Cybersecurity experts and technology industry operators have hit out at the potential commercial calamity of anti-encryption legislation, saying Australian tech companies now risked being viewed like Chinese telecommunications supplier Huawei by potential overseas customers.
The Assistance and Access bills are nominally aimed at enabling authorities to monitor communications of terrorists and criminals within encrypted applications, such as WhatsApp and Telegram. They were set to pass through Parliament with bipartisan support on Thursday night.
However despite the bipartisan accord arising after earlier attempts by Labor to institute an interim bill to cover the increased threat to public safety during the Christmas period, views on the bill outside of the Parliament were much more sceptical.
Concerns ranged from the attack on citizens’ privacy, to a lack of any discernible plan for how the laws will be implemented and the potential disadvantage for Australian technology companies looking to compete for business against rivals from countries with less draconian laws.
Little expert support
“The party line seems to be ‘trust us’, and that’s not good enough in the face of opposition from experts across so many domains.”
Aside from the practical implementation concerns, Mr Turner and others in Australia’s nascent software start-up sector said the new laws risked putting Australian firms at a big competitive disadvantage.
The Australian government has blocked Chinese companies like Huawei from providing equipment to Australia’s new 5G mobile phone networks and the National Broadband Network, citing national security concerns, including fears Chinese authorities would have so-called backdoors into private communications.
Forcing companies to provide the Australian government access to encrypted data and messages could leave Australian-based companies similarly compromised to overseas customers, he warned.
“The way some parts of our industry have been talking about Huawei is the exact same way that Australian vendors will now be spoken about by their competitors,” Mr Turner said.
“Any Australian technology company trying to crack an overseas market will inevitably have their local competitors hold up this legislation as Exhibit A as to why Australian vendors should now be treated with caution, if not suspicion.
“That’s not great for our export market, and I suspect the impact of that will be quite costly. There will be deals we don’t win where our legislation may be raised as the block.”
The encryption bill formed part of a legislative logjam on Thursday afternoon, as debate was extended by the government’s attempts to prevent a vote on amendments to evacuate children and the sick from Nauru and Manus Island to the mainland.
The encryption laws passed the House of Representatives with Labor backing after 173 amendments to emerge from an intelligence committee inquiry were introduced with only a few hours’ notice.
Crucially, the amendments include a definition of “systemic weakness” after the government had promised the laws would not introduce backdoor access to encrypted communications by agencies. Experts had warned that the laws would weaken cyber security by introducing vulnerabilities.
Systemic weakness is defined as “a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person”.
Shadow attorney-general Mark Dreyfus flagged the introduction of further amendments in the Senate, saying the government’s changes did not fully reflect the committee’s bipartisan recommendations, but withdrew them last night to ensure the bill was passed before Parliament wrapped up for the year.
General partner at tech venture capital fund M8 Ventures, Alan Jones, lashed out at the government for rushing through the bill, comparing his shock at its apparent passage to the feeling of young US Democrats at the election of US President Donald Trump.
“I don’t think anyone in the industry thought it would get this far. We thought someone would come to their senses before this,” he said.
“It won’t have a practical effect on monitoring the people they want to monitor, but it will cripple Aussie tech.”
Mr Jones said the plans would not have their intended effect because global tech giants would not risk weakening their products by creating compromised Australian-specific versions of their apps.
He warned that, rather than scuppering terrorists, the legislation would hurt local tech firms and said those in the cloud storage market, or cloud database architecture, and even some consulting firms, would have to look at moving their services overseas to countries like New Zealand, Singapore or Silicon Valley in the US to skirt the laws.
Tech company reaction
“The big US tech players have bigger fish to fry than Australia, so I don’t imagine any of them would agree to the requirements of the legislation,” Mr Jones said.
“They will call the bluff of the government because I can’t imagine [the government] saying that Australians can’t use Facebook or WhatsApp any more.”
Large US tech companies including Google and Microsoft declined to comment directly on the legislation, but media inquiries were directed to Digital Industry Group Inc (DIGI), which has members including Facebook, Google, Yahoo, Microsoft and Twitter.
A DIGI spokesman said several critical issues remain unaddressed in this legislation, most significantly the prospect of introducing systemic weaknesses that could put Australians’ data security at risk.
‘Out of step’
He said DIGI members had a long history of working with Australian law enforcement to promote public safety, and responded to thousands of requests every year from Australian law enforcement.
However he said the legislation could jeopardise the security of the apps and systems that millions of Australians use every day.
“This legislation is out of step with surveillance and privacy legislation in Europe and other countries that have strong national security concerns,” the spokesman said.
“While we acknowledge and appreciate the efforts of the opposition this week to address the critical issues with this bill, we share the concerns expressed by industry and civil society that fundamental flaws within it have not been rectified and must be addressed before it is passed into law.”
Chair of non-government organisation Digital Rights Watch, Tim Singleton Norton, meanwhile said the bill remained deeply flawed, despite the amendments, and would likely weaken Australia’s overall cyber security, lower confidence in e-commerce, reduce standards of safety for data storage and reduce civil rights protections.
He said it was astonishing that the bill would be passed by the lower house on the last sitting day of the year, with almost no time for consideration of the amendments in the Senate.
“The last minute amendments rushed through Parliament today provide weak and inadequate oversight provisions and will do little to change the drastic harm that this bill will wreak on the privacy of Australian citizens, the technology industry and the infrastructure of the digital economy in this country,” Mr Singleton Norton said.
“This entire process has been a farce … Australians need to be able to trust the systems that rely on encryption every single day. This haphazard abuse of parliamentary process will undermine trust in those systems, as well as government itself.”