The world’s biggest internet companies – including Facebook, Google and Amazon – warn the laws could undermine national security.
The world’s largest search and social media companies have raised grave concerns over a complicated draft bill that would give Australian intelligence agencies sweeping new powers to demand assistance in cracking private messages.
The draft legislation would give police and spy agencies like ASIO the power to ask tech companies to voluntarily provide access to private communications, provided they have a warrant.
The attorney-general would also get the power to force companies to “build a new capability” to help investigators with their inquiries – but that order cannot force the company to break encryption.
It could include a tool to track criminals with GPS or to create a secret profile for intelligence officers.
In a joint submission to the Home Affairs department, a group representing Amazon, Facebook, Google, Oath and Twitter raised serious concerns with the scope of the bill and a lack of oversight.
The companies argue the requirement to help crack non-encrypted messages may still “require the provider to identify a weakness in the security of data in their systems or technology and to make that weakness known to those agencies”.
“While [we] appreciate the challenges facing law enforcement, we have concerns with the bill, which, contrary to its stated objective, may serve to actually undermine public safety by making it easier for bad actors to commit crimes against individuals, organisations or communities,” the submission reads.
Cooperating closely with law enforcement to help breach private communications could “erode consumer trust” and potentially “introduce weaknesses that malicious actors could exploit”.
The laws are designed to avoid situations like the San Bernardino terrorism investigation in the United States, where Apple famously resisted pressure from the FBI to break a suspect’s phone.
The submission argues the laws should be limited with more judicial oversight and only used on the worst suspected criminals.
“The bill proposes extraordinary powers of unprecedented scope, and their exercise should be limited to combatting serious crimes that pose a grave threat to human life or safety.”
The companies, which have billions of customers globally, also raised concerns about how the laws will apply across borders.
The assistance orders from the attorney-general could “require service providers to take actions that violate the laws of other countries”, the submission warns.
“This potentially places service providers in an impossible situation and also potentially jeopardises Australian national security if other governments introduce similar provisions.”
Greens senator Jordan Steele-John welcomed the criticisms from the industry.
“Creating technology vulnerabilities to expand the surveillance overreach of the Five Eyes network will ultimately leave all of us more vulnerable to criminal activity,” Senator Steele-John said, referencing the intelligence-sharing agreement with the United States and other English-speaking allies.
“Given some of the biggest data breaches over the last few years have come from government agencies, I’m not left feeling any safer by the prospect of this legislation,” he said.
“This is massive government overreach and something we should all be extremely concerned about. It makes a mockery of our right to privacy, leaves us more vulnerable to cyber-espionage and permanently weakens existing protections we all rely on to stay safe and secure online.”
The draft laws, which are yet to be presented to the parliament, do not allow agencies to force companies to break encryption or to create a so-called “backdoor” – a weakness in the code that only law enforcement can use.
Announcing the laws, then-cybersecurity minister Angus Taylor told SBS News he wanted to see “more encryption, not less” to keep Australians safe from cybercrime.
But the laws could offer agencies a variety of ways to crack encrypted communications without lifting the encryption itself.
If an agent could see what was on the screen of a suspect’s phone, for instance, the level of encryption protecting the messages would be irrelevant.
“One way is through the application. The other way is through the device. The other way is through the networks themselves,” Mr Taylor told SBS News at the time.
“There are many different ways of doing this.”
The government is yet to respond to the companies’ submission.