By technology reporter Ariel Bogle
The Australian technology industry is "incredulous to fuming
mad" after the Government's controversial encryption bill passed the Senate.
Under the new laws, security agencies have greater powers to get at the
encrypted messages of criminal suspects — in some cases they can demand
companies build new capabilities to allow them access.
Labor members called the bill flawed during debate on Thursday, but the
Opposition later pulled its amendments at the last minute and voted to support
the Government.
The situation has left Australian technology companies struggling to
understand the potential impact on their global standing and bottom line.
John Stanton, chief executive of the Communications Alliance, said the
bill's passing was a "magnificent triumph of politics over policy".
Partner at M8 Ventures Alan Jones argued the bill will have unintended
consequences for the security reputation of Australian businesses —
"crippling" attempts to export their technology.
"It could be just enough to lose a deal to a
competitor in Israel and the US," he said.
The 'perception of mistrust'
Prior to the bill's passing, members of the Australian technology
industry argued the bill's technical capability notices (TCNs) would undermine
the perceived trustworthiness of Australia-made hardware or software.
TCNs could force a company to make a secret modification to its product
to help a government agency access a suspect's messages.
Such a notice must be "reasonable and proportionate". Nor can it cause
a "systemic weakness", although there is debate about the protection the
bill's definition of the term affords.
The bill proposes three key powers:
· A technical assistance request (TAR): Police ask a company to
"voluntarily" help, such as by giving technical details about the
development of a new online service
· A technical assistance notice (TAN): A company is required to give
assistance. For example, if it can decrypt a specific communication, it
must do so or face fines
· A technical capability notice (TCN): The company must build a new
function to help police get at a suspect's data, or face fines
"I hope that it's possible for some of these companies to move
offshore before they are tainted with the stain of originally being an
Australian company," Mr Jones said.
This echoed the warning of Francis Galbally, chairman of the encryption
provider Senetas, who told a Senate inquiry last month Australia was currently
regarded as being among the world's most trustworthy countries for
cybersecurity products.
But not if the bill passed. "This bill gives a perception of mistrust,"
he said.
Chris Duell, the chief executive of the customer onboarding start-up
Elevio, said the bill was "so outlandish and stupid I didn't think it
would get this far".
While his company does not handle communication data, he said some
European customers had already reached out to query the potential impact of the
new legislation.
Mr Duell said if served with a notice, his company could potentially be
in breach of European privacy law as well as provisions in its own contracts
that demand it notify customers of any security breach.
The head of Girl Geek Academy Sarah Moran, who teaches cybersecurity,
said local start-ups were angry the laws were rushed.
Like Mr Jones, she suggested it could now be more difficult for
Australian technology companies to sell their products overseas.
"Something is either secure or it just isn't, and giving the keys
to the government is not something that makes your business easy to sell to
customers," she said.
A lack of oversight
Many Australian technology leaders expressed concern the bill was being
rushed during the last few days of Parliament.
Mike Cannon-Brookes, the co-founder of Atlassian, tweeted that
"rushing such complex legislation through in days is reckless".
Whatever you feel about the #AABill in Australia, I
agree with the @thelawcouncil
that rushing such complex legislation through in days is reckless. At the
least, these unprecedented laws need far more expert scrutiny & debate.
The Communications Alliance's Mr Stanton, who represents companies such
as Telstra and Verizon, said amendments to the bill had improved it
"marginally".
"It still holds enormous potential to damage our IT industry and
the thousands of people who work in it," he said.
In particular, he is concerned about the bill's secrecy provisions that
mostly prevent the disclosure of a notice.
"A network can be compromised and the people on those networks
won't even know," he said.
"If they don't know there's a vulnerability in their system, they
can't guard against it."
Mr Stanton also described the lack of a warrant framework around the
issuing of notices under the bill as "extraordinary".
In most cases, authorities would still need an "underlying warrant
or authorisation" to access the actual content of encrypted
communications, but not to issue a notice.
Last-minute amendments added further safeguards to the TCN regime, but
fell short of requiring judicial scrutiny each time one is issued.
"Given the risks and the power associated with those notices, we
think that there's a severe lack of oversight," he added.
Opposition pledges to amend the law
Opposition leader Bill Shorten claims he has a deal that the laws will
be improved when Parliament returns in February.
However, the Government has pledged to only support amendments
consistent with a parliamentary report from the intelligence committee.
In a statement, Shadow Attorney-General Mark Dreyfus said the Government
never properly addressed the concerns of business about the legislation's
impact.
"Labor believes there are remaining deficiencies in this
legislation, and encourages those concerned to participate in the renewed
Intelligence Committee inquiry which will be taking submissions," he said.
But that may prove cold comfort for technology companies over the summer
holidays.
"They've left us with this Christmas bonbon, and we don't understand
what will be coming to our businesses in the future," Ms Moran said.
"Do the politicians not understand the internet? … Or do they
understand and do not care?"
A Department of Home Affairs spokeswoman said the new regime was
designed to be collaborative, not undermine trust.
"Clear prohibitions against undermining security will ensure that
providers can't be asked to do things that make their products less safe,"
she said.