The Australian government argues the new legislation is important for national security and an essential tool to help law enforcement and security agencies fight serious offenses such as crime, terrorist attacks, drug trafficking, smuggling, and sexual exploitation of children.
Since the bill had support from both major parties (the Coalition and Labor), the upper house could vote in support of the Assistance and Access Bill to make it law, which is expected to come into effect immediately during the next session of parliament in early 2019.
Although the new legislation does not properly clarify specifics around the potential power that the Assistance and Access Bill could give the Australian government and law enforcement agencies over citizens' digital privacy, it contains new provisions for companies to provide three levels of "assistance" in accessing encrypted data, as explained below:
- Technical Assistance Request (TAR): A notice requesting that tech companies provide "voluntary assistance" to law enforcement, which includes "removing electronic protection, providing technical information, installing software, putting information in a particular format and facilitating access to devices or services."
- Technical Assistance Notice (TAN): This notice requires, rather than requests, tech companies to give assistance they are already capable of providing that is reasonable, proportionate, practical and technically feasible, giving Australian agencies the flexibility to seek decryption of encrypted communications in circumstances where companies have existing means to do it (like at points where messages are not end-to-end encrypted).
- Technical Capability Notice (TCN): This notice is issued by the Attorney-General requiring companies to "build a new capability" to decrypt communications for Australian law enforcement.
These notices would compel tech companies to modify their software and service infrastructure to backdoor encrypted communications and data that could otherwise not be obtained.
It is worth noting that companies could face massive financial penalties for not complying with the new law.
Bill Says—Don't Crack OR Backdoor the Encryption, Just Let Govt Sneak Into Devices
The Bill clearly says that tech companies can't be compelled to introduce a "systemic weakness" or "systemic backdoor" into their legitimate software or hardware, or to "remove electronic protection," like encryption, to satisfy government demands.
Instead, the new legislation contains measures aimed at facilitating lawful access to information through two avenues—"decryption of encrypted technologies and access to communications and data at points where they are not encrypted."
"We encourage the government to stand by their stated intention not to weaken encryption or compel providers to build systemic weaknesses into their products," the Bill stipulates.
So without forcing companies to break encryption in their software, Australian law enforcement is looking for ways to snoop on your messages before they are encrypted, or read them once they're decrypted on the users' end.
Of course, this would require assistance from providers of the software and services, including Apple, Samsung, Google, WhatsApp, Signal, iMessage, and Telegram, though it remains to be seen whether and how tech companies cooperate with the new Australian laws.
You need to read the statement below, included in the Assistance and Access Bill [PDF], word by word:
"The Bill could allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person's home, require a provider to monitor health data of its customers for indications of drug use, or require the development of tool that can unlock a particular user's device regardless of whether such [a] tool could be used to unlock every other user's device as well…"
"While we share the goal of protecting the public and communities, we believe more work needs to be done on the Bill to iron out the ambiguities on encryption and security to ensure that Australians are protected to the greatest extent possible in the digital world."
It should be noted that the Australian law enforcement authorities still require a judicial warrant to sneak into your devices and intercept your encrypted messages.
Five Eyes Nations: Responses to "Going Dark"
Since Australia is a member of the Five Eyes alliance along with the United States, United Kingdom, Canada, and New Zealand, which last month declared that "privacy is not an absolute" and the use of end-to-end encryption "should be rare," the new bill could be a stepping stone towards new encryption laws in other nations as well.
The Bill also claims that without the new legislation, law enforcement agencies face the problem of "going dark"—a term used by the FBI and U.S. Department of Justice (DoJ) to describe the situation in which they fail to intercept encrypted data and communications.
Australian Prime Minister Malcolm Turnbull made his position on encryption clear last year, saying "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."
Apple—Encryption is Simply Math
Apple responded to the new bill by making a submission to the Australian government a month ago, saying "Encryption is simply math. Any process that weakens the mathematical models that protect user data for anyone will by extension weaken the protections for everyone."
"It would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat," the tech giant added.
Even though the new Assistance and Access Bill does not propose weakening encryption or removing electronic protection, tech companies and privacy advocates argue that any effort to thwart encryption, even for one device, could potentially affect the privacy and security of everyone.
Moreover, the new means of getting into devices could possibly open a backdoor for hackers, making it easier for them to spy on encrypted communications or steal sensitive encrypted information.