
Australia passes controversial encryption law

Arguments continue over law that requires companies to work with government agencies to ensure that encrypted communications can be read if a crime is suspected

Australia has passed highly contentious legislation that will force technology and telecommunications companies to work with law enforcement agencies to make encrypted communications accessible in circumstances where there is reasonable belief that a crime has been, or will be, committed.

The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill completed its passage through parliament on the last sitting day of the year – and only after a last-minute list of 173 amendments to the legislation was withdrawn.

According to the government, encrypted communications have affected about 200 operations conducted by the Australian Federal Police in the past year. It also said that the proportion of internet communications intercepted by the Australian Security Intelligence Organisation that were encrypted had risen from 3% in 2013 to 55% in 2017, which was why it needed new powers.

Although the government is adamant that the legislation will not weaken encryption or mandate “backdoors” into encrypted systems, it does require companies to work with government agencies, when directed, to ensure that encrypted communications can be read. It does not specify how that could be achieved without creating vulnerabilities.

The bill that was passed – on a vote of 46 to 11 – had been reworked from the original, and now requires any technical capability notice to a technology or telecommunications company to be approved by both the attorney-general and the minister for communications.

Telcos can also ask for an independent assessment, delivered by a technical expert and a non-serving judge, to be conducted before they make information available, to ensure that a systemic weakness is not introduced as a result of decrypting information.

To get the bill across the line before parliament’s Christmas break, 173 last-minute amendments were dropped in favour of an instruction to the Parliamentary Joint Committee on Intelligence and Security to conduct a review of the operation of the amendments and report back on 3 April 2019.

By then, however, Australia is likely to be in the throes of a federal election campaign and political focus will be elsewhere.

Although the legislation was passed with bipartisan support, it attracted stiff criticism from the Greens, notably Senator Jordon Steele-John, who described it as “one of the most dangerous and one of the least-thought-through pieces of legislation ever to come before the Australian parliament”.

He added: “Within its pages are listed the mechanisms by which the privacy of every Australian citizen may be violated, the security of our nation placed at risk, and billions of dollars’ worth of industry banished overseas.”

Digital Rights Watch chair Tim Singleton Norton said the legislation “has the likely impact of weakening Australia’s overall cyber security, lowering confidence in e-commerce, reducing standards of safety for data storage and reducing civil right protections – in its very design, it is antithetical to human rights and core democratic principles”.

The Law Council of Australia was also scathing about the haste with which the law was passed. Its president, Morry Bailes, said: “We now have a situation where unprecedented powers to access encrypted communications are law, even though parliament knows that serious problems exist.”

Bailes said the Intelligence and Security Committee needed to be engaged in 2019 to “get these laws right”.
