The Australian Assistance and Access Bill, often referred to as the anti-encryption law, was passed in December of 2018. It’s a complicated set of regulations that has made international headlines for its potential ramifications. It’s also received significant criticism from tech companies, privacy advocates, and the general public.
If you’ve only glossed over the issue, you may have been misled by the headlines, with some claiming that the bill threatens to “break encryption” and compromise security across the world.
This isn’t exactly the case, because a government can’t just “break” encryption because it wants to. Encryption relies on mathematical laws, which thankfully hold precedence over those of the Australian Parliament.
Another problem with these assertions is that the bill doesn’t actually say that it aims to break encryption. In fact, it has caveats against introducing security weaknesses and vulnerabilities.
Don’t mistake these concessions as implications that the bill is a good thing. It definitely needs revisions and its current form could lead to serious security problems.
However, hyperbole and misrepresentation of the facts do everyone a disservice. If anything, it further justifies the Government’s position, because it can argue that any dissent against the regulations is based on lies or manipulation of the facts.
It’s been several months since the bill passed and the dust has finally begun to settle. Now is a good time to examine the bill in a more realistic sense, to cut through the myths and talk about the real issues, as well as their potential ramifications.
What Is the Assistance & Access Bill?
The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, popularly shortened to The Assistance and Access Bill (and colloquially referred to as the anti-encryption law), was passed by both houses of the Australian Government on December 6, 2018.
The main focus of the legislation, and the aspect that has received the most media attention, is the bill’s provisions that can force companies to help the authorities access the data of individuals.
Organizations or individuals can be compelled to surrender data when a warrant has been issued against the target under the Telecommunications (Interception and Access) Act, the Surveillance Devices Act, or their state-level equivalents.
There only needs to be preexisting warrant under one of these acts, and no specific warrant is required before companies are forced to divulge information or help the authorities access it in other ways. This means that there is no judicial oversight of the process.
Despite these issues, the bill cannot be used for mass surveillance, since preexisting warrants are required.
In its most extreme interpretation, it is feared that some of the powers granted by the bill could make businesses introduce vulnerabilities into their services, which could in turn weaken global security.
Who does the bill affect?
The bill applies to “designated communications providers”, which the text defines in an extremely broad manner. While the bill is ostensibly aimed at telecommunications businesses and tech companies, it also covers those involved in:
- Manufacturing equipment.
- Supplying equipment.
- Developing and updating software.
- Acting as an intermediary in any of the above processes.
Following the wording of the bill, it seems like it also applies to small-time players, such as website owners, and even individuals that work in any of the above-listed companies, rather than just the organization itself or its leaders.
The bill applies to any organization that has “one or more end users in Australia”. This implies that the powers can be used against international organizations. At this stage, however, it isn’t known how international organizations would respond to the bill, or what their obligations would be.
What powers does the bill grant?
The most controversial part of the bill revolves around the three separate notices that various government agencies can send to companies:
- Technical assistance notices (TANs) – These are essentially demands that require organizations to assist the authorities with capabilities that are already in place. This can cover things like handing over account information on an individual, providing technical advice, or giving authorities data that a company already has access to.
- Technical capability notices (TCNs) – These notices go one step further and can require organizations to develop new capabilities to help authorities with spying and other endeavors. Companies are required to perform the tasks on a no-profit, no-loss basis. This is the most worrying part of the legislation, because certain readings imply that these requests could force companies to insert vulnerabilities into their technology. It covers:
- Removing forms of electronic protection, such as encryption or authentication.
- Providing technical information.
- Installing, maintaining, testing or using software and equipment to assist the authorities with their goals.
- Technical assistance requests (TARs) – These are voluntary requests that ask organizations to assist the authorities in either of the above practices. Companies are not obligated to follow them, nor is there any punishment for non-compliance. While TARs might not seem so bad, they have less oversight than the other two notices.
Which agencies can submit these requests?
