On Monday, the Australian government introduced the Assistance and Access Bill 2018. This bill would give law enforcement authorities new tools to pressure telecommunication and tech companies into complying with government requests to grant access to an individual’s online profile or message history. The Australian government, and Minister for Law Enforcement and Cybersecurity Angus Taylor in particular, have bemoaned the way encryption has eroded the mass-surveillance and evidence-gathering capability of law enforcement and intelligence agencies, similar to the FBI’s “Going Dark” campaign.
The real target appears to be end-to-end encryption (E2EE) services, such as WhatsApp, Signal, and Telegram (in its secret chats), which prevent messages from being captured and decrypted by signals intelligence. While the bill and its authors insist that no encryption backdoor will be created and that communications providers will not be compelled to build weaknesses into their products, its intent is clear: to gain access to E2EE-protected communications.
Below is a quick explanation of the bill so that users can assess it for themselves and leave an informed opinion with the government, which is now accepting public comment.
What is the Assistance and Access Bill
This bill clearly draws from the UK’s Investigatory Powers Act in that it introduces mandatory decryption obligations for both domestic and foreign tech companies to assist law enforcement in accessing private data. The explanatory document accompanying the bill states on the first page that “this includes accessing communications at points where it is not encrypted,” but section 317E of the bill contains a more complete list of what a tech or telecommunication company could be compelled to do. It also states companies can be compelled to provide access to email accounts and physical device storage.
What are the main requirements from tech companies?
The Attorney-General, after obtaining a warrant to spy on a suspect, can request access to that person's data in two ways: a technical assistance request, which solicits the organization’s “voluntary” cooperation, or a technical assistance notice, which compels assistance, provided it is technically feasible. If the organization has no existing capability to provide that assistance, the Attorney-General can issue a technical capability notice, which requires the organization to build a new capability that would give authorities access. Essentially, a technical capability notice requires organizations to devise a way to defeat their own security systems.
With these powers, the government can compel a company to do almost anything, including:
- Install malware on their users’ devices as a way to work around encryption. This malware could then be used to access their accounts and unencrypted communications.
- Modify the service they are providing, including potentially blocking messages.
- Assist law enforcement without alerting the end user.
Any company that refuses one of these orders can face a fine of up to AU$10 million (about $7.3 million). Individuals, such as tech company employees or individual app developers, can be fined up to AU$50,000 ($36,000). A whistleblower who alerts the public to an Assistance and Access order would face five years in prison.
Furthermore, this would be a far-reaching law. According to the bill, any person or organization that “provides an electronic service that has one or more end-users in Australia” is a designated communications provider and therefore subject to the law. A company in California, of course, is not required to obey Australian law, but there may be ways to reach foreign companies, such as by targeting their Australia-incorporated subsidiaries.
How will it affect you?
If the law passes, it would give the government broad powers to access data on Australians’ personal devices. It would also substantially weaken the security of all Australians’ data. Companies that do not comply with these orders from the AG could end up being blocked in Australia. Even if you are not Australian, the passage of the Assistance and Access Bill could embolden other governments to pass similar legislation.
For users of Proton VPN, Proton Mail, and other Proton products, your data will be protected for a number of reasons. First, we have very little data to share because of our strict no logs policy. Second, as a Swiss company we are subject to Swiss law. Any request for assistance from a foreign government would have to adhere to Switzerland’s strong privacy protections.
Why it matters
While it’s true this is not an encryption backdoor, the government is playing a semantics game. Forcing companies to create vulnerabilities outside of their encryption is technically not a backdoor because it is not a systemic weakness in the encryption itself. But in practice, there would be no difference. Any deliberately introduced access mechanism, whether in the cryptography or in the software around it, is a vulnerability that other parties can discover and exploit, so it weakens the security of every user, not just the target. If users cannot trust the services they use, the chilling effect on free speech is just as if there were no encryption at all, something we cover in greater detail here.
What you can do to defend the right to privacy
The Assistance and Access Bill 2018 will be open for public comment until Sept. 10. We strongly advise anyone who is concerned about the privacy of the Internet to read the bill and the accompanying explanatory document. Read other analyses of it. Then make up your mind.
The surveillance state has proved incredibly resilient. The best way to prevent creeping government intrusion is to make informed decisions about where to draw the line between legitimate policing and the right to privacy.
Any comments or opinions our Australian community may have on the bill should be shared via the official government channel at AssistanceBill.Consultation@homeaffairs.gov.au.
Join our mission
We are the only VPN that is community supported, meaning we fight for you. Our mission is to ensure that a private and secure Internet is available to everyone, everywhere, including in Australia. To achieve this, we will continue to speak out against any efforts that we believe compromises online privacy, security, or freedom. Our paid users make Proton VPN possible, so if you wish to support our mission, please consider upgrading to a paid account.
Best Regards,
The Proton VPN Team
You can follow us on social media to stay up to date on the latest Proton VPN releases:
Twitter | Facebook | Reddit
To get a free Proton Mail encrypted email account, visit: proton.me/mail
Kudos to ProtonVPN for devoting resources to answering questions from users, even if some of us are somewhat repetitive.
I see here that you have no employees in Australia, therefore no one to serve orders on. How then are servers serviced? Replaced?
If there are local contractors are they vulnerable to orders served from Australian authorities? Or are old servers airlifted automatically by drone back to homebase for destruction?
Jokes on that last one, but these are the kinds of questions all VPN providers should be answering. Thanks in advance for any answers.
This is a good question. We only use dedicated physical servers and every server that we use is encrypted. You are correct that the local contractors are subject to Australian law. However, in addition to encrypting all our servers, we do not store any user data on remote servers and we ensure that management access is secured.
Perfect
Sorry if I am necro’ing this thread but what actions have you taken in relation to staff in Australia?
“The Electronic Frontier Foundation has said police could order individual IT developers to create technical functions without their company’s knowledge.”
Do you have any Australian based staff or dependencies that would compromise your Australian access points without your knowledge?
This is a good question. We do not have any staff in Australia, which eliminates our vulnerability to Australia’s A&A Bill. We have also applied full-disk encryption to our VPN servers in Australia as an added precaution. https://protonvpn.com/blog/disk-encryption/
If this bill is passed and protonmail is blocked in Australia, would they also have to block use of protonvpn? Otherwise presumably protonmail would still be accessible through vpn.
Hello Colin! As a Swiss company, we are not subject to laws passed in Australia. Any requests for assistance from the Australian government would have to adhere to Switzerland’s strong privacy protections.
Hi,
If a Swiss court asks you for user data, what kind of data do you need to give them?
Hello! Law enforcement requests are handled this way: we will only disclose the limited user data we possess if we receive an enforceable court order from either the Cantonal Courts of Geneva or the Swiss Federal Supreme Court. The only information we keep about the user is a single login timestamp, which contains only the username and the time when the user logged into his/her account. We do not log, track or record any other information about our users.
I’ve just made my submission to the email, and shortly I’ll be encouraging my friends and family to do the same. Hopefully we can make some noise about this before it’s too late.