Organizations Propose Amendments to Australia’s Anti-Encryption Law Drew Wilson | January 23, 2019 The passage of Australia’s anti-encryption laws devastated Australia’s security community. Now, they are rallying to amend the law. Last year, Australia rushed its anti-encryption laws through to passage. While there are steps left to take before the anti-encryption becomes the law of the land, news has been devastating to the local security and technology communities. Signal, for instance, said that they wouldn’t comply with the laws because it is technologically unfeasible. Other companies are contemplating fleeing the country altogether because the laws are so onerous. Australia’s anti-encryption laws, or the “Assistance and Access” laws, compel any company operating in the country to create backdoor access to any and all forms of encryption. So, if you run a VPN while on Australian soil, all communication need to be compromised so the spy community can eavesdrop on anything they like. Additionally, backdoor access demands must be kept secret to the point that company leaders aren’t even aware. All of this is handled without a warrant. Understandably, the security community is livid with this law. They pushed the Australian government to reconsider on this law, but the Australian government refused to budged and rammed through the legislation with no evidence to support the laws. As a result, consumer rights organizations have labelled Australia as a fallen country in the world of digital rights. Of course, the fight is not totally over even though it is quite a grim one at this point. Recently, Australian academics, businesses, and other experts have banded together to issue a submission to amend the laws. In their submission (PDF), they are arguing for a number of amendments to be implemented. One of their requests is that eavesdropping orders comply with a warrant-based system. This would allow for judicial oversight. It’s a very non-controversial request because oversight would at least add some layer of accountability. Some people might point to the US and the National Security Letters as a reason why such a system may work. Of course, the alternative in this case is that the Australian spy agency would get a free legal ride without such a process at all. So, what’s worse, a rubber stamp system or no oversight system at all? A second request is to remove some of the ambiguous definitions in the law. From the submission: It appears very difficult to adequately define the terms ‘systemic weakness/ vulnerability’ and ‘target technology’. As currently drafted in the Act, these definitions are difficult to understand, ambiguous and are significantly too narrow. The limitations intended to be given to systemic vulnerability/weakness through the definition of target technology do not achieve the desired objective. Specifically, it is unclear what constitutes a class of technology, (e.g. would a ‘class’ be all mobile handsets, or Android phones, but not iPhones, or the mobile handsets offered by one service provider but not another, or some other combination of factors?). Assuming this term has a common – sense meaning (to the extent this exists), then the application to the whole class of technology creates a far too narrow characterisation of what constitutes a systemic weakness or vulnerability. Subsequently, they recommend deleting some of the ambiguous definitions and make amendments accordingly so as to eliminate any confusion. In addition, they ask that a reason be provided for demanding access to their networks. They argue that, as the laws stand now, the only reason that can be given is that the demand for access is simply urgent. Therefore, no other reason needs to be given and the company must comply. So, they want a system in place where a reason actually needs to be provided. Over top of that, they want to see a qualified third party opinion be part of the process. Again, they want to see some form of oversight in all of this. Another fear is that if a company is compelled to provide access to information regarding, say, a European citizen, they could be liable to damages via the European privacy laws. From the submission: The legislation only creates a defence for providers if the act requested by a TAN or TCN is done in a foreign country and would contravene foreign law. However, for example, if an Australian provider took action in Australia that compromised the security or privacy of a European citizen under the General Data Protection Regulation (GDPR) of the European Union, the provider could be liable for fines of up to 4% of its global revenues, thereby placing the provider into an extremely difficult position with respect to compliance with either legislation. Therefore, the implications for a provider of complying with the Act ought to be an express consideration when assessing the reasonableness of a TAN/TCN, and the defence afforded by the legislation ought to be extended to include actions taken in Australia as well as in a foreign country It would definitely put a company between a rock and a hard place. If you don’t comply with an access order, you risk breaking the law. Comply with the law, and you risk running afoul of Europe’s GDPR laws. It’s possible that you’ll be put into a situation where you can’t comply with the laws of both jurisdictions, so which jurisdiction do you follow? Understandably, the companies want some form of clarity here. So, all in all, there are a lot of reasonable requests here. Whether or not the Australian government will even want to hear those requests is another. Already, the government has shown that they have one set of laws they want to pass and they don’t want to hear anything that requires changing it. So, whether or not the pleas will be heard remains in the air. Still, if you ever wanted to know just how serious things have gotten from a privacy front, you could really just read through the submission and see what specifically Australians are calling for. At this point, it’s not as though people have given up on the country yet. There are still some skirmishes still playing out in the country. Whether some form of sanity can be restored in light of all of this remains to be seen. Hard to envision sanity being restored, but it’s probably good to know for Australians that there is still an effort playing out. Drew Wilson on Twitter: @icecube85 and Google+.