Technical assistance notices (TANs) can be submitted by the Director-General of Security (the leader of ASIO), or the chief officer of any of the following entities, which the report terms interception agencies:
- The Australian Federal Police.
- The Australian Crime Commission.
- The police force of a state or the Northern Territory.
The chief officer of an interception agency requires permission from the Commissioner of the Australian Federal Police before a request can be submitted. All three types of request need to be made to the target organization in writing, unless there is an imminent risk of harm, under which case the requests can be made orally.
Technical Capability Notices can only be submitted by the Director General of Security or a chief officer of an interception agency, however, they need to do so through the Attorney-General. In turn, the Attorney-General must get approval from the Communications Minister.
Voluntary technical assistance notices can be given by the Director-General of Security, the Director-General of the Australian Secret Intelligence Service, the Director-General of the Australian Signals Directorate, or the chief officer of an interception agency.
The last few sections are somewhat complex due to their legal nature. Let’s give a brief summary of the law so far. It allows several different Australian agencies to make a range of different requests to tech and telecommunications companies. These range from asking for assistance, to demanding that they build new capabilities to help spy on individuals.
What caveats are in place?
If you’ve managed to wade through the dry legalese, you might be shocked by the broad powers that the laws grant and their potential repercussions. But there are caveats in place which seemingly limit how they can be applied.
The bill specifically states that none of these requests can force organizations to “implement or build a systemic weakness, or a systemic vulnerability”. It also says that the requests cannot be used to prevent companies from “rectifying a systemic weakness or a systemic vulnerability.
What’s the problem with the Assistance & Access Bill?
Those caveats may have you breathing a sigh of relief, but they aren’t as ironclad as you might have hoped. The bill has a number of other worrying elements that we need to cover.
Vague wording
Many aspects of the bill are quite vague, which makes it difficult for those who are affected by it to know where they stand in a legal sense. It’s hard to tell whether this vagueness is intentional and malicious, or the result of incompetence and the haste in which the bill was passed.
Either way, any law that can be interpreted in a number of ways is bound to cause serious issues, due to the uncertainty it brings. Naturally, those who could be affected fear the worst case scenarios, while the bill’s backers stress that the laws aren’t intended to be used in such ways.
Let’s examine some of the most important examples where the report’s wording leads to uncertainty in how it will be applied.
Systemic vulnerabilities & systemic weaknesses
The definitions of these terms are responsible for much of the bill’s criticism:
Systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
Systemic weakness means a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
The first thing you may notice is that the definitions are the same, bar the terms themselves. At the very least, the use of both terms in the report is redundant and complicates it unnecessarily, since they are defined in the exact same way.
The second major issue is that the term “class of technology” is not defined in the bill. It is not a commonly used term in the industry, nor is there any consensus on what it actually means. One may assume that it refers to a very broad type of technology, like computers or mobile phones. It could refer to something more nuanced, like encryption or authentication, or something even more specific, like RSA or digital certificates.
Since we can’t know what these definitions are supposed to cover, it effectively voids any of the specific protections that are offered by the caveat in the first place. If the law was being abused, how would anyone know where they stand legally?
If you were a small business owner, what would you do if you received a request that involved compromising your service’s security? If you couldn’t afford legal fees, would you be willing to challenge the law and refuse to comply?
The current maximum fine for noncompliance is almost A$1,000,000 (US$700,100) for organizations, and A$50,000 (US$35,005) for individuals, as well as up to ten years of imprisonment.
Whether or not something constitutes a systemic weakness or systemic vulnerability is ultimately decided by an assessor on a case-by-case basis. Assessors must have “knowledge that would enable the person to assess” whether an action would introduce a systemic weakness or vulnerability. Unfortunately, “knowledge” is not defined, opening up another gaping hole in the law.
For some absurd reason, the bill also requires a retired judge to participate in the assessment. It gives no reasons for using former judges over active ones. There is also no framework for how the two assessors will determine what constitutes a systemic weakness or vulnerability, nor is there a clearly outlined appeals process.
