calling it "extraordinarily broad" and "dangerously ambitious". The core issue raised again and again is that forcing companies to embed some kind of backdoor access to encrypted data fundamentally weakens security for everyone.
It's unclear exactly what this bill will be asking of technology companies, because end-to-end encryption, properly implemented, is designed so that no intermediary can read the content. Once end-to-end encryption is enabled in an app such as WhatsApp, the company has no way to access that data. So, if it were legally compelled to create something under the parameters of this legislation, it would have to involve some kind of backdoor that lets the company intercept a message at the endpoints: before it is encrypted on the sender's device, or after it is decrypted on the recipient's.
The government has adamantly denied that the bill requires the creation of "backdoors", and the bill itself stipulates that it cannot demand the creation of a tool that results in a "systemic weakness". Of course, many experts suggest this is a game of semantics: there is no way to build a function that accesses encrypted communication without creating a "systemic weakness".
What does this mean for the rest of the world?
Because the new legislation is so vaguely worded, it is unclear exactly what will play out over the next six to 12 months. What we can be sure of is that this Australian regulation will have far-reaching global implications.
Ted Hardie, chair of the Internet Architecture Board, suggested the legislation may even force companies to break laws in other countries if the Australian government tries to compel them to hand over sensitive data. The sweeping GDPR, rolled out across Europe earlier this year, is the prime example Hardie raises.
"We are concerned that the proposed legislation may cause these service providers to violate contracts or laws in other jurisdictions, depending upon the exact nature of the requests made," Hardie writes. "For example, companies with European presence are required to handle sensitive data according to the GDPR, and by complying with an Australian order for data that might be located in Europe, that provider could be required to violate the GDPR to satisfy Australian law."
So, why would a large global corporation such as WhatsApp or Wickr even pay attention to a request as intrusive as those this Australian legislation could require? The bill mandates that companies refusing to comply with a request could be subject to fines of up to US$7 million, or jail for individuals associated with the refusal.
It is hard to imagine things getting to the point where Australia actually tries to put a Facebook or Apple representative in jail for not complying with one of these requests. The scale of the fine, on the other hand, amounts to little more than a slap on the wrist for a massive corporation, so until all of this is tested in court we won't know how far the Australian government is willing to take things.
A blow to the Australian tech industry
The legislation may be impracticable from an implementation perspective, but the tech business sector in Australia has raised concerns over how it will affect local firms competing in the international market. The worry is that any product developed in Australia could be subject to obligations requiring modifications that give government agencies access to its data. Under the conditions of the bill, these modifications could not be disclosed to a client, breeding distrust of Australian products in the global market.
"Any Australian technology company trying to crack an overseas market will inevitably have their local competitors hold up this legislation as Exhibit A as to why Australian vendors should now be treated with caution, if not suspicion," says James Turner, an Australian cyber-security expert. "That's not great for our export market, and I suspect the impact of that will be quite costly. There will be deals we don't win where our legislation may be raised as the block."
If the idea of a government compelling a private company to secretly install backdoor access into private communications sounds familiar, that's because it is essentially the same story that has recently decimated the international reputation of Chinese manufacturer Huawei.
For years, the company has been accused of working with the Chinese government to assist in surveillance and data collection. The Huawei controversy recently hit a boiling point following the arrest of the company's global chief financial officer in Canada.
Australia is also well known for taking a major stand against Huawei, recently banning the company from involvement in the rollout of 5G mobile networks in the country due to national security concerns. The primary worry, ironically, stemmed from a Chinese law that demands that any citizen or company support, assist or cooperate with state intelligence work.
Australia – the global backdoor
Despite other major western governments expressing concerns over the criminal use of encryption technologies, Australia is the first to push this issue to its legislative endpoint. And there may be a reason why this push is happening down under and not in the UK or the US.
Australia is part of a global intelligence alliance called Five Eyes. Comprising Australia, the United Kingdom, the United States, Canada and New Zealand, the alliance is a comprehensive agreement for the sharing of intelligence and surveillance operations.
Australia also has the weakest civil rights protections of all the Five Eyes countries. It is the only one of the five with no single bill of rights, meaning legislation such as this is more easily pushed through.
Of those five major western countries, Australia is best positioned to push through a bill demanding that tech companies insert backdoor access into encrypted information, a demand that, once implemented, would benefit all intelligence agencies in the partnership and not just Australia. So, while this legislation may seem like a small and provincial attempt to strike at global technology companies, it is a perfect strategy for creating an encryption backdoor on behalf of larger countries such as the US and UK.
Now what?
To be honest, no one really knows. The new Australian legislation was ultimately passed in a rush by parliament, and the government has indicated it will revisit the bill in the new year to evaluate a large number of recommended amendments. In the meantime, however, the law is essentially in force, giving law enforcement agencies a number of new powers to exercise over the coming months.
Considering the hot-button nature of personal data security these days, it seems unlikely that a large private company could insert a backdoor into its encryption protocol without some kind of whistleblower leak, but now that the bill has passed we may never know. Either way, this Australian legislation is a major win for governments in the battle against encryption and a major loss for global privacy advocates.