The controversial government plan to force tech companies to help law enforcement access the encrypted messages of customers is a “huge overreach” that will undermine encryption as a whole, civil rights and digital experts have warned.
Draft legislation for the long-anticipated plan was unveiled on Tuesday, more than a year after Prime Minister Malcolm Turnbull first confirmed the government would hand wide-ranging powers to law enforcement and intelligence agencies to force tech companies to provide access to communications.
Under the scheme, global giants like Facebook and Apple will face fines of up to $10 million if they do not comply with a request from Australian authorities.
The government has maintained that this does not mandate the creation of “backdoor” access, and says it will not lead to “systemic” weaknesses to encryption. But the legislation does enable authorities to force tech companies to build and insert a capability or functionality to provide access.
“The Australian government remains committed to the security of communications services and devices and the privacy of Australians.
“These powers cannot be used to introduce so-called ‘backdoors’ or require a provider to disclose communications content or data,” the bill’s explanatory memorandum said.
But civil and digital rights advocates have argued the new powers would amount to backdoor access, and would undermine encryption as a whole.
The government continues to point to the use of encrypted technology by criminals and terrorists, but the bill also allows for the use of the new powers for the “protection of the public revenue”.
“These reforms will allow law enforcement and interception agencies to access specific communications without compromising the security of a network,” Law Enforcement and Cyber Security Minister Angus Taylor said in a statement.
“The measures expressly prevent the weakening of encryption or the introduction of so-called backdoors.”
“We have had very productive meetings with industry partners based both in Australia and offshore to discuss these reforms. This bill reflects those conversations. The public now has the opportunity to review the draft legislation and put forward submissions to government.”
Authorities that will receive the new powers include ASIO and the ‘interception agencies’: the Australian Federal Police, Australian Commission for Law Enforcement Integrity, ACIC, state and territory police and anti-corruption commissions.
These agencies will be able to force any company providing electronic communications services or devices in Australia to:
- remove a form of electronic protection
- provide technical information of a service
- install, maintain, test or use software or equipment given to a provider by an agency
- format information obtained under a warrant
- facilitate access to a device or service
- help agencies test or develop their own systems
- notify agencies of any changes to their system
- conceal the fact that any of these things have happened
The legislation includes a new framework for how authorities can request assistance from these tech companies. The first step is a technical assistance request, which asks for voluntary assistance.
If the tech company does not comply, a technical assistance notice can then be issued by the head of an agency, requiring the company to assist authorities if it already has the capability to do so. This applies to encryption that is not end-to-end, where the tech company already holds the keys and so has a means to decrypt the communications.
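The distinction the paragraph draws turns on key custody: a provider that generates and keeps the decryption key can hand over plaintext with capabilities it already has, while an end-to-end provider only ever stores ciphertext and has nothing to decrypt. The following Python model is an added illustration, not part of the article and not any provider's real code. It uses a deliberately small HMAC-SHA256 keystream construction so it runs with the standard library alone; that cipher stands in for a real AEAD and is not a production design, and the class and function names are invented.

```python
"""Added illustration: provider-held keys versus end-to-end keys.

The cipher below (counter-mode HMAC keystream plus an HMAC tag) is a toy stand-in
for a real authenticated cipher so the example needs no third-party packages.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key and nonce (counter-mode HMAC)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key fails authentication rather than yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


class ProviderEncryptedService:
    """Transport/at-rest encryption: the provider generates and keeps the key,
    so a request for plaintext can be met with the capability it already has."""

    def __init__(self) -> None:
        self.key = os.urandom(32)
        self.stored: list[bytes] = []

    def send(self, plaintext: bytes) -> None:
        self.stored.append(encrypt(self.key, plaintext))

    def lawful_access(self) -> list[bytes]:
        return [decrypt(self.key, blob) for blob in self.stored]


class EndToEndService:
    """End-to-end: keys exist only on the endpoints; the provider relays ciphertext."""

    def __init__(self) -> None:
        self.stored: list[bytes] = []

    def send(self, blob: bytes) -> None:
        self.stored.append(blob)

    def lawful_access(self) -> list[bytes]:
        # No key is held here, so the most the provider can produce is ciphertext.
        return list(self.stored)


class Endpoint:
    """A user device holding a key shared with its peer (key agreement omitted)."""

    def __init__(self, shared_key: bytes) -> None:
        self.key = shared_key

    def seal(self, plaintext: bytes) -> bytes:
        return encrypt(self.key, plaintext)

    def open(self, blob: bytes) -> bytes:
        return decrypt(self.key, blob)


def demo() -> tuple[bool, bool, bool]:
    """Returns (provider can read non-E2E, recipient can read E2E, provider can read E2E)."""
    msg = b"constructed sample message"  # constructed input, not real traffic

    provider_service = ProviderEncryptedService()
    provider_service.send(msg)
    provider_reads_plain = provider_service.lawful_access() == [msg]

    shared = os.urandom(32)
    alice, bob = Endpoint(shared), Endpoint(shared)
    e2e_service = EndToEndService()
    e2e_service.send(alice.seal(msg))
    handed_over = e2e_service.lawful_access()
    recipient_reads = bob.open(handed_over[0]) == msg

    # Any key the provider could supply fails authentication on the relayed blob.
    try:
        decrypt(os.urandom(32), handed_over[0])
        provider_reads_e2e = True
    except ValueError:
        provider_reads_e2e = False
    return provider_reads_plain, recipient_reads, provider_reads_e2e


if __name__ == "__main__":
    print(demo())
```

The point is structural rather than cryptographic: the two services store the same kind of blob, and the only difference is which party holds the key. Whatever the statutory wording about "systemic weakness", a notice that obliges an end-to-end provider to produce plaintext can be satisfied only by changing where keys live or what the client software does, which is what the critics quoted later in the article mean by a backdoor.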
The most extreme measure is the technical capability notice, which can only be issued by the Attorney-General and requires a company to build a new capability “that will enable them to give assistance” or insert malware onto a device to intercept communications.
Tech companies that don’t comply with this order will face a fine of up to $10 million.
In each case, the notice must be “reasonable, proportionate, practicable and technically feasible”.
“This means the decision-maker must evaluate the individual circumstances of each notice. The decision-maker must also consider wider public interests, such as any impact on privacy, cybersecurity and innocent third parties,” the bill said.
In line with current laws, an underlying warrant or authorisation is still required for each step.
The legislation also said that a technical capability notice cannot force a tech company to create a “systemic weakness” in its systems.
“The bill expressly prohibits technical assistance notices or technical capability notices from requiring a provider to build or implement a systemic weakness or systemic vulnerability into a form of electronic protection. This includes systemic weaknesses that would render methods of authentication or encryption less effective,” the government said.
“The Australian government has no interest in undermining systems that protect the fundamental security of communications.
“A technical capability notice cannot require a provider to build a capability to remove electronic protection and puts beyond doubt that these notices cannot require the construction of decryption capabilities.”
The purpose for the request must be for:
- enforcing the criminal law and laws imposing pecuniary penalties
- assisting the enforcement of criminal laws in force in a foreign country
- protecting the public revenue
- or “safeguarding national security”
Despite the government’s reassurances that the new powers won’t undermine encryption as a whole, Electronic Frontiers Australia board member Justin Warren said it will still force tech companies to create “backdoors” into their systems.
“It’s an ambit claim with huge over-reach that they’ll hope gets walked back a tiny bit in committee and gives them most of what they want. It’s trying really hard to provide multiple backdoors without calling them backdoors. But they are – it’s all about backdoors,” Mr Warren told InnovationAus.com.
He said that there also hasn’t been enough discussion over whether the new powers are actually needed.
“There’s been no serious discussion about why any of this is even necessary, just the usual scaremongering about terrorists and paedophiles while the law actually wants to go after people for the ‘protection of the public revenue’,” Mr Warren said.
“Authorities never seem to have enough power. They always demand more. It’s time to say enough is enough. They can’t be trusted with the powers they already have, let alone more.”
Greens digital rights spokesperson Jordon Steele-John also criticised the draft legislation, saying it will “completely undermine the point of end-to-end encryption and the privacy of every single Australian’s personal information online”.
“Regardless of what Minister Taylor claims, installing software or legislating some other means to capture data as it is unencrypted on the receiving device undermines the very principle of end-to-end encryption,” Senator Steele-John said.
“Installing malware on people’s devices to read encrypted data is not a solution to catching criminals but it is weakening the defences of every single device that receives encrypted messages, therefore making it easier for criminals who want to steal data.”
“What we’re talking about here is a serious pre-crime measure that will ultimately diminish the presumption of innocence and the privacy of all Australians online.”
Senator Steele-John said the Greens will be referring the legislation to committee for “rigorous scrutiny”.
“I call upon those tech companies who are likely to be affected to immediately condemn this legislation, which presents a very serious threat to the privacy of their users,” he said.
The draft legislation also included new powers for authorities to add, copy, delete or alter data on computers that they access with a warrant.
Submissions on the legislation are open until 10 September.