The Australian parliament on Thursday passed a set of new cybersecurity measures that compel technology companies to furnish law enforcement agencies with access to encrypted customer messages, a law that Apple and other tech firms railed against during its draft period.
Officially titled the “Assistance and Access Bill 2018,” Australia’s new law garnered the scrutiny of tech companies and civil rights advocates alike for the seemingly wide berth it grants law enforcement agencies in requesting access to digital communications.
Vague language, particularly in a to-be-amended limitation detailing “systemic weakness,” prompted public cries of disapproval as critics warned of potential abuse by government agencies. Of immediate concern are backdoors into secure platforms, the creation of which might be foisted upon tech companies under the guise of “assistance.”
As reported by CNET, the legislation calls on companies to provide three levels of assistance to law enforcement and select government agencies:
- Technical Assistance Requests: Companies provide voluntary assistance to aid certain agencies as they perform duties relating to “Australia’s national interests, the safeguarding of national security and the enforcement of the law.”
- Technical Assistance Notices: Require companies to provide assistance that is “reasonable, proportionate, practicable and technically feasible.” Providers are able to use existing means like encryption keys to decrypt communications.
- Technical Capability Notices: Require companies to build a new capability that enables them to provide assistance to law enforcement agencies and government bodies. The notice cannot force a provider to build or implement a capability to remove electronic protection, such as encryption.
Technical Assistance and Technical Capability Notices both require an underlying warrant or authorization, the bill reads.
Failure to comply with a notice incurs a fine of A$10 million (about $7.2 million) for corporations or A$50,000 for individuals.
Of the three, Technical Capability Notices are thought to pose the greatest threat to strong encryption practices as the stipulation appears to rubber-stamp the creation of software backdoors. While Australian officials have attempted to ameliorate the situation, vowing the bill does not provide a route to such extreme degradations of existing encryption methods, critics are still concerned.
In particular, the bill refers to “systemic weaknesses” or “systemic vulnerabilities” that companies cannot be forced to implement as a result of TANs or TCNs. The government says it “has no interest in undermining systems that protect the fundamental security of communications,” but opponents argue the language is too vague. Indeed, systemic weaknesses and vulnerabilities do not carry a narrow, technical definition.
Apple, which is among a cadre of tech giants that have for the past few months vehemently opposed the bill’s passage, in part opposes the legislation because of these odd ambiguities.
In October, Apple submitted a letter to the Australian Parliamentary Joint Committee on Intelligence and Security, urging the body to clarify ambiguous language in a draft of the statute before its ratification. The letter also reinforced Apple’s commitment to customer privacy, arguing strong encryption is vital to the safeguarding of national security, especially in light of large-scale database hacks.
“There is a profound risk of making criminals’ jobs easier, not harder,” Apple notes. “Increasingly stronger – not weaker – encryption is the best way to protect against these threats.”
Despite its contentious nature, the bill was pushed through on the last sitting day of Parliament before the summer break, reports CNET. The federal Labor opposition was forced to table modifications to the legislation, but allowed it to pass on condition that the amendments would be reviewed when parliament reconvenes. Those efforts might be for naught, however, as the bill is now law.