Australia passes controversial encryption law, raising serious privacy and legal concerns
On Thursday, the Australian government passed a controversial new law that would allow law enforcement and government agencies to demand access to encrypted communications. Under the new legislation, companies who fail to comply with requests could face fines up to $10 million (AUD), and individuals could face fines up to $50,000 (AUD).
The legislation includes powers that would allow agencies to seek three types of assistance from tech companies and individuals, as reported by CNET:
- Technical assistance request: A notice to provide “voluntary assistance” to law enforcement for “safeguarding of national security and the enforcement of the law.”
- Technical assistance notice: A notice requiring tech companies to offer decryption “they are already capable of providing that is reasonable, proportionate, practicable and technically feasible” where the company already has the “existing means” to decrypt communications (e.g. where messages aren’t end-to-end encrypted).
- Technical capability notice: A notice issued by the attorney general, requiring tech companies to “build a new capability” to decrypt communications for law enforcement. The bill stipulates this can’t include capabilities that “remove electronic protection, such as encryption.”
While the bill states that companies cannot be required to introduce a backdoor or “systemic weakness” or “systemic vulnerability” into their technology to respond to government demands, this term is not defined in legislation. There is also no mechanism for a company subject to a technical capability notice to seek clarification on whether the new capability demanded would result in the removal of electronic protection and the introduction of a systemic weakness or vulnerability. Amendments that would address these issues have been proposed, and are to be debated in 2019.
Tech sector, privacy advocates raise concerns
The legislation has been heavily criticized by privacy advocates and by tech companies, such as Apple and lobby group DIGI (the Digital Industry Group Inc.), which includes Amazon, Google, Twitter and Facebook. Among other concerns, critics have noted that tools created to decrypt communications are unlikely to remain used for the limited uses contemplated by the bill. Decryption tools and decrypted data are vulnerable to hacking, leaks, and are likely to reduce overall data security and privacy online. As a member of the Five Eyes, it also seems likely that Australia would share decrypted data and tools with other member countries.
In a PIA blog post earlier this week, Derek Zimmer also provided an overview of these concerns and detailed how the powers contemplated in the bill are likely to be ineffective at addressing the stated problem.
“This new law will dramatically increase the access of intelligence and law enforcement agencies to the private communications of ordinary Australians, with implications for our right to privacy and freedom of expression.”
– Edward Santow, Australian Human Rights Commissioner
Criticism from human rights and legal experts
The legislation has also attracted criticism from human rights and legal experts. The Law Council of Australia (LCA) released a statement in opposition to the bill. Specifically, the LCA noted that the legislation would circumvent the need for law enforcement to obtain warrants when asking tech companies and communications providers to perform actions like intercepts through “technical assistance requests”. The statement also raised concerns that the bill did not make it clear that legal privilege was protected, and noted a risk that individuals could be detained to provide “compulsory assistance” without being afforded the proper legal processes, including the ability to contact a lawyer.