Australia has become the first western country to pass a bill forcing tech companies to hand over your encrypted data
- Facebook, Twitter, Apple, Google and others say the move will create a back door to users’ data and inevitably undermine security for everyone
A controversial bill allowing spies and police to snoop on the encrypted communications of suspected terrorists and criminals was passed in Australia on Thursday, as tech giants warned of wide-ranging implications for global cybersecurity.
The bill, the most far-reaching imposed by a western country, is set to become law before the end of the year.
“Let’s just make Australians safe over Christmas,” opposition Labor Party leader Bill Shorten told reporters outside parliament in the capital of Canberra.
There has been extensive debate about the new law and its reach beyond Australia’s shores in what is seen as the latest salvo between global governments and tech firms over national security and privacy.
Under the legislation, Canberra can compel local and international providers – including overseas communication giants such as Facebook and WhatsApp – to remove electronic protections, conceal covert operations by government agencies, and help with access to devices or services.
Australian authorities can also require that those demands be kept secret.
The bill, passed by the lower house of parliament earlier on Thursday, was to be debated in the upper Senate, where Labor said it intended to suggest new amendments, before going back to the lower house.
But in an eleventh-hour twist, Labor said that despite its reservations, it would pass the bill in the Senate, on the proviso that the coalition agreed to its amendments next year.
“We will pass the legislation, inadequate as it is, so we can give our security agencies some of the tools they say they need,” Shorten said.
The bill provides for fines of up to A$10 million (US$7.2 million) for institutions and prison terms for individuals for failing to hand over data linked to suspected illegal activities.
“There has been similar legislation in the UK and possibly a few other jurisdictions but their legislation doesn’t go anywhere near as far as what’s happening here,” said Mark Gregory, an associate professor specialising in network engineering and internet security at Melbourne’s RMIT University. “The government here can coerce the company to actually provide back doors into their systems and into devices and force the company to build systems that can help with investigations.”
When the bill becomes law, Australia will be one of the first nations to impose broad access requirements on technology firms, after many years of lobbying by intelligence and law enforcement agencies in many countries, particularly the so-called Five Eyes nations.
The members of the Five Eyes intelligence network, which comprises the United States, Canada, Britain, Australia and New Zealand, have each warned that national security was at risk because authorities were unable to monitor the communications of suspects.
Australia’s government has said the laws are needed to counter militant attacks and organised crime and that security agencies would need to seek warrants to access personal data.
Technology companies have opposed efforts to create what they see as a back door to users’ data, a stand-off that was propelled into the public arena by Apple’s refusal to unlock an iPhone used by an attacker in a 2015 shooting in California. The companies say creating tools for law enforcement to break encryption will inevitably undermine security for everyone.
Earlier on Thursday, a Facebook spokesman pointed to a statement made by the Digital Industry Group Inc, of which Facebook, Apple, Google, Amazon and Twitter are members.
“This legislation is out of step with surveillance and privacy legislation in Europe and other countries that have strong national security concerns,” the statement said.
“Several critical issues remain unaddressed in this legislation, most significantly the prospect of introducing systemic weaknesses that could put Australians’ data security at risk.”
National cybersecurity adviser Alastair MacGibbon said police have been “going blind or going deaf because of encryption” used by suspects.
Brushing off the warnings from tech giants that the laws would undermine internet security, he said they would be similar to traditional telecommunications intercepts, just updated to take in modern technologies.
Experts such as the UN special rapporteur on the right to privacy, Joseph Cannataci, have described the bill as “poorly conceived” and “equally as likely to endanger security as not”.
“Encryption underpins the foundations of a secure internet and the internet pervades everything that we do in a modern society,” said Tim de Sousa, of privacy and cybersecurity consultancy elevenM.
“If you require encryption to be undermined to help law enforcement investigations, then you are ultimately undermining that encryption in all circumstances. Those back doors will be found and exploited by others, making everyone less secure.”
Because the bill includes secrecy provisions, doubts have also been raised about whether vendors have already been forced to act – undermining business models where privacy is a key selling point.
Additional reporting by agencies