This is a bill that affects a large number of people and businesses. Having such murky terminology in one its central parts only adds uncertainty, and at its worst, opens up the door for abuse.
The law can be used to target employees
Another major concern is that the bill is phrased in a way that implies individual employees could be targeted to implement the requests, and they may be legally prevented from notifying their superiors.
It uses the term “person” when referring to what constitutes a designated communications provider, and thus the entities that are subject to the law. Some of the instances are clearly referring to legal persons (which can be companies or individuals), rather than natural persons (individuals).
A good example is Item 1, “the person is a carrier or carriage service provider”. A person can’t literally be a “carrier or carriage service provider”, so it is obviously referring to organizations. As we go down the list, things get less clear.
Item 6 refers to a person who “develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one”.
Item 8 covers a person that “manufactures or supplies components for use, or likely to be used, in the manufacture of a facility for use, or likely to be used, in Australia”.
In both instances, it’s easy to interpret them as referring to employees as well as companies. The bill itself does not mention that it only targets companies, so it is fair for people in these positions to be worried.
These fears have been dismissed by the Department of Home Affairs, stating on its website:
“The industry assistance framework is concerned with getting help from companies not people acting in their capacity as an employee of a company. Requests for assistance will be served on the corporate entity itself in line with the deeming service provisions in section 317ZL. A notice may be served on an individual if that individual is a sole-trader and their own corporate entity.”
Note that section 317ZL makes no mention of whether these notices can be served to individuals.
It’s nice that the Department of Home Affairs offers this clarification, but why isn’t it included in the text of the Assistance and Access Bill? Whatever some clerk wrote on a government website doesn’t override the law that was passed by both houses of parliament.
If we interpret the law as it is written, it’s not unrealistic to think that one of these requests could be submitted to an employee at a company. If this were to happen, it would put the employee in a serious moral quandary, because they aren’t allowed to disclose that a request has been received, unless it is required to act out the request.
These gag orders would obviously put employees in a very difficult position, forcing them to sneak around any peers and higher ups that they can’t disclose the notice to. The bill does protect employees from being fired in acting out the demands of such a notice, but it’s still not a good situation to put a person in.
Once again, the law may not be intended to be used in this way, but if we don’t close up these gaps, it just leaves the legislation open to abuse.
Limited oversight
Not only is the legislation vague, but there is limited oversight involved in how it is applied. A specific warrant isn’t required for any of the three requests, although there must already be an existing warrant to access an individual’s data under the Telecommunications (Interception and Access) Act, the Surveillance Devices Act, or their state-level equivalents.
This results in no judicial oversight for how these requests are administered. A retired judge is involved in the assessment process, but not an actively serving one.
As mentioned in the Systemic vulnerability & systematic weakness section, the assessment process examines whether a request will introduce systematic weaknesses, but it also looks at whether or not the request is reasonable, proportionate, practicable and technically feasible. Despite this, there is limited detail as to how this is actually done.
Given the Australian Government’s track record when it comes to tech and security it’s not too far-fetched that its definition of “reasonable” will be seriously different to the definitions of tech companies and cybersecurity experts. One only has to read the following quote about cryptography from former Prime Minister Malcolm Turnbull to fear the worst:
“The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia.”
The statement is as absurd as saying “Gravity is commendable, but it doesn’t apply in my country.” This kind of ignorance toward technical concepts can be extrapolated to assume that the government may end up demanding unsafe or unreasonable actions, either out of incompetence or malice.
Designated communication providers must be notified of their right to complaint to the Commonwealth Ombudsman, the Inspector-General of Intelligence and Security (IGIS), or their state equivalents.
Despite this, the regulations don’t lay out a framework for this process. The bill doesn’t specify what constitutes a valid complaint, or how it could be taken up with the judiciary instead.
