The government has agreed to a suite of changes to its bill that will give intelligence agencies and police the ability to force tech companies to help them crack secure messages
Tech companies will be given the right to challenge orders from intelligence agencies or police if they believe they are being asked to create a long-term weakness in their products, under amendments to the government’s encryption laws.
The Coalition has reached a deal with Labor on its wide-ranging bill, which is likely to pass the parliament this week with several significant changes.
Tech companies, which previously described the bill as a major threat to the cybersecurity of all Australians, have cautiously welcomed the “tighter controls” but still have serious concerns.
The bill will give agencies the power to force tech companies to build them new “solutions” to get around encryption – the technology that scrambles messages and other digital signals, including financial information, so it cannot be intercepted and read.
This could come in the form of a secret screen-capturing app downloaded onto a suspect’s phone, or a secret capability to track a suspect through the GPS on their device, for instance.
The bill already says this capability cannot be a “systemic weakness”, suggesting a long-term hidden fault or ‘backdoor’, but does not define that phrase.
Under the amendments, there will be a definition. The tech industry wants it to be made clear that they cannot be forced to build ‘backdoors’ that could later be discovered by hostile actors, like cybercriminals or hostile nations.
The revised laws are yet to be introduced to parliament, but SBS News asked Attorney-General Christian Porter for details on the ‘backdoor’ compromise.
He revealed the two major parties had agreed to allow tech companies to lodge an appeal if they believe an agency is asking for code that constitutes a “systemic weakness”.
“If any tech company is asked to do anything that they consider looks like creating a systemic weakness, they'll in effect be able to dispute and appeal that request,” Mr Porter told SBS News at Parliament House on Wednesday morning.
He said the cases would be heard by two people: an “expert in the area” and a retired Federal or Supreme Court judge.
“Now that is a very, very significant protection,” Mr Porter said, to ensure the bill would “never allow a systemic weakness”.
Both the tech company involved and the attorney-general will have to agree on the two people.
“So nobody could be appointed that the tech company doesn’t want,” he said.
Asked how the expert would be chosen, Mr Porter said that would be revealed when the legislation was tabled later on Wednesday.
Earlier, his Labor counterpart Mark Dreyfus said the government had made “important concessions” and the opposition was now willing to pass the laws before Christmas.
Mr Dreyfus said the new “double-lock authorisation process” was an improvement.
But he said the bill was still “far from perfect” and suggested more amendments could be required in 2019.
Tech industry ‘welcomes’ change but concerns remain
The Australian tech industry has been a vociferous critic of the laws, telling SBS News some firms would rather leave the Australian market than comply with the new obligations.
Their main concern is that firms would be required to build hacking solutions that could later fall into the wrong hands, especially if those “solutions” were systemic, latent loopholes that would remain embedded in the technology long-term.
CEO of the Communications Alliance, John Stanton, said the “tighter controls” were welcome, but expressed concern over other parts of the bill.
Agencies will also have the power to request voluntary help from tech companies. The voluntary help does not require the oversight of the attorney-general and can be requested by individual agents within ASIO or the police, rather than the head of the agency.
“There is a real risk that while much is being made of additional protections around [the compulsory requests], agencies will simply exploit this loophole in the bill to direct their activities via [voluntary requests] instead,” Mr Stanton said.
Drugs, guns and murders
The major parties have also come to an agreement on which types of crime are covered by the bill.
Labor had proposed a substantial narrowing, so only terrorism and child sex crime suspects could be hacked under the new powers.
Under the new deal the crimes will still be narrowed, but will also include homicide, gun and drug offences.
Mr Porter told SBS News it was important to include types of crimes that often financed terrorism, and noted the popularity of encrypted messaging apps – like WhatsApp, Telegram, Signal and Wickr – among drug dealers.
“They are the stock in trade of drug dealers and drug importers, and so we need to be able to deal with that fact,” he said.
“Drug offences at a state and federal level that carry a maximum penalty of more than three years would be able to be the trigger for an issue of a notice.”
Powers expected to pass before parliament rises
Parliament wraps up for the year on Thursday, and the laws look all-but-certain to pass with the support of the opposition before then.
The domestic intelligence agency ASIO said it planned to immediately put the powers to use on suspects within its current caseload.
But not everyone in the parliament supports the laws.
The Greens will vote no, and some on the crossbench are still undecided.
“The Labor party had an opportunity to oppose this legislation, they had an opportunity to grow a spine, and they botched it,” Greens senator Jordan Steele-John said.
Crossbench senator Rebekha Sharkie said her fellow crossbenchers still had “a few concerns”.