On Monday, the Australian government introduced the Assistance and Access Bill 2018. This bill would give law enforcement authorities new tools to pressure telecommunication and tech companies into complying with government requests to grant access to an individual’s online profile or message history. The Australian government, and Minister for Law Enforcement and Cybersecurity Angus Taylor in particular, have bemoaned the way encryption has eroded the mass-surveillance and evidence-gathering capability of law enforcement and intelligence agencies, similar to the FBI’s “Going Dark” campaign.
The real target appears to be end-to-end encryption (E2EE) services, such as WhatsApp, Signal, and Telegram, which prevent messages from being captured and decrypted by signals intelligence. While the bill and its authors insist that no encryption backdoor will be created nor will communications providers be compelled to build weaknesses into their products, its intent is clear: to gain access to E2EE protected communications.
Below is a quick explanation of the bill so that users can assess it for themselves and leave an informed opinion with the government, which is now accepting public comment.
What is the Assistance and Access Bill
This bill clearly draws from the UK’s Investigatory Powers Act in that it introduces mandatory decryption obligations for both domestic and foreign tech companies to assist law enforcement in accessing private data. The explanatory document accompanying the bill states on the first page that “this includes accessing communications at points where it is not encrypted,” but section 317E of the bill contains a more complete list of what a tech or telecommunication company could be compelled to do. It also states companies can be compelled to provide access to email accounts and physical device storage.
What are the main requirements from tech companies?
The Attorney-General, after obtaining a warrant to spy on a suspect, can request to access someone’s data in two ways: a technical assistance request, which solicits the organization’s “voluntary” cooperation, or a technical assistance notice, which compels assistance, provided it’s technically feasible. However, even if assistance is not technically feasible, the Attorney-General can issue a technical capability notice, which would require an organization to build a new capability that would allow them to give access to authorities. Essentially, a technical capability notice requires organizations to devise a way to crack their own security systems.
With these powers, the government can compel a company to do almost anything, including:
- Install malware on their users’ devices as a way to work around encryption. This malware could then be used to access their accounts and unencrypted communications
- Modify the service they are providing, including potentially blocking messages.
- Assist law enforcement without alerting the end user.
Any company that refuses one of these orders can face a fine of up to AU$10 million (about $7.3 milion). Individuals, such as tech company employees or individual app developers, can be fined up to AU$50,000 ($36,000). A whistleblower who alerts the public to an Assistance and Access order would face five years in prison.
Furthermore, this would be a far-reaching law. According to the bill, any person or organization that “provides an electronic service that has one or more end-users in Australia” is a designated communications provider and therefore subject to the law. A company in California, of course, is not required to obey Australian law, but there may be ways to reach foreign companies, such as by targeting their Australia-incorporated subsidiaries.
How will it affect you?
If the law passes, it would give the government broad powers to access data on Australians’ personal devices. It would also substantially weaken the security of all Australians’ data. Companies that do not comply with these orders from the AG could end up being blocked in Australia. Even if you are not Australian, the passage of the Assistance and Access Bill could embolden other governments to pass similar legislation.
For users of Proton VPN, Proton Mail, and other Proton products, your data will be protected for a number of reasons. First, we have very little data to share because of our strict no logs policy. Second, as a Swiss company we are subject to Swiss law. Any request for assistance from a foreign government would have to adhere to Switzerland’s strong privacy protections.
Why it matters
While it’s true this is not an encryption backdoor, the government is playing a semantics game. Forcing companies to create vulnerabilities outside of their encryption is technically not a backdoor because it is not a systemic weakness in the encryption itself. But in practice, there would be no difference. Any deliberate vulnerability can be exploited by others and compromise the security of all. If users cannot trust the services they use, the chilling effect on free speech is just as if there were no encryption at all, something we cover in greater detail here.
What you can do to defend the right to privacy
The Assistance and Access Bill 2018 will be open for public comment until Sept. 10. We strongly advise anyone who is concerned about the privacy of the Internet to read the bill and the accompanying explanatory document. Read other analyses of it. Then make up your mind.
The surveillance state has proved incredibly resilient. The best way to prevent creeping government intrusion is to make informed decisions about where to draw the line between legitimate policing and the right to privacy.
Any comments or opinions our Australian community may have on the bill should be shared via the official government channel at AssistanceBill.Consultation@homeaffairs.gov.au.
Join our mission
We are the only VPN that is community supported, meaning we fight for you. Our mission is to ensure that a private and secure Internet is available to everyone, everywhere, including in Australia. To achieve this, we will continue to speak out against any efforts that we believe compromises online privacy, security, or freedom. Our paid users make Proton VPN possible, so if you wish to support our mission, please consider upgrading to a paid account.
The Proton VPN Team
To get a free Proton Mail encrypted email account, visit: proton.me/mail