It is a fairly binary question: should paedophiles have an absolute right to privacy? Should those who would do the community harm through acts of mass murder be allowed to operate free from digital harassment by law enforcement and intelligence services?
And if you answer unequivocally no to both questions, what damages are you prepared to wear and at what cost?
For instance, are you willing to accept that the domestic technology industry might be seriously compromised, losing potentially billions in foreign sales? Or do you mind that all of your own personal information — including your finances, your medical history and your own intimate correspondence with friends and family — would be made more susceptible to bad actors by a law which guarantees a security weakness as a legislated design element?
That’s the dilemma facing Australia’s politicians, most of whom have demonstrated little intrinsic understanding of the matters on which they are legislating.
Last week Australia passed a modified version of its anti-encryption bill, which gives law enforcement the ability to compel technology companies to create capabilities to access data to which they do not have direct access — essentially creating a backdoor into previously encrypted data.
Ostensibly designed to fight terrorism and other serious crimes, the new laws give police and intelligence agencies powers to access encrypted communications, and go further than any other western nation.
The legislation, known as the Assistance and Access Bill, was passed on the final sitting day of Parliament after the opposition Labor Party dropped its proposed amendments to the Bill, voting to pass the legislation on the understanding that it would be re-examined in the new year when Parliament resumes.
While substantial amendments are expected, the legislation in its current form has drawn the ire of privacy groups and the local tech community over fears of mission creep, designed vulnerability exploitation and an undermining of confidence in the Australian market.
Critics have argued the backdoor capability can also be exploited by the criminals law enforcement agencies seek to expose. And they argue the very possibility of its existence — companies cannot notify any users of the forced backdoors — will undermine the Australian technology industry.
Senetas, a global leader in the development of advanced encryption technologies with clients in 40 countries — including contracts with the US government, secret service agencies and Australian agencies — is the kind of company with plenty to lose if the legislation is not amended.
Francis Galbally, Chairman of the ASX-listed business, told Which-50 that by rushing the Bill through on a shambolic final sitting day, Parliament had ensured the legislation and proposed amendments could not be properly considered.
“I think the Bill was passed in haste with no regard made of suggested amendments and further interaction with the industry leaders which was asked for on many occasions,” Galbally told Which-50.
“Legislation made in haste is bad legislation.
“I think the government needs to introduce some further discussion early next year and consider seriously the amendments being proposed,” Galbally said.
Some amendments have been made on the initial draft of the Bill, which Galbally says he welcomes, but they do not go far enough.
He criticises the broad nature of the Bill. In particular, he says the new capabilities the laws could force companies to build into their software risk creating “huge” unintended consequences for security and the local industry.
“I think the real risk here is the fact that a party can be asked to grant access or to modify a product after consultation [with intelligence agencies] but do so without regard or collaboration with other players in the industry.”
If a bug or a backdoor is introduced into a product, the weakness could spread to other systems that depend on that product, says Galbally. “Worse still, the weakness that is introduced into the product because the intelligence agencies want to eavesdrop, can be used by a malevolent power or by a criminal to access, through that product, other systems and data and information relating to citizens.”
These new backdoor capabilities create the possibility of Australia’s own WannaCry ransomware scenario, critics like the Senetas Chairman warn.
In 2017 an exploit the NSA had developed for a Windows file-sharing (SMB) vulnerability was leaked by hackers, and within weeks it was being used to spread WannaCry ransomware around the world. The flaw in that case was a pre-existing bug the agency had found and stockpiled rather than one built into the product at its request, but the lesson critics draw is the same: a capability reserved for government access is only as safe as the secrecy around it, and once it leaks anyone can use it. Galbally said a similar outcome is now possible in Australia because of the designed vulnerabilities intelligence agencies could require companies to implement.
The laws also threaten to tarnish the Australian industry’s global reputation, he warns.
The Bill’s original form created the risk that tech companies could even avoid the Australian market altogether but, Galbally says, it is still too early to know if that will occur as amendments could significantly change the Bill.
“I’m very hopeful that the government and the Labor party will see sense and actually look at amending it in a way that it achieves the purpose intelligence agencies seek, but also ensures that every citizen’s security and trust in the system remains.”
A “body blow”
Paul Shetler, former CEO of the government’s Digital Transformation Agency (who also held a similar role in the UK prior to coming to Australia), is less optimistic. He says the laws are a “body blow” for Australia’s technology industry and undermine efforts to grow the sector.
“Australia needs to move beyond extractive industries, agriculture and tourism. This is a body blow [to that],” Shetler told Which-50.
“I think it massively hurts Australian companies overseas and it disincentivises foreign technology companies from opening offices in Australia.”
Shetler said foreign customers concerned with security and cyber would likely avoid Australian tech products and Australian companies will be viewed “as an equivalent to China’s Huawei.”
The introduction of the laws will also make Australian companies a target for hackers, Shetler said.
“Australian companies will be hit very hard by hackers and criminals looking for ways to break in because everyone is going to know they are there.
“Once you put a backdoor in, anyone who finds it can use it and of course it’s going to be quite clear now that there is a backdoor and people are going to be looking for that — particularly with Australian software.”
On an individual level, the laws place Australians working for global companies in a precarious position.
