Under new powers to be given to police and intelligence agencies, companies may be required to help decrypt communications on platforms such as WhatsApp, Telegram and Signal, and even insert code to help capture data.
The bill had support from both major parties and, late on Thursday, the opposition Labor party said it was withdrawing amendments it had previously demanded. That allowed the upper house to vote in support of the legislation, meaning it becomes law.
The new law thrusts Australia to the center of a global battle between tech companies and governments over privacy and security. In 2016, the U.K. gave authorities sweeping powers to hack, intercept and retain the communications of all British citizens, while China’s Cyber Security Law requires internet operators to cooperate with criminal and national security investigations.
“There has been similar legislation in the U.K. and possibly a few other jurisdictions but their legislation doesn’t go anywhere near as far as what’s happening here,” said Mark Gregory, an associate professor specializing in network engineering and Internet security at Melbourne’s RMIT University. “The government here can coerce the company to actually provide backdoors into their systems and into devices and force the company to build systems that can help with investigations.”
Read more: The battle over privacy versus security
In arguing for the legislation, Prime Minister Scott Morrison’s government said 95 percent of people being monitored by security agencies use encrypted messages. The technology has resulted in law enforcers effectively “going blind or going deaf,” according to Alastair MacGibbon, the government’s cyber security adviser.
The Digital Industry Group, an association whose members include Facebook and Google, campaigned against the legislation in a loose alliance with Amnesty International and the Melbourne-based Human Rights Law Center. Critics warned the legislation could undermine security across the Internet, jeopardizing activities from online voting to market trading and data storage.
The legislation will be subject to a review by a parliamentary committee for 12 months. The new powers will be limited to tackling serious crimes. And there would be strict oversight of so-called “technical capability notices” that would seek to force companies to amend their services to help police access data.
Many technology companies began to add encryption to their products after former U.S. government contractor Edward Snowden exposed the extent of U.S. spying. That’s left security agencies facing an uphill struggle to keep up with new technology, and caused repeated tussles with tech giants.
In 2016, the U.S. Justice Department clashed with Apple Inc. when the company refused to unlock an iPhone connected to a mass shooting in San Bernardino, California. The U.K. government, meanwhile, has been deeply critical of WhatsApp’s end-to-end encryption, which was used by a terrorist shortly before he killed five people in London in March 2017.
Read more: World leaders seek broad powers to get around encryption
Lobby group Digital Rights Watch said “some extremely dangerous elements” of the Australian legislation had been addressed by the agreement between the government and the opposition.
“But the fundamental fact remains that the powers being sought by law enforcement are ill-informed, badly drafted and a gross overreach,” Digital Rights Watch said in a statement. “This bill is still deeply flawed, and has the likely impact of weakening Australia’s overall cyber-security, lowering confidence in e-commerce, reducing standards of safety for data storage and reducing civil right protections.”
RMIT University’s Gregory said the effect of the laws would likely spread beyond terrorist or criminal activities and into private-sector investigations.
“It’s too rushed, too broad, not well-defined and ultimately will be misused,” he added. “People will also be able to use this not just for criminal law matters but also corporation law matters.”
Monique Mann, a researcher in technology, law and regulation at the Queensland University of Technology, agreed there were problems with the legislation, which she described as “world first” in its scope.
“There are issues around transparency, accountability, oversight, and the potential and scope for misuse,” Mann said. DM