The use of these powers must be tracked, with a report issued to Parliament every 12 months. It must include the number of times each power has been used, as well as the type of offense that they were used to investigate. Voluntary requests do not have to be tracked and presented to Parliament, and significant amounts of pertinent information are kept confidential.
Companies are not allowed to notify the affected individuals of a request to access their data, nor are they allowed to tell the public that there has been a request. They are allowed to reveal the number of requests that have been made over a six month period, and whether these were compulsory or voluntary orders. It is illegal for any party to publish specific information about requests.
While the bill does include some oversight, it’s not cohesive, transparent or laid out in a formal manner. Considering the potential repercussions of these requests, such a loose process is dangerous and could lead to abuse of power.
The powers granted by the legislation are too broad
One of the main angles used in selling this legislation to the public was that the bill could help to prevent crimes such as terrorism, child pornography and other serious offenses. Despite this labeling, the bill actually covers anyone suspected of committing a crime with a maximum penalty of three years or more, under Australian or international law.
This includes an extremely wide range of offenses, such as bigamy, which has a seven year sentence, as does operating an unlawful gambling operation. Even something as left-field as unlawfully using another person’s cattle carries a three year maximum sentence.
Under the wording of the legislation, the powers of the bill could be used in all three of these investigations. If the bill was truly designed to target those who are committing serious offenses, why not limit it only to them?
Security repercussions of the Assistance & Access Bill
The Assistance and Access Bill could have wide-reaching ramifications in both Australia and the world. Since the bill is so vague and many of the processes are confidential, we can’t be sure of how it has been used so far, or what will happen in the future.
The best we can do is read the text as it is and examine what could happen. Due to the loose wording, it could end up impacting global security and the IT industry as a whole.
Could the bill break encryption?
One of the biggest fears about the legislation is that it could weaken cybersecurity around the world. You may have heard that the bill could be used to break encryption, although this is kind of an inaccurate statement.
That’s because when the right encryption standards are used (such as AES-256), and they are implemented correctly, they can’t be broken under current technology and techniques.
This is because they rely on the laws of mathematics, and unless there are some quirks we don’t know about, or the government has an unimaginable amount of secret computing power at their disposal, it’s simply not possible.
Let’s take a messaging app like Signal, which is one of the premier apps when it comes to effective security implementations. If the government knocks on Signal’s door and asks it to decrypt a specific person’s messages, the organization might respond with, “Sorry, but no one here has access to that information.”
That’s because, in most cases, Signal doesn’t have access to the private keys that are necessary to unlock the data.
Let’s say that the government held a gun to Signal’s head and told it to do whatever it can to help. Signal would have to completely overhaul its application in order to install a backdoor, which wouldn’t be practical in a short timeframe.
Presumably, such an act wouldn’t be reasonable or practicable, but it’s impossible to know how these laws will be applied. Even if Signal did overhaul their app and alter its security implementations, they would only be able to grant access to future messages and not those from the past.
These past messages would still be encrypted with the target’s secret keys, although such an overhaul might allow the authorities to take the keys from the target.
Existing poor security
Not every app is built to Signal’s standard, so this example is far from universal. Many apps have poor security implementations or they don’t offer their code up for review, so we can’t really know what’s going on under the hood. In these cases, the companies may be able to hand the government the keys or build tools that can grant it access.
Fake clients
The most practical way for the authorities to target an individual’s data would be to force a company to build a fake version of their app, then sneak it onto the person’s device. This could be done by either physically accessing the device, tricking the person into downloading it, or by sending a fake “update” to the target’s phone.
Gaining physical access to someone’s phone or computer can be difficult, and sending people fake updates is not encouraged. This is because updates are essential for securing newly discovered vulnerabilities.
