New Australian Law Requires Tech Firms To Help Cops Crack Encryption


The newly proposed measures would levy fines of up to £6m for organisations that fail to comply

Australia has proposed a new law that would require technology giants to give police access to encrypted data in cases where it could be linked to criminal or militant activity, amidst an ongoing debate about the role of encryption in aiding criminality.

The law, which must be approved by the country’s federal parliament, requires police to obtain a court warrant to access the encrypted data and sets fines of up to A$10 million (£6m) for institutions that don’t comply, or A$50,000 and jail time for individuals.

Governments and law enforcement agencies have long called for measures that would enable them to decode encrypted communications when needed.

But it isn’t clear how such measures could be put into practice, since messages on services that provide end-to-end encryption, such as WhatsApp, can in theory only be read by those sending and receiving them, with the service provider itself locked out.

‘No back doors’

Australia’s government has ruled out any efforts to build back doors for law enforcement or other measures that could be seen as weakening the protections provided by encryption.

“We believe encryption is absolutely crucial to protecting Australians,” cyber security minister Angus Taylor told Australia’s ABC network. “So the legalisation explicitly excludes the potential for law enforcement to ask industry to create a weakness in their encryption systems.”

Instead, the proposed law provides measures intended to force companies to either provide access to the data through unspecified means, or to assist law enforcement in gaining access to it.

That assistance could include providing technical information such as the design specifications of a device or service, the removal of electronic protections, assistance in accessing material on a device or even building or installing software or equipment that could help authorities access the information.

How such technical assistance could work in practice remains unclear.

And critics said that forcing large tech companies that are domiciled abroad to cooperate could in itself be problematic.

That issue was highlighted in a high-profile 2016 case in which the FBI attempted to force Apple to assist it in unlocking an iPhone connected to a mass shooting in California.

Apple refused, and ultimately the FBI paid a third-party security group to hack into the handset.

Privacy issues

An industry association that includes Google, Twitter, Facebook, Yahoo and Microsoft called for a “constructive dialogue” around the Assistance and Access Bill 2018.

“We work every day to help protect the privacy of people who use our services and strongly support the economic and social benefits of encryption technology,” stated Nicole Buskiewicz, managing director of Digital Industry Group Inc. “At the same time, we appreciate the hard work governments do to keep us safe.”

Others in the IT industry noted that the law’s wording means it could affect a wide range of companies.

“Any company that writes software that could get installed on a computer connected to a network will become a ‘designated communications provider’ if you were wondering how broad this not-a-backdoor legislation is,” wrote technology expert Justin Warren on Twitter.