Australia‘s government signed a bill into law last week giving law enforcement agencies the right to force technology companies to reveal users’ encrypted messages. Another way of putting it: Australia’s tech scene will soon be located on the Wayback Machine.
The law was introduced as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, but now it’s official. And there’s a lot to be concerned about, even if you don’t live or work in Australia.
The new law gives Australian law enforcement agencies the power to issue cooperation notices to technology entities with the purpose of gaining access to specific users’ encrypted messages and data. These entities may include companies, websites, or anything else that transmits data to an end-user in Australia.
They can also contain an individual if the person “develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end users in Australia.”
The three notices are:
- Technical Assistance Notices (TAN): these are sent when a company has the ability to decrypt a message, bypass encryption, or provide access to user logs including inputs before encryption or after end-decryption. These are compulsory and refusal can result in financial penalties.
- Technical Capability Notices (TCN): these would compel companies to build infrastructure to enable access for law enforcement – though by definition cannot force a company to “weaken” encryption for all users.
- Technical Assistance Requests (TAR): these, despite being voluntary (they carry no penalty if a person refuses), circumvent the rules surrounding mandatory requests, including their inclusion in oversight reports.
Before we get into the specifics of what these requests mean, and how they could affect Australia, its citizens abroad, and the rest of the world, it’s worth understanding why the country’s government just rushed such a chilling law through.
According to the government, its passage was necessary to prosecute terrorists. But, ambiguous language throughout the bill – as passed – leaves the door wide open for vast interpretation.
In essence, it seems that an investigation into any crime “punishable by a maximum term of imprisonment of 3 years or more or for life” can be used as the basis to invoke the law. Depending on how the court chooses to interpret sentencing this could encompass non-violent offenses and lead to near ubiquitous sweeps. As Tech Crunch reporter Zack Whittaker wrote:
Critics have pointed out that the law could allow mission creep into less serious offenses, such as copyright infringement, despite promises that compelled assistance requests are signed off by two senior government officials.
Australian investigators will apparently be able to demand access to just about anyone’s data as “six degrees of separation” networks get built.
There’s no language in the bill’s documentation indicating a person has to be suspected of a crime, but merely “involved in inquiries pertaining to” one, in order for the law to cover an order for access.
Worse, the law would allow for covert operations with legal penalties for non-participation or blowing secrecy. This means a company could be forced to spy on any user the government says is related to a crime without informing the users under penalty of fine. It also means that the government will conduct the bulk of its related surveillance work with absolutely no public awareness or oversight.
It gets worse. An individual developer could potentially be forced to alter/bypass/disable company software. And could be charged with a crime if they refuse or inform the company.
Basically, according to experts, if an Australian tech-worker is employed by your company, the government could potentially compel them to hack/disable/change/bypass/etc. your systems with a threat of jail time. Whether or not it’s feasible, the fact it’s law is concerning.
One of the ways #AABill gets access to systems is by commandeering employees of companies to write backdoors. But they’re not even allowed to tell their employer, or face jail time.
I went through the mechanics of this, and realised how out of touch Canberra is…
— Alfie John (@alfiedotwtf) December 4, 2018
And, if you use any technology product in Australia, your encrypted data could be sent to the government. Finally, if you’re a technology company based in Australia, every potential client, customer, or user knows their data is potentially compromised if they use any of your encrypted software.
Well shit, I've already got international folks asking if they need to treat their Australian teams as potentially compromised now.
— Paul Fenwick (@pjf) December 6, 2018
Politicians in many nations, for whatever reasons, have attempted to give law enforcement such sweeping power over the years but cooler heads have always prevailed. There’s no end to the damage this law could do if there’s even a single corrupt judge, law enforcement agent, or politician on the Australian continent.
As the signatories of an open-letter to the Australian government titled “You Bunch of Idiots!” put it:
Being against the so-called “Assistance and Access Bill” does not mean you are in support of terrorism or pedophilia. We abhor terrorism and pedophilia. We are against the bill because it is a destructive and shortsighted law.