The concept of encryption is at risk here in Australia.  And who’s to thank for that?  None other than our very own government.

Our government has recently “passed” a bill that allows your data to be decrypted on suspicion of crime, terrorism or any reason the officer can come up with.  This bill, known as the ‘Assistance and Access Bill’, is a classic case of trading privacy for security, a case that is becoming all too common across the world.

So, what exactly is this bill?  What limits are tech companies and law enforcement expected to follow?

History of the A&A Bill

Contents of the A&A Bill were first revealed in July of 2017 as a way to make sure that law enforcement can access encrypted communication.  On paper, this doesn’t sound too bad.  Proponents of the bill even bragged about how the national security of our country would be bolstered.  We’d be safe from every threat imaginable.  At least, that’s what the government wanted us to believe.

Unfortunately for them, we’re not as susceptible to fear as they believed.  The bill caught flak from all sides, with the majority of the country opposing its content.  The contents were as follows:

  • To obligate ‘designated communication providers’ to assist law enforcement with access to particular users;
  • To create new powers allowing police access to computers and other devices without the user’s knowledge; and
  • To strengthen current data gathering abilities by broadening the amount of data possibly collected through search warrants.

To summarize the contents, law enforcement and communication providers could access your data at any time for any sufficient reason.  More data would also be collected when it comes to searches.

While my past tense usage might make you think the bill is dead in the water, it’s the opposite; the bill was revised in 2018, catching flak yet again from monolithic tech companies like Apple.  After a few months, the bill was passed in December of 2018.  Kind of.

The bill is going through a sort of test phase.  A parliamentary committee will review the bill over the next year.  Until the review is finished, law enforcement only have the ability to seize data if the data is linked to a serious crime (terrorism, murder, etc.).

But how would they seize your data?  There must be some sort of process that officers and communication companies would need to go through, right?

Process of Seizing Data

To seize data with sufficient reason, the government agency would need to issue a Technical Assistance Request, or TAR, to a telco.  The telco, if it finds sufficient need, will proceed to aid the agency in any way it can.  This can range from providing data that is relevant to the request, to constructing a complete backdoor to a system.

Where things get a bit more complicated is when the telco denies assistance.  If that happens, the agency in question can submit a Technical Assistance Notice, TAN for short.  Tech companies are compelled to follow through with the demands of the notice.

There is one limit, and one limit only, when it comes to a TAN.  A telco or tech company cannot fully remove encryption from the service or system in question in a way that would affect other devices or users.  For example, Facebook wouldn’t be allowed to remove encryption from their service just to aid an agency.  Only the requested data may be decrypted.

But what’s to be worried about?  This should only apply towards criminals or citizens under suspicion, right?

Not exactly.  Remember, this is the same group of people who approved a law mandating that all telcos and ISPs retain data for up to two years.  The companies can then be compelled to give it up whenever needed by the government.  Thankfully, citizens can mitigate this by using additional encryption, such as an Australian VPN, to encrypt data beforehand.

So, what do we average citizens need to be concerned about?

1.   Vague Wording

An important note about the bill is that a backdoor isn’t defined anywhere.  Nowhere does the bill attempt to inform people what constitutes a backdoor.  The bill even goes as far as to say that a tech company is allowed to remove any protection from a system as long as other systems are not affected, or as Research Fellow Chris Culnane puts it:

‘The fact that the provider has the capability to remove encryption from a device is a systemic weakness.’

He’s right!  The ability to remove encryption from any device is a power that absolutely no one should hold.  Some good can be done, sure, but a lot more damage can be done as well.   And without a clear definition of what makes a backdoor, what stops an agency from undermining an ISP or telco without acknowledging the existence of a backdoor?

2.   Non-Existent Oversight and Reduced Government Accountability

If the ability to create a backdoor whenever needed isn’t scary enough for you, it’s also important to keep in mind the reach that the government has.  Figureheads like the Director-General of Security and Attorney General do not require judicial oversight.  This means that if the AG wanted to keep you under surveillance, he’d need no real reason.

TARs are also exempt from mentions in annual reports, and telcos aren’t even required to report how many requests were made.  Without a public record of requests, the citizens are left in the dark when it comes to their security.  And if someone leaked the number of requests?  They’d receive up to five years in prison, as disclosing the information is now a criminal offense.

Our Privacy is Treated as a Privilege, Not a Right

This bill was passed for the reason of keeping citizens safe and secure, but at what cost?  ISPs and telcos are now expected to work in the interest of government agencies, not their consumers.  All in the name of security.  But are we ever really secure when our privacy has been sacrificed?