If it becomes commonplace for authorities to use updates to spy on people, the public may become suspicious of updates and might not install them in the future. Such an attitude would make everyone far less secure. The US’ National Security Council has already researched this option, but recommended against it, stating that:
“…its use could call into question the trustworthiness of established software update channels. Individual users, concerned about remote access to their devices, could choose to turn off software updates, rendering their devices significantly less secure as time passed and vulnerabilities were discovered b[ut] not patched.
Regardless of how the government gets a fake client onto someone’s device, they could then use it in a man-in-the-middle attack. Under a man-in-the-middle attack, everything appears normal to the target. They think they are communicating directly with others in a secure manner, but in reality, an attacker is in between them.
When the target sends a message, it first goes to the attacker, who then sends it on to the recipient. Anything sent back to the target also goes through the attacker. Through this process, the attacker collects all of the incoming and outgoing data, including keys and private messages.
This kind of attack would allow the government to see almost everything that the target is doing. It’s also extremely unlikely that it would qualify as a systemic weakness, because the organization isn’t introducing a vulnerability into the software that everyone uses, it is just making a fake version for the individual target.
It should also be noted that sophisticated spyware already exists. These programs can be used to access an individual’s data in a range of different scenarios.
If authorities can get physical access to an individual’s devices or trick them into installing it, they can capture all of the person’s future communications, and may be able to discover the keys to unlock any previously stored data. Because of this, the need for any backdoors is more limited than many people realize.
Master key system
An alternative that could give the government access to any device they want can be thought of as a digital version of a master key. This electronic system could theoretically give the authorities access to every device.
If the authorities were granted this kind of power over all devices, then it would be critical to keep the master key absolutely secret. If it fell into the wrong hands, attackers could use it to access anything they wanted to. This would throw the world into turmoil.
If such a master key system were to be built, it would be practically impossible to guarantee its security. The system would need strict authentication measures in place to prevent unauthorized access. Given how valuable the master key would be, there is a huge risk that either the systems or the personnel who controlled it would be compromised in attacks.
Building such a system would also be an enormous technical challenge. It would have to be flexible enough to cater to every single type of device and computer, and a huge engineering task force would be required to keep the system operating whenever these devices are updated. There would simply be far too many opportunities for vulnerabilities to slip through the cracks.
Weakening security indirectly
When software is being developed, it’s common to hand it over to an external penetration tester. These are essentially the good guys of hacking, who are paid to probe through the code and see if they can find any vulnerabilities.
Contracting outsiders is a great approach for security, because they may find issues that those close to the project haven’t noticed. But the Assistance and Access Bill has the potential to put a stop to this process.
Since we don’t have an appropriate definition of what systemic weaknesses and vulnerabilities are in the context of the law, we have to assume the worst if we want to be prepared for all eventualities.
Let’s say that the authorities somehow massage the definition of a systemic weakness and manage to force a company to slip a backdoor into their software. If your company was put in that position, would you want to send the code to an external auditor who is probably going to find it?
How would you explain it to the penetration tester? Depending on the situation, your organization may not be able to disclose the government-requested backdoor.
If the penetration tester found the backdoor and your company ignored their recommendations to fix it, the penetration tester may eventually end up going public with the vulnerability and accuse your company of endangering its users. This could end up being incredibly damaging to your organization’s reputation.
Following this line of logic, organizations that have been forced to insert backdoors may end up avoiding external audits altogether, to avoid ending up in such an awkward situation. This would be dangerous, because it means that many other vulnerabilities wouldn’t be picked up in these routine checks.
This chilling effect may seem far-fetched, but crazier things have happened, so these laws need to be as tight as possible to prevent such worst-case scenarios.
Possible effects on the IT industry
Not only do the laws have the potential to weaken security, but their vagueness may also have an effect on business and the workforce. In fact, some Australian companies have already been financially affected, because customers fear their products and services could be compromised.
Effects on larger businesses
At this stage, the best we can do is speculate, because we don’t know how aggressively these laws will be applied. We may never find out due to the strict confidentiality that surrounds their issuance.
