The Australian government has ignored the expertise of researchers, developers, major tech companies, and civil liberties organizations by charging forward with a disastrous proposal to undermine trust and security for technology users around the world.
On September 10, the Australian government closed the window for receiving feedback about its anti-encryption and pro-surveillance “Access and Assistance” bill. A little more than a week and more than 15,000 comments later, the Minister for Home Affairs introduced a largely-unchanged version of the bill into the House of Representatives.
The issue isn’t whether the Australian government read the 15,000 comments and ignored them, or refused to read them altogether. The issue is that the Australian government couldn’t have read the 15,000 comments in such a short time period. Indeed, the bill’s few revisions reflect this—no security recommendations are included.
The Access and Assistance bill threatens the trust we place—either by choice or necessity—in our technology. If passed, the bill will allow the Australian government to demand “assistance” from an enormous array of “designated service providers,” from the multibillion-dollar global Internet company to the garage-startup app maker who just earned her first Australian user.
The required “assistance” is equally vast. The Australian government could demand that web developers deliver spyware and that software developers push malicious updates, all under the cloak of “national security.” The penalty for speaking about these government orders—which are called technical assistance requests (TAR), technical assistance notices (TAN), and technical capability notices (TCN)—is five years in prison.
EFF’s opposition to this bill is widely shared by companies, cybersecurity researchers, and civil liberties groups around the world. New America’s Open Technology Institute and EFF, in comments signed by Apple, Cloudflare, Google, Microsoft, R-Street Institute, CryptoAUSTRALIA, and Privacy International, criticized the bill for failing to provide a “clear process or standard for challenging” TANs and TCNs. Further, the bill’s strict nondisclosure provisions mean that any end-users harmed by a government order will likely never know about it, hindering their ability to defend their privacy rights in court.
The Australian government made no meaningful changes to the bill to correct these issues.
Multiple Australian rights groups, including Digital Rights Watch, Australian Privacy Foundation, Electronic Frontiers Australia, and New South Wales Council for Civil Liberties, recommended that both the potentially affected “designated service providers” and the types of required “assistance” be “significantly reduced.”
The revised bill includes no such changes, and it still leaves open the risk that open-source volunteers can be targeted with government orders. The revised bill is also unclear about whether an individual within a company can receive an order. This may mean that a programmer, systems administrator, or network operator could be forced to comply with an order in secret, potentially harming her company’s services and their users.
Riana Pfefferkorn, a cryptography fellow at Stanford Law’s Center for Internet and Society, warned about an inherent disconnect within the bill itself. The draft bill stated that no service provider can be ordered to create a backdoor—or “systemic weakness or systemic vulnerability”—but, Pfefferkorn said, other government orders could have the same result.
“The bill risks forcing technology companies to create insecure versions of their products and services that, while ostensibly limited to a single incidence, in fact open the door to the very systemic vulnerabilities the bill professes to avoid,” Pfefferkorn wrote.
The Australian government did not fix this. Instead, the revised bill gives the Attorney General and service providers the option to “jointly appoint” a third party to assess whether a government order will create a systemic weakness. The bill is silent on what happens if the Attorney General and a provider disagree on such an appointment, and on whether the Attorney General can override a provider’s recommendation.
These are just a handful of neglected concerns from three comments submitted to the Australian government—just the tip of the iceberg of thousands likely submitted by its own citizens.
If the bill clears Australia’s House of Representatives, it could still be sent to a Senate committee for changes. We’ve said exactly what we want. We’ll just have to say it again.