Update, 1/26/2019: Read our submission in Australia’s ongoing review of the law.
Near the end of 2018, Netflix debuted a live recording of Taylor Swift’s “Reputation” tour, filmed in Texas during the tour’s last U.S. performance. Shortly after the performance, Swift and her entourage would sprint off for Australia, playing four shows from Perth to Brisbane.
We can only hope that some of the members of Australia’s Parliament were able to make it to one of those shows, because they’re going to need some tips on how to deal with their own reputation issues. That’s because, as Ms. Swift was touring across Oz, Parliament was closing its consultation on the “Assistance and Access Bill,” now the law after passage of the bill in late December.
Few laws passed in large democracies could achieve the draconian impact that the Telecommunications and Other Legislation Amendment (Assistance and Access) 2018 law is poised to unleash. Its provisions allow representatives from Australian law enforcement and intelligence agencies, without judicial oversight, to order companies to do just about anything in the pursuit of national security or enforcement of criminal law, including hacking devices and deliberately weakening the security of the products that Australians use every day.
It seems natural, then, that Australia is earning its own big reputation as the Assistance and Access law attracts international scrutiny and criticism. The law garnered nearly unanimous opposition from anyone who actually understands technology, and has caused some to compare Australia’s approach to China’s, given the threat the legislation poses to privacy and the scare tactics used to rush it through. Even Australia’s own Human Rights Commissioner reacted with alarm, pointing out during the legislative process that Australia has “passed more counter-terrorism and national security legislation than any other liberal democracy since 2001.”
Fortunately, even though the law has been implemented and is already in use, there is still a chance to influence the end game. That is because the eleventh-hour passage of the law, which took place right before the December holidays, was secured on the basis of a promise of further review in 2019, with the potential for adding badly needed amendments, safeguards, and transparency requirements.
This means, much like T-Swift herself, Australia still has an opportunity to rise from international scandal to global leadership. Here are 10 lessons Parliamentarians should consider as they initiate their review of the law.
The internet operates on trust. It’s the backbone of the digital economy, social media, communications, and just about everything else we do online. The Assistance and Access law doesn’t just erode that trust — it annihilates it entirely. The law sets up a regime where Australian government officials can pressure or compel companies to make significant changes to digital devices and services with woefully inadequate transparency, no accountability, and no judicial oversight of what officials decide to do.
Since trust is so critical in the digital age, the Assistance and Access law could have significant ramifications for Australians, including the loss of important products and services. While we don’t know yet how companies will respond when authorities invoke its powers (and it’s not likely the public will know about it when it happens), several prominent companies are taking a bold public stand against creating government-mandated vulnerabilities. When faced with a government order to undermine the security of their devices or services and put their users’ safety at risk, these companies may instead remove themselves from the Australian market to avoid compliance, including geo-blocking their websites so that Australians cannot access them.
Some of the worst parts of the law are its broad gag provisions. Experts deduce that companies can’t even say they haven’t received a notice under the law without risking jail time. Violating a gag order carries a penalty of up to five years in prison, which means the violation itself qualifies as a “serious offense” under the law’s own definition, and the law’s powers can be invoked to investigate it. That’s significant because if the law is misused or abused, there is little accountability. In addition, while there are provisions for transparency, they are minimal: providers can report the total number of notices they receive over a six-month period, and the government is expected to publish annual statistics for each type of notice, as well as a list of any serious offenses for which they are invoked.
While the law prohibits its authorities from being used to compel a “systemic weakness” or “systemic vulnerability,” this limitation is inadequate. To be prohibited, a mandated weakness must affect a “whole class of technology,” so the government could presumably compel a change that creates a weakness, and it would be allowed so long as it does not affect 100% of users or devices. From an engineering standpoint that line is illusory: the code path built to weaken one user’s device is the same code path that, once it exists in the vendor’s build and update pipeline, can weaken every device running that software; the narrow scope is a matter of policy, not of technology. There is also the risk of unforeseen problems in any mandated update that deliberately introduces a vulnerability. Consider that even official Apple system updates, developed and planned by technologists and tested extensively over time, have inadvertently “bricked” a large number of iPads — that is, rendered them totally useless as anything but a paperweight.
This law would be frightening enough if these authorities were available only to Australian government officials. But it can also be invoked on behalf of a foreign government in relation to what that government determines a “serious crime.” The law defines serious crime as any crime with a sentence of three years or more. There is no transparency into which governments may ultimately enjoy access to these powers, and no requirement that they must provide for minimum human rights protections. Consider, then, that India metes out life sentences for sedition crimes, and in Saudi Arabia, homosexuality and witchcraft are crimes that under some circumstances are punishable with prison time or the death penalty.
While a mandated vulnerability may be intended to provide law enforcement with an assured means of accessing certain types of sensitive user data, a deliberate weakness, once created, could be available to any bad actor. Where government officials go, criminals will follow. Companies forced to comply with the law, and the customers relying on their products, would therefore become even more vulnerable to cyber attacks and data breaches. That would be no small matter, considering that Australia had more than 800 data breaches in 2018 alone. Providing more ways to bypass security features on smartphones and other devices is also likely to result in increased device theft, which has reportedly been on the decline since companies began encrypting device storage by default. That kind of protection, without deliberate holes in the system, meant that a stolen device was useless to anyone not authorized to access it, and by extension worthless on the black market.
Another problem with the law is that of omission: it fails to include provisions to assist law enforcement and intelligence investigations that would avoid the risks of the current approach. It does not provide funding to educate law enforcement on the availability of alternative methods for accessing digital evidence, nor for hiring technologists or other experts in digital security. Instead, it could endanger access to evidence, since the unchecked powers of the law might persuade the U.S. to think twice about entering into an agreement with Australia to enable direct law enforcement access to data held by U.S. companies.
While Australia’s law enforcement and intelligence agencies lobbied hard for the Assistance and Access law, taken as a whole the law threatens to be more of a headache than a helping hand. As we’ve explained, the law is likely to limit Australians’ access to products and services that are driven out of the market, increase data breaches and device theft, and hurt Australia’s chances of entering into beneficial international agreements to assist law enforcement. While these are predictable outcomes, the negative impact of the law is not likely to be measurable until it’s too late…
…which is why it would have been prudent for Parliament to postpone enactment of the law until there was more information to show that it is necessary (the current justifications are lacking). This would have given lawmakers the opportunity to study other options or, at a minimum, fix the ambiguous and confusing provisions that resulted from the rushed, inadequate process for drafting the legislation.
Australia can still shake this off. While the Australian Federal Police claims to be close to reaching agreement with several companies to exercise its authority, officials have reportedly used the law in only very limited circumstances so far. Parliament can act to substantially revise its provisions or even vacate the law altogether in favor of a more thoughtful, useful, and effective approach that would preserve digital security and protect human rights. We can only hope Parliamentarians will ask themselves, “what would Taylor do?,” and act accordingly.
In the meantime, the public has until February 22, 2019, to submit comments on the law, and you can do so online, as we at Access Now will do.