If an unreasonable request is made to one of the tech giants, it’s likely that they will have the power and resources to fight it and work around the law. They may refuse to comply, like Apple did in its case against the FBI regarding the iPhone of one of the perpetrators of the 2015 San Bernardino shooting
If these huge companies were worried about being affected by the law, they may try and protect themselves by making sure that no development is done in Australia, avoiding data storage within the country’s borders, or refusing to hire Australians if the laws extend to Australians based overseas. If this were the case, it could have a highly negative impact on the Australian IT workforce.
In an extreme scenario, the companies could end up refusing to do business in Australia and removing their products and services from the market. This seems very unlikely, because it would have huge ramifications. Despite this, it’s not completely unforeseeable, given that Google once pulled its search engine out of the Chinese market over issues with the Chinese Government.
Effects on smaller businesses
While big companies may be able to use their power and resources to skirt any requests from the government, this path might not be viable for smaller organizations. These businesses may lack the funds to mount a legal battle and could be intimidated into giving in by the Australian Government.
The laws are so vague that businesses won’t know their rights or whether they can appeal. This could lead to the government abusing its power against smaller businesses, or forcing them to implement unsafe and unreasonable changes into their software. The strict confidentiality requirements would also prevent these businesses from going public with the demands.
Effects on Australian businesses
Several Australian IT businesses have already been harmed by the regulations. Bron Gondwana, the CEO of Australian email hosting provider FastMail said, “We have seen existing customers leave, and potential customers go elsewhere, citing this bill as the reason for their choice. We are [also] regularly being asked by customers if we plan to move”.
Atlassian, Australia’s largest tech company, saw its stock price fall around the time of the bill’s passing, although it can’t be confirmed whether the two events were related. “We’ve got to recognise this law threatens jobs,” said Atlassian’s co-CEO, Scott Farquar.
Senetas, an Australian encryption company, also expected to be impacted negatively by the law. “In the form that it’s in at the moment, and if it doesn’t get changed, this legislation will force our company to go offshore,” said its non-executive chairman Francis Galbally.
Other dangers of the Assistance & Access Bill
The Assistance and Access Bill covers more than just what the authorities can demand from companies. It also includes a number of changes to the warrant system. Some of these seem reasonable, in line with changing technology and the shifting requirements for law enforcement agencies to be effective at their jobs. Other aspects are unnecessary oversteps that have the potential to violate people’s privacy.
It could violate the privacy of third parties
One such move is the provision that allows law enforcement to enter third party premises, or access third party digital systems in the course of executing a warrant. There are definitely situations where this would be a reasonable course of action. Let’s say that a terrorist attack is ongoing and the safest way that officials can end it is by entering through another building.
Another example could involve a child who is in extreme danger of being harmed, and access to the network or computer of a third party might be the best way to save the child.
The problem is that these powers aren’t limited to such specific scenarios, and can be used whenever a judge deems it “appropriate”. Since the law even covers aspects such as adding, copying, deleting or altering data on third party computers, its use could easily lead to unnecessary privacy violations.
Almost everyone would agree that under certain circumstances, like the above cases, it’s reasonable to override the privacy rights of a third party. However, the use should be limited to only those occasions where the powers are absolutely necessary to prevent serious harm from occurring.
Compelling individuals to give up their passwords
The bill included updates to the Surveillance Devices (SD) Act and the ASIO Act. The changes to the SD Act allow law enforcement agencies to apply for assistance orders from a judge. These orders can be used to force individuals to hand over any information that is “reasonable and necessary” so that the authorities can “access, copy, convert or make intelligible” any data that is covered by a warrant.
These orders can force people to hand over their passwords, their biometric data, or knowledge of any relevant systems and devices. They don’t just target the person suspected of a crime, but can also cover their associates, owners of the devices in question, systems administrators and those who have used the devices.
Not complying with these requests under the SD Act can lead to up to 10 years imprisonment and an A$126,000 (US$88,212) fine.
