The Australian government has passed new legislation that would allow law enforcement authorities to force tech companies to hand over user information, even if it’s protected by end-to-end encryption (via BBC). The Assistance and Access Bill 2018 has been criticized by Apple as well as other technology companies and academics who argue that the legislation will weaken the data security of all Australians, with a reach that could jeopardize the data of companies, citizens, and societies around the world.
At its core, the legislation allows law enforcement agencies to compel companies to hand over user information, even if it’s protected by end-to-end encryption. If companies do not have the ability to intercept encrypted information, they can be forced to build tools to do so.
The problem, as human rights lawyer Lizzie O’Shea points out, is that creating tools to weaken encryption for one purpose weakens it for all purposes. Tools created to intercept encrypted messages between suspected terrorists undermine the digital security of anyone who relies on that encryption for their security, whether they’re buying things online, managing their bank account, or communicating with personal or professional contacts.
“The truth is that there is simply no way to create tools to undermine encryption without jeopardizing digital security and eroding individual rights and freedoms. Hackers with bad intentions will do their utmost to take advantage of any such tools that companies are forced to provide the government.”
O’Shea suggests that once these tools exist, it would be easy for Australian authorities to share them with their counterparts in allied nations. Australia is part of the Five Eyes intelligence sharing agreement, which also includes Britain, Canada, New Zealand, and the United States.
Apple has argued against the legislation, saying that encryption is actually a defense against cyberattacks and terrorism. It says that more of it is needed to make citizens safe, not less.
Once these encryption-breaking technologies exist for a service, they become a potential avenue for hackers to use across the world, and we’ve already seen attacks emerge as a result of breaches of government-held tools. Last year’s WannaCry ransomware attack, which caused chaos for the UK’s National Health Service, was made possible after the Windows exploit was stolen from the NSA.
The Australian government has argued that the powers are necessary to defend its citizens against terrorism and crime, and that companies are protected against having to build capabilities that would introduce a “Systemic Weakness” into their technology. However, academics and lawyers have pointed out that the legislation doesn’t properly define a systemic weakness.
The legislation grants law enforcement agencies three powers. The first two, Technical Assistance Notices and Technical Capability Notices, are compulsory and require companies to give access to encrypted data if they’re able, or to build the capacity to do so if they can’t already. Companies can be fined up to $10 million AUD (around $7.2 million USD) if they don’t comply with either notice. The third is a Technical Assistance Request, a voluntary version of the first two powers that doesn’t need to be publicly reported and isn’t kept in check by the systemic weakness clause.
The Law Council of Australia has criticized the government for rushing the legislation through parliament. A draft version of the bill was only presented back in August, while lawmakers had just a day to review the results of a parliamentary committee’s investigation before voting on the bill on Thursday. The opposition Labor party agreed to drop all 173 of the amendments it initially proposed for the bill in order for it to be passed on the final day of parliament this year. The amendments are now due to be raised for debate in 2019.