Canberra starts enforcing new decryption legislation

The government said the law was urgently needed to foil ongoing terrorist plots and intercept communications among other serious criminals.

Law put into practice despite planned review with major tech companies yet to take place

CANBERRA • Australian security agencies have begun using sweeping new powers to access encrypted communications, even before a promised review to address concerns from the likes of Google, Apple and Facebook.

The powers were granted under a new decryption law which was rushed through Parliament last December amid fierce debate, and was seen as the latest salvo between governments and tech firms over national security and privacy.

Two months later, the Australian Federal Police have revealed that agents have already used it while investigating drug trafficking and child exploitation.

Australia is widely seen as a global test case for such laws, with possible applications by other governments seeking to counter the growing use of encrypted messaging, notably Australia's partners in the so-called Five Eyes intelligence alliance - the United States, Britain, Canada and New Zealand.

Under the new laws, refusal to grant the authorities access to devices is punishable with up to 10 years in prison.

The police told a parliamentary inquiry they used that threat to compel two suspects to hand over their passwords.

Citing secrecy provisions in the law, the police declined to say if they had used the new law to force device makers or telecommunications firms - including global giants like Apple - to break or bypass encrypted communications.

The same provisions bar industry from disclosing whether they have received such police demands, known as "compulsory notices".

The government has argued that the law was urgently needed to foil ongoing terrorist plots and intercept communications among other serious criminals.

But opponents allege it punches a hole in global efforts to keep governments from eavesdropping on secure communications, like WhatsApp chats.

They also argue it could undermine security by creating vulnerabilities in encryption technologies, which could then be exploited by malicious actors.

The Department of Home Affairs said the law is being progressively implemented and that last month, it wrote to tech industry members for assistance in drawing up guidelines on how to use the new powers.

"The department is also engaging with industry to dispel common misconceptions, build confidence and to reiterate the intended purpose and operation of the Act," it said in a submission to the parliamentary inquiry.

But the tech industry appears far from reassured.

"There is no doubt there is an extremely broad coalition of stakeholders that are very concerned about the impact of this Bill," said Mr John Stanton, chief executive of the Communications Alliance, which represents the Australian communications industry. "It is not just industry, it is civil society and digital rights activists (too)."

Mr Stanton warned that the new law posed "an enormous threat" to export opportunities for Australian tech firms "because they can no longer provide any assurance that their gear hasn't been tampered with by Australian security".

Industry groups have combined forces to present a joint submission to the latest inquiry, proposing a series of amendments.

These include a higher threshold for using the law, which can currently be applied in any investigation of an offence carrying a maximum three-year jail term - a bar critics say is too low.

The industry also wants more precision about an element of the law barring the authorities from forcing companies to introduce a "system vulnerability" into their products - a term they say is ambiguous.

The tech industry alliance warned that the new law as written could force companies to take actions in Australia that violate laws in other nations where they operate or have clients.

And they issued a thinly veiled warning that the law could force major global companies to end or restrict their activities in Australia.

The parliamentary committee must complete its review by April 3, but any moves to then amend the legislation risk running up against the Australian electoral cycle, with a federal election due by mid-May.

AGENCE FRANCE-PRESSE

A version of this article appeared in the print edition of The Straits Times on February 09, 2019, with the headline 'Canberra starts enforcing new decryption legislation'.