In a similar manner, the changes to the ASIO Act enable the Director-General to petition the Attorney-General to force individuals to provide the same kind of data. Refusing to comply can lead to up to 5 years of jail, or an A$63,000 (US$44,106) penalty. One of the biggest issues with the new powers under the ASIO Act is that there is no judicial oversight – the authorities never have to go before a judge to get permission.
It’s worth noting that these powers can be used in the investigation of any crime with a maximum penalty of three years or more. It seems heavy-handed that someone who refuses to comply could potentially end up with a sentence that exceeds the penalty for the original crime.
This is especially worrisome when there are legitimate privacy reasons for not wanting to give up passwords or biometric data. Because the laws can also be used against systems administrators and others, people who have committed no other crime could end up suffering serious punishments.
It’s also worth considering that these laws could be in conflict with the privilege against self-incrimination. At this stage, the rights of the individual when it comes to encryption haven’t been tested under Australian law, so we are uncertain whether compelling someone to hand over their password can be seen as self-incrimination.
Once more, these laws are exceptionally broad and many aspects are poorly defined. Due to the lack of proper definitions and oversight, we can’t be sure how they will play out in the real world.
The Assistance & Access Bill was rushed through without appropriate review
It’s not just the laws themselves that are controversial, but also the manner in which they were passed. A draft of the bill was first published in August 2018. Upon its release, it attracted a huge amount of criticism from the tech industry, privacy groups and citizens. The draft was open to public comment and 343 submissions were made.
Of these, only one was in favor of the regulations. The rest either demanded revisions, or were completely against the bill. Despite the cascade of disapproval, the final draft of the law was barely subject to any scrutiny.
On the last day of sitting before the Christmas period, a revised version of the bill was presented to the Parliament. It featured 173 amendments, but members were barely given any time to review them.
While these did include some positive changes, the new draft of the bill still neglected all of the issues mentioned in this article. Despite these serious problems, the Assistance & Access Bill was rushed through both the House and the Senate after the opposition party caved in.
The official reason was that the laws needed to be rushed through to prevent potential terrorist attacks from happening over the holidays. This was an especially dubious claim, since Australia already has a host of anti-terrorism laws.
If the authorities required the new capabilities to force companies into building backdoors, then this also should be viewed with skepticism. Since the laws were passed on December 6, it is unlikely that any company would have been able to provide the necessary tools ahead of Christmas.
On top of this, ASIO, the Australian spy agency, acknowledged there was no specific threat over the period, and it did not raise its warning level.
The result of this process is that the bill did not take the recommendations from the bulk of submissions on board, nor was it subject to an appropriate level of Parliamentary review and debate. The result is a mess of law which could have severe effects on Australia, its IT companies, and global security.
The bill was referred to the Parliamentary Joint Committee on Intelligence and Security, who examined it, then sent it on to the Independent National Security Legislation Monitor (INSLM), Dr. James Renwick, for review. At this stage, it’s not known if the review will result in any changes.
How will the Assistance & Access Bill affect Australia & the world?
The Assistance & Access Bill is a lengthy piece of legislation with a number of gray areas. Because key aspects of the text aren’t clear, it’s hard to know how these laws will be enforced and what their effects will be. There is also a lot of confidentiality involved in the key elements, so we may not ever know exactly how they are applied.
The main issue with the bill is the lack of clarity, transparency and oversight. Since parts of the law are so poorly defined, many of those who will be affected by the bill have been assuming worst case scenarios, which we have spent much of this article discussing.
At this stage, it seems that only the most extreme circumstances could lead to the laws compromising security on a global scale. Despite this, they have already caused significant tensions between tech companies and the Australian Government. Australian tech companies have already been affected, and as for the Australian IT industry’s workers? It’s hard to know what will happen to them.
There is a chance that the laws may be repealed or altered, but like many things to do with this legislation, we just don’t know.