The Australian government has passed a law that gives Australian law enforcement agencies every right to access users' encrypted data. The law binds technology companies operating inside or outside Australia to reveal the encrypted data of users present in Australia.
Last week, the Australian government signed a bill that allows law enforcement agencies to obtain all encrypted data of users from technology companies. This law was introduced under the Telecommunications and Other Legislation Amendment Bill 2018. The bill has received assent from both houses and is now applicable as law.
Under this bill, technology companies are bound to cooperate with Australian law enforcement agencies and give them access to users' encrypted messages and other data. The technology companies that are forced to abide by this law do not necessarily belong to Australia. It could be any company, website or other entity that has an end user located in Australia, no matter where in the world the company operates.
It also doesn't need to be a company or an organization; it could be any individual designated as a communication provider. A communication provider can be anyone who provides an electronic service that has one or more users in Australia. It can also be a person who develops, supplies or updates any software that was used, is being used or is likely to be used in Australia in connection with:
- A carriage service that is listed.
- An electronic service having one or more users in Australia.
The approval of this bill has changed the definitions of systemic vulnerability and systemic weakness in the legislation, as a notice cannot force a service provider to build a decryption capability or make system security less effective so that a third party can get on-demand access to users' data for whatever reason. The new definitions in the legislation are:
- Systemic vulnerability means a vulnerability that affects a whole class of technology but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
- Systemic weakness means a weakness that affects a whole class of technology but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
The three notices that can be generated are:
- Technical Assistance Notices: These notices are sent to companies that are able to get around encryption, give access to user logs or decrypt the given messages. These are compulsory, and any entity that refuses can be penalized financially.
- Technical Capability Notices: These notices urge companies to modify, redesign or build infrastructure that allows law enforcement agencies to have access to users' data.
- Technical Assistance Requests: These are voluntary, which means that companies won't be penalized if they refuse to provide data. However, they have to fulfill the mandatory requests according to the rules, which include inclusion in insight reports.
This law has been enacted out of a dire need to protect against child abuse and keep an eye on terrorist activities. However, many statements in the bill are not explanatory enough and leave room for varying interpretations and implementations of this law, which is alarming!
As of now, the bill has been unanimously passed and has become law, and it can be implemented at any time by any law enforcement agency in the country. However, the independent National Security Legislation will monitor the implementation of the law till 2020 and can ask for a review of its effectiveness and implementation at any time.