Australia passes sweeping anti-encryption legislation

The Australian government has said the proposed laws are needed to counter militant attacks and organised crime, and that security agencies would need to seek warrants to access personal data. PHOTO: EPA-EFE

CANBERRA (BLOOMBERG) - Australia's parliament passed some of the world's toughest anti-encryption legislation on Thursday (Dec 6), installing a Bill that seeks to force Facebook and other tech giants to help decode messages used in terrorism and organised crime.

Under new powers to be given to police and intelligence agencies, companies may be required to help decrypt communications on platforms such as WhatsApp, Telegram and Signal, and even insert code to help capture data.

The Bill had support from both major parties and, late yesterday, the opposition Labor party said it was withdrawing amendments it had previously demanded. That allowed the upper house to vote in support of the legislation, meaning it becomes law.

The new law thrusts Australia to the centre of a global battle between tech companies and governments over privacy and security.

In 2016, the UK gave authorities sweeping powers to hack, intercept and retain the communications of all British citizens, while China's Cyber Security Law requires Internet operators to cooperate with criminal and national security investigations.

"There has been similar legislation in the UK and possibly a few other jurisdictions but their legislation doesn't go anywhere near as far as what's happening here," said Mr Mark Gregory, an associate professor specialising in network engineering and Internet security at Melbourne's RMIT University.

"The government here can coerce the company to actually provide backdoors into their systems and into devices and force the company to build systems that can help with investigations."

In arguing for the legislation, Prime Minister Scott Morrison's government said 95 per cent of people being monitored by security agencies use encrypted messages. The technology has resulted in law enforcers effectively "going blind or going deaf", according to Mr Alastair MacGibbon, the government's cyber security adviser.

The Digital Industry Group, an association whose members include Facebook and Google, campaigned against the legislation in a loose alliance with Amnesty International and the Melbourne-based Human Rights Law Centre.

Critics warned the legislation could undermine security across the Internet, jeopardising activities from online voting to market trading and data storage.

The legislation will be subject to a review by a parliamentary committee for 12 months.

The new powers will be limited to tackling serious crimes. And there would be strict oversight of so-called "technical capability notices" that would seek to force companies to amend their services to help police access data.

Many technology companies began to add encryption to their products after former US government contractor Edward Snowden exposed the extent of US spying. That has left security agencies facing an uphill struggle to keep up with new technology, and caused repeated tussles with tech giants.

In 2016, the US Justice Department clashed with Apple when the company refused to unlock an iPhone connected to a mass shooting in San Bernardino, California.

The UK government, meanwhile, has been deeply critical of WhatsApp's end-to-end encryption, which was used by a terrorist shortly before he killed five people in London in March 2017.

Lobby group Digital Rights Watch said "some extremely dangerous elements" of the Australian legislation had been addressed by the agreement between the government and the opposition.

"But the fundamental fact remains that the powers being sought by law enforcement are ill-informed, badly drafted and a gross overreach," Digital Rights Watch said in a statement.

"This Bill is still deeply flawed, and has the likely impact of weakening Australia's overall cyber-security, lowering confidence in e-commerce, reducing standards of safety for data storage and reducing civil right protections."

RMIT University's Gregory said the effect of the laws would likely spread beyond terrorist or criminal activities and into private-sector investigations.

"It's too rushed, too broad, not well-defined and ultimately will be misused," he added. "People will also be able to use this not just for criminal law matters but also corporation law matters."

Ms Monique Mann, a researcher in technology, law and regulation at the Queensland University of Technology, agreed there were problems with the legislation, which she described as "world first" in its scope.

"There are issues around transparency, accountability, oversight, and the potential and scope for misuse," Ms Mann said.

Join ST's Telegram channel and get the latest breaking news delivered to you.