Australia’s new technology surveillance laws are drawing increasing scrutiny from international privacy groups and technology companies.
Crimes, smartphone applications and data can cross borders thanks to the internet, and the proposed legislation is part of a push to allow authorities greater access to suspects’ secure messages.
“The lack of access to encrypted communications presents an increasingly significant barrier for national security and law enforcement agencies,” Home Affairs Minister Peter Dutton said when introducing the bill to parliament in mid-September.
But if the Assistance and Access Bill is passed, its expansive powers could make Australia a troubling test case for the rest of the world, according to some critics.
A coalition of mostly American civil society groups and technology companies, including Apple and Microsoft, outlined issues with a draft version of the law in a submission to the Government, and members continue to voice concerns about its amended version.
The group fears the bill’s proposed powers, which could see technology and telecommunication companies, among others, made to build new ways of intercepting emails or text messages, could have serious implications for online security overseas as well as domestically.
The ‘Five Eyes’ network
The submission’s signatories are concerned about any attempt, anywhere in the world, to undermine encryption — the process that keeps online products and services secure, said Sharon Bradford Franklin, its co-author and Open Technology Institute’s director of cybersecurity policy in Washington, DC.
The Government maintains that the bill cannot be used to demand the creation of “systemic” vulnerabilities, such as undermining encryption across all devices.
However, it does include a list of things a provider could be called on to do for authorities, including “installing, maintaining, testing or using software or equipment”.
The coalition’s submission states that installing “unknown” or “untested” software could introduce unexpected vulnerabilities into a manufacturer’s products, among other outcomes.
“Tools that are available to Australia, number one, risk damaging the cyber security of everybody, depending on what type of changes tech companies are forced to make to their products and services,” Ms Franklin said.
Australia is a member of the Five Eyes intelligence-sharing alliance, which includes Canada, New Zealand, the United Kingdom and the United States.
Another concern is that a technical capability built for an Australian investigation could be a gateway for similar requests overseas.
“In Apple versus the FBI, Apple said ‘we can’t do that’,” Ms Franklin said, referring to the 2016 case in which Apple refused an FBI order demanding it provide access to the iPhone 5C of the San Bernardino shooter Syed Rizwan Farook.
The company said to do so would threaten the security of all iPhones, and the agency was able to access the device another way.
“If there were the legal authority to require [Apple] to do that once, then they would be hard pressed to argue in another jurisdiction that they can’t do that for the second country,” she said.
Less oversight than overseas laws: critics
As Australian commentary on the bill has also noted, the proposed law carries international heft.
It allows orders to be made for “assisting the enforcement of the criminal laws in force in a foreign country”, but Ms Stepanovich argued the amended bill still did not impose sufficiently “meaningful limitations” on this ability.
“It’s a very broadly permissive provision that they’re opening up for international use, and because there’s very little oversight, accountability or transparency built into the law, it’s unclear how people will ever know how this is being invoked or by whom,” she added.
The bill requires the number of issued technical assistance requests, technical assistance notices and technical capability notices to be shared annually, but not the nature of the request or notice.
The coalition also suggests the bill has fewer safeguards than comparable legislation overseas, such as the United Kingdom’s Investigatory Powers Act.
The UK legislation requires that judicial commissioners review technical capability notices before they can be issued, Ms Franklin said, unlike the law in Australia.
The amended bill does list factors for authorities to consider when deciding if an order is necessary, including “the interests of national security” and “the legitimate expectations of the Australian community relating to privacy and cybersecurity”.
The bill could have far-reaching consequences for consumer technology around the world, according to Nicole Buskiewicz, the managing director of the Digital Industry Group Inc (DIGI), which represents Google, Facebook, and Twitter in Australia.
“If an agency requested a company for example to install particular software to access user data, the mere presence of that software would impact the operation and the maintenance of the system,” she said.
DIGI, along with the Labor Party, has urged that the bill not be rushed.
Ms Stepanovich also said any effort to circumvent digital security could have knock-on effects internationally.
Keeping our online goods and services secure is already a cat-and-mouse game, she suggested, where companies could keep only one step ahead of hackers and bad actors.
“Digital security and the trust that security provided really provided the backbone for the digital economy to build on top of,” she said.
A Government spokesperson said the bill had been referred to the Parliamentary Joint Committee on Intelligence and Security.
“The department has consulted extensively over the last year in developing the legislation before parliament,” he said.