Here’s why Australia’s cybersecurity bill is a terrible idea

Lexie

Hi, I'm Lexie! I write about information security, Bitcoin, and privacy.


Despite international protest, Australia has passed a new bill that essentially outlaws encryption technology, making its population of 25 million (and 10 million annual visitors) less safe.

The “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill” of 2018 requires tech companies to build backdoors and weaknesses into any communication systems, including apps, phones or web services.

The law will force popular apps like WhatsApp or Telegram to make their chats available to Australian law enforcement. In some cases, the law even makes it illegal for companies to inform their users about the lack of protections, and there is close to no judicial oversight.

Power made available to all agencies, except those fighting corruption

The new legislation makes it impossible to safely conduct engineering work in Australia or rely on Australian suppliers or subcontractors. Any software originating from Australia is now likely to include weaknesses that could be exploited by competitors, spouses, or criminals.

The lack of accountability also makes it far easier for malicious system administrators or hackers to inject vulnerabilities into existing systems, which they could then easily blame on the existing state intrusions.

While an initial draft of the bill “only” made these new powers available to federal agencies, the final, approved version allows all law enforcement agencies, except anti-corruption agencies, to force engineers and companies to remove information security protections.

With crime generally in decline in Australia over recent years, it is unclear why the government needs these new powers, or what crimes the police expect to be able to fight with these provisions.

Is the new Australian cybersecurity law enforceable?

Although tech giants like Facebook, Google, and Amazon do not carry out a lot of security-sensitive tasks in Australia, the law will only discourage companies from conducting such business Down Under. ExpressVPN, too, does not host sensitive information, encryption keys, or employees in Australia.

While this hurts the local tech industry, it makes it hard for the Australian government to enforce this law abroad. WhatsApp and iPhones will probably remain available in their secure form to Australian consumers, which will lead to foreign products becoming more attractive to consumers, weakening the Australian tech industry further.

Is it too late to stop the Australian encryption bill?

Unfortunately, yes. But, if you are in Australia, it is still worth showing your opposition to this law. Support parties and candidates that seek to repeal it.

To protect yourself from backdoors and weak encryption, use well-audited open-source software. The open nature of open-source tools makes it harder for states to sneak in backdoors and weaknesses, and alterations can more easily be spotted.

Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space travel, and pancakes with blueberries.