Planned Australian law raises tech firms’ security concerns

The Australian government is this week expected to release a draft bill that will introduce new powers to help law enforcement officers investigate illicit activity online, which supporters claim are necessary to counter criminals’ increasing use of encrypted digital methods of communication.

The draft bill proposes three ways for tech firms, software developers and others to assist security agencies and police.

The legislation provides for “technical assistance requests”, under which a company can choose to help “voluntarily” by giving details about the development new online services.

However, under “technical assistance notices”, companies are required to give assistance if they can, such as decrypt a specific communication or face fines, and under proposed “technical capability notices”, companies must build a new function so they can assist police. But the government claims that “systemic” weaknesses, such as undermining encryption across all devices, cannot be demanded, reports ABC news.

However, the Digital Industry Group, whose members include Facebook, Google and Twitter, has raised concerns about the ambiguity of the legislation and that it could undermine customer trust.

The group has also rejected government claims that the bill would not require communications providers to build weaknesses into their products and warned that it would open users’ data up to attack, according to The Guardian, despite assurances that authorities would still need an “underlying warrant or authorisation” to access the content of the encrypted communications.

Because of the bill’s ambiguity, critics say it is unclear whether a company could be asked to build a specific vulnerability for an individual’s device, even if the company was concerned about unintended consequences for other users.

The industry group, known as Digi, is concerned that the bill could have “devastating implications” for tech firms and their customers. 

“The reality is that creating security vulnerabilities, even if they are built to combat crime, leaves us all open to attack from criminals,” said Digi managing director Nicole Buskiewicz.

“We are extremely concerned at the lack of judicial oversight and checks and balances with this legislation.”

Australia’s proposed laws represent a significant step up in the fight against the criminal use of encrypted communications, according to industry commentators, who describe it as “much more aggressive” than any legislation in North America.

Similar powers are granted by the UK’s controversial Investigatory Powers Act, which is currently being redrafted after the high court ruled that parts of the legislation were unlawful in a judicial review brought by human rights group Liberty. The court has given the government until 1 November to bring the legislation into line with fundamental rights in EU law.

Like the UK government, the Australian government claims that the bill contains adequate safeguards, citing as an example the requirement of the attorney-general to consider a provider’s submission in determining whether a request is reasonable, proportionate, practicable and technically feasible, including the impact on privacy, security and third parties.

“These requests are subject to robust scrutiny to ensure that assistance is consistent with Australia’s international responsibilities and human rights obligations,” said an Australian government spokesperson.

Digi is calling on governments around the world to adopt surveillance laws and practices that are consistent with established norms of privacy, free expression, and the rule of law.

“We hope there is a constructive and public dialogue with the government around these principles as the bill continues its progress through parliament,” said Buskiewicz, adding that Digi is concerned about the lack of judicial oversight and check and balances in the proposed legislation.