On December 2018, the Australian government passed the Assistance and Access Act 2018, a controversial law requiring technology companies to allow security agencies and the police to access encrypted messages of Australians. This law is the first in the world to have such reach and go so far in providing a government access and legality in forcing companies to comply. Increasingly, law enforcement and governments want technology companies to provide backdoors into personal communication services and devices in order to spy on citizens, all under the guise of national security.
The need for this law stemmed from the inability of law enforcement to have a quick and streamline process for accessing encrypted messages believed to be for criminal activities such as terrorism and other crime. Data, once relatively easy to track and trace has become increasingly difficult to regulate and control in a globalised and technological world. This data that law enforcement had access to has now been encrypted in an effort to protect everyday Australian data from criminals and other nefarious individuals. Currently, in Australia there are already laws that require service providers and technology companies to hand over a suspect’s communication to police. This becomes relatively simple if the encryption that is used allows the company to view a user’s message. However, it becomes increasingly difficult for companies such as WhatsApp, Signal and others who have additional security called an end to end encryption which only allows the sender and recipient to view the message.
Under this Act, the police have the power to force companies to create technical tools or functions that allow them to access encrypted messages without the knowledge of the user. This means that authorities will be able to compel technology companies to make backdoors in their secure messaging platforms to allow authorities to discreetly survey potential threats. There are also hefty fines for companies who fail to comply in the form of fines up to around $7.3 million and specific individuals can face jail time for non-compliance. Interestingly, Schedule 1 of the Act comprises of three key areas that are causing the most concern. These relate to the ability of police to ask a company to ‘voluntarily help’ via a technical assistance request (TAR), a company is required to give assistance via a technical assistance notice (TAN) and a company compulsorily being required to build a new function to help police get data or face penalties via a technical capability notice (TCN). Even more controversially, this law allows police to engage with individuals from companies with these demands and force them to comply through the threat of jail time. This would mean technology company would not even know that it’s security has been compromised and it’s customer’s data has been infiltrated as this law allows authorities to force an individual employee (IT administrator, engineer, product creator) to create product updates allowing a backdoor to encryption. This is all under the guise of national security to protect against terrorism and tackle organised crime.
This law has faced widespread criticism both globally, from technological companies such as Facebook and Google as well as human rights and legal groups. The criticism has stemmed from the speed in which this law was introduced as there were only five months to deliberate and consider this law. There was no consultation with the industry nor the ability for the government to properly understand the implications of the law. Critics have stated that the rushed nature of the law has resulted in a broad, overly vague and democratically undermining law in Australia.
Additionally, the main concern is about authorities having the ability to essentially create system weaknesses and vulnerabilities in the technology of companies. Although the government has stated they will not act if there is cause for systemic weakness, their definitions of such weakness prove vague and broad. The Act can require companies to create backdoors for the government to enter encrypted spaces to monitor individuals who they believe are national security risks. However, these newly created encryption backdoors have the ability to be manipulated by criminals in infiltrating consumer information. Experts have warned that the laws can create “global weak point” for companies such as Facebook, Apple and Google who are required to create these discrete backdoors. Critics of the law have stated that it is not possible to open up merely one backdoor for one person and do so safely. In doing so, one is undermining the entire data encryption protection system of the company, the privacy of users and overall security available.
Allegedly, a similar situation occurred when the NSA became aware that Microsoft had a vulnerability in its system and began discreetly and deliberately utilising it for security purposes. However, this vulnerability was ultimately utilised by hackers who in 2017 were responsible for Wannacry malware attacks which shut down computer systems globally. Experts state similar situations could occur where the vulnerabilities deliberately created have the ability to be manipulated by criminals themselves.
Additionally, parts of the Act could be used for other federal investigations to crime not merely the terrorism and organised crime that the laws were primarily brought in to protect against. Despite a compromise lobbied by Labor to limit the scope of the Act to merely serious offences, there is a potential for legislative creep. The overly broad Act could in theory allow law enforcement agencies to monitor the messages of low-level and other criminal conduct including copyright breaches. Additionally, with no judicial oversight and only an independent authority to approve warrants allowing this power, this law has the ability to yield unintended, undemocratic, unjust consequences. on a human rights level with the effect such laws have on an individuals’ right to privacy. Individuals will not know that their data has been looked at and decrypted for the purposes of security. Although there is a general notion that if you have nothing to hide then you have nothing to lose, there is an argument to suggest that one should have the opportunity to decide what they keep private and what it shared to others. It is a fine line that distinguishes the mass surveillance in countries such as China, Russia and Iran from other western countries with similarly stringent surveillance programs. Australia, the United Kingdom, the European Union, and the United States are exemplary of enforcing such draconian domestic surveillance and walk that fine line with every passing day.
Issues also arise on a human rights level with the effect such laws have on an individuals’ right to privacy. Individuals will not know that their data has been looked at and decrypted for the purposes of security. Although there is a general notion that if you have nothing to hide then you have nothing to lose, there is an argument to suggest that one should have the opportunity to decide what they keep private and what it shared to others. It is a fine line that distinguishes the mass surveillance in countries such as China, Russia and Iran from other western countries with similarly stringent surveillance programs. Australia, the United Kingdom, the European Union and the United States are exemplary of enforcing such draconian domestic surveillance and walk that fine line with every passing day.
Throughout the discussion both domestically and globally, data encryption is seen as a roadblock to get over in order to protect the interests of the country. It is not seen as the tool of protection it is, protecting individuals data from online banking, uploading personal pictures and messaging one’s friends. For an Act such as this, there needs to be more time allocated to scrutinising and considering it’s effects and it’s potential for overreach. More hearings need to occur where government listens to the concerns of industry experts, technology companies and individuals who have valid concerns about the vagueness and broad powers this Act gives. Additionally, amendments need to be made when the government is fully informed about the implications and effects of it’s own Act in order to allow appropriate protection for consumers as well as
Balance needs to exist between privacy and security, protection of the individual and protection of the state. Data encryption should not be seen as merely a barrier for the government but rather a tool for protection and a tool that can be used for security.