Australia just passed tough new legislation that requires tech companies to hand over user data when requested by law enforcement, even if that means building a backdoor into their encryption. The decision has huge implications for communications companies, not just in Australia but also across the rest of the world.
The legislation not only compels companies to hand over user data they have easy access to, but also to build the ability for themselves to intercept this data when they don’t. Critics have said that creating a backdoor has security implications worldwide because hackers and other countries might be able to take advantage of the weakened security.
The legislation has “several critical issues” according to a group that represents Facebook, Google, Twitter, Amazon, and Oath. Digi, the Australian tech industry group, said that the legislation had the potential to introduce systematic weaknesses that could harm the data security of users.
The lack of continued judicial oversight is also “deeply concerning,” the group said. Law enforcement agencies are required to obtain a warrant to force tech companies to build backdoors into their services, but no further judicial oversight would be necessary to intercept telecommunications once a warrant has been issued. Digi said that “judicial oversight and a warrant-based system” are “the minimum safeguards Australians should expect,” yet these were absent from the new rules.
A campaign group representing Apple, Facebook, Google, Microsoft, Snap, and Twitter described the new legislation as “deeply flawed, overly broad, and lacking in adequate independent oversight over the new authorities.” The Reform Government Surveillance coalition, which campaigns for worldwide reform about government surveillance, urged the Australian Parliament to amend the legislation.
WhatsApp also criticized the legislation. As the world’s most popular end-to-end encrypted messaging service in the world, the company is no stranger to having to defend its use of encryption in the face of criticism by law-enforcement agencies in the US, India, and the UK. It said that its position is no different when it comes to Australia: “We have challenged attempts to curtail end-to-end encryption in the past and will continue to defend the ability for people to communicate privately with one another online.”
But a WhatsApp spokesperson said the company doesn’t believe Australia’s new law “provides a basis to remove end-to-end encryption, as some reports suggest.” That may be because of a clause in the law, meant to offer a degree of privacy protection, that is supposed to offer an out for tech companies if their only option would be to cause a “systemic weakness” in their product. It’s unclear, however, exactly how such a weakness would be defined.
A spokesperson for ProtonMail, which offers an encrypted email service, said their service wouldn’t be affected by the law, because the company’s servers are located outside the country. But they still denounced the law as an attack on encryption. “This law endangers the security of online services, and it places an unprecedented obligation on tech companies,” the spokesperson said.
The comments echo previous criticism levied by Apple at the legislation in a letter sent to the Australian government. Prior to the legislation passing through Parliament, the company argued that encryption makes criminals’ jobs harder rather than easier, and that more encryption is better overall for society.
The bill could change a bit next year. Although the opposition Labor Party agreed to drop its 173 amendments to the bill to allow it to be passed before the end of 2018, it did so on the condition that these amendments would be debated properly in the 2019 session. There’s no guarantee that they’ll make it into law, but the fate of Australia’s Assistance and Access Bill 2018 isn’t yet set in stone.