“The way the law is drafted, Australian employees of foreign tech companies can be viewed as kind of a rogue force. They are not allowed to let anybody know if something happens — it is all very forbidden to talk about it — therefore management doesn’t really know what’s going on,” Shetler said.
At a product level Shetler raised three possible routes that global companies could take: weaken their products (which makes them less attractive overseas); make a special Australian version of their product; or exit the market completely.
“It will be interesting to see the reaction of large tech companies — Apples and others — who have made a real stand against this kind of stuff in the United States, what their reactions are and how willing they are to compromise their products.”
“Will they produce special Australian versions of their products which are weaker in security? Or will they compromise all of their products at risk of losing domestic market share? Is Apple willing to lose a percentage of its market share in the United States or Europe to satisfy 25 million users in Australia?”
A global perspective
Sharon Bradford Franklin, Director of Surveillance and Cybersecurity Policy for New America’s Open Technology Institute, said the laws raise serious concerns for Australian developers and any tech companies that do business in Australia.
“Users will no longer be able to trust that Australian developers’ products are secure, and this could have a significant impact on their ability to sell their products and services,” she told Which-50.
“They are now subject to a law that authorises the government to demand that they weaken the security features of their products. Despite the law’s statement that the government may not require communications providers ‘to implement or build a systemic weakness or systemic vulnerability,’ the breadth of the provisions creating tools like technical capability notices undermines this assurance.”
Prior to the laws passing, New America’s Open Technology Institute (OTI) had urged the Australian Parliament to slow down the process and had submitted three rounds of comments on behalf of an international coalition of civil society organisations, technology companies, and trade associations.
Bradford Franklin noted that neither the United States nor any of the other Five Eyes countries has a comparable law that “provides the government with specific authorities to break encryption or otherwise require tech companies to weaken the security features of their products.”
Bradford Franklin is, however, deeply concerned that the Australian law will become a model for other countries.
The Australian law’s authorisation for Technical Capability Notices (TCNs) is modelled on the United Kingdom’s Investigatory Powers Act (IPA), but according to Bradford Franklin it poses greater threats to cybersecurity and individual rights than the UK law because there is no provision requiring any type of independent review before a notice is issued.
Setting these laws in context, Bradford Franklin said over the past two years, the Five Eyes countries have focused on developing strategies and policies to weaken encryption, and ensure governmental access to encrypted communications.
In August the Governments of the United States, the United Kingdom, Canada, Australia and New Zealand issued a Statement of Principles on Access to Evidence and Encryption stating that if they continue to “encounter impediments” in their efforts to access encrypted communications, they may pursue legislative mandates for encryption back doors.
Bradford Franklin cited research that the principal challenge law enforcement agencies face in accessing digital evidence is not encryption, but obstacles such as a lack of training and resources that would permit them to access evidence that is already legally available.
“Law enforcement agencies already have many tools available to provide them with access to digital evidence, such as metadata and cloud backups of content,” she said.
“A backdoor to a backdoor”
Bradford Franklin argues there is a serious risk that other countries may use Australia’s new law as a backdoor to an encryption backdoor.
She explained, “Australia now has the authority to compel providers to create encryption backdoors, and once providers are forced to build weaknesses into their products, then other governments can exploit those weaknesses.
“For example, if Australia issued a technical capability notice to compel Apple to build a new operating system to circumvent iPhone security features — which is what the FBI demanded in the San Bernardino shooter case — then, if Apple complied and built the system, it could then no longer argue that it lacked the capacity to turn over data to the US government in similar cases.”
How exactly would Apple respond to such a request? Now that the laws have been passed, attention is shifting to Internet giants like Apple, Google and Facebook to see what they do next.
But given the difficulty the Australian government
Amazon Web Services addressed the issue a fortnight ago, before the Bill was passed, during its annual re:Invent conference in Las Vegas.
At the time the cloud giant wouldn’t rule out opposing such laws in court if they were to pass, depending on the legislation’s final wording.
Currently the tech giants are deferring all commentary to the digital industry association, DIGI, which represents Facebook, Google, AWS, Twitter and Oath.
According to a statement provided by DIGI the laws contain fundamental flaws which “should have been addressed before it was passed into law.”
The group said it will “continue to assess the impact of the legislation” and what it means for its members’ operations in Australia.
Here is the statement in full:
“This legislation is out of step with surveillance and privacy legislation in Europe and other countries that have strong national security concerns. While we acknowledge and appreciate the efforts of the opposition this week to address the critical issues with this bill, we share the concerns expressed by industry and civil society that fundamental flaws within it have not been rectified and should have been addressed before it was passed into law.
“Several critical issues remain unaddressed in this legislation, most significantly the prospect of introducing systemic weaknesses that could put Australians’ data security at risk. It is also deeply concerning that the minimum safeguards Australians should expect under such unprecedented new powers — judicial oversight and a warrant-based system — are absent in relation to the new Technical Capability Notice.
“DIGI members have a long history of working with Australian law enforcement to promote public safety, and respond to thousands of requests every year from Australian law enforcement. However, the changes proposed in this legislation potentially jeopardise the security of the apps and systems that millions of Australians use every day.
“DIGI members will continue to assess the impact of this legislation and what it means for their operations in Australia.”