Australia’s proposed anti-encryption legislation has been roundly criticized by tech giants and concerned individuals alike. On October 3, a group of four global tech giants – Facebook, Apple, Alphabet, and Amazon – confirmed that they will oppose the new law, over concerns that it undermines consumers’ privacy.
Nevertheless, the bill forms a crucial test case in the debate over the limits of privacy, and its success (or otherwise) could have impacts on similar proposed legislation in the UK and US. Australia has long formed one part of the US-led ‘Five Eyes’ intelligence network, a group of countries who have agreed to share data collected from citizens’ emails and other forms of electronic communication. The proposed new bill, however, gives the Australian government unprecedented powers to request access to private data.
The Telecommunications and Other Legislations Amendment (Assistance Access) Bill 2018 has not yet become law, but Scott Morrison’s Liberal-National Government seems determined to have it pass before the end of the year. It was tabled in parliament in September with only minor amendments, and is set to be discussed by the parliamentary intelligence and security committee in a one-day hearing next month.
The government claims that the proposed bill is necessary in order to protect the country against terrorist attacks. Intelligence agencies have repeatedly argued that allowing individuals and groups to use encrypted messages denies law enforcement crucial evidence, whether this be in cases regarding pedophilia, organized crime, or terrorism.
The bill essentially requires companies to leave a ‘key under the mat’, a way for the government to access otherwise encrypted data should it need to. Specifically, it would create three new legal mechanisms for Australian Government Agencies to request data from companies in the communications supply chain. These mechanisms range from a ‘Technical Assistance Request’, which asks companies to provide voluntary assistance, to ‘Technical Assistance Notices’, which require such companies to provide private data, as long as this is ‘reasonable, proportionate, practicable, and technically feasible’.
The fines for non-compliance are steep. The current version of the bill proposes that internet companies, device manufacturers, and social media hosts may be fined up to AUS$10 million for each instance of non-compliance. Individuals may be fined up to AUS$50,000.
In extreme cases, the bill would also require tech companies to build new capabilities to access private data. Beyond the more general concerns over the privacy of data, this mechanism has attracted the most criticism from consumers and companies alike.
The scope of the bill has attracted a huge amount of criticism. The government has received some 14,000 submissions from concerned individuals and companies, but so far has received only very limited amendments.
These concerns are motivated by a variety of factors. At the most general level, consumers and companies alike are growing ever-more aware of the privacy of their data. Many tech companies, particularly Apple and Whatsapp, make use of the privacy afforded by their systems in their offer to consumers. For their part, consumers are more tech-savvy than ever before, and many services that used to find only a niche use, such as open source privacy tools and encryption software, are becoming commonplace as individuals seek to protect their private data.
More specifically, many in the tech industry have expressed concerns that requiring companies to build backdoors will inherently compromise the security of their systems. These companies spend many millions of dollars attempting to close such doors, lest they be exploited by hackers, and the idea of purposefully introducing vulnerabilities strikes many engineers as a retrograde step.
In the most general sense, others have argued that the bill risks creating a culture in which companies feel they work (at least partially) for law enforcement agencies. Though one of the legal mechanisms created by the bill requires only voluntary compliance with requests for users’ private data, in reality it is unlikely that any company would refuse such a request for fear of future censure. Because such relationships are nominally voluntary, it is also feared that this part of the bill may be over-used by intelligence agencies to build large, albeit informal, data-gathering systems.
Though Australia has long been a well-integrated part of global intelligence-gathering networks, the new bill goes beyond any comparable legislation in US, UK, or NZ. This, in turn, is not a new phenomenon. As some have pointed out, Australia already has robust national security legislation covering telecommunication interception and surveillance, and these mechanisms are already far in advance of those elsewhere.
The reasons why the Australian government feels it needs greater powers in this area than almost any other state must remain speculative. Some on the left have argued that the government is being leaned on by international partners, and particularly the US intelligence administration, and that the implementation of these mechanisms in Australia form a test case for an eventual roll-out across the ‘Five Eyes’ partners.
There is, however, a more immanent reason why the government is pushing through the bill right now: they can. The lack of organized opposition to the bill may be reflective of the importance given to it by legislators, but it is out of step with how the majority of Australians feel about sharing their data. Rather than being unique in its ability to gather encrypted data, the Australian government should perhaps try to be unique in a different way: to be the first country to reach a consensual compromise between individual privacy and the needs of law enforcement.