Published on the 22/02/2019 | Written by Jonathan Cotton

Companies ‘losing revenue, losing global customers’…

New changes to extend the controversial Assistance and Access Act, which provides police with the power to compel Australian companies to provide access to encrypted user communications on their platforms, to eight more agencies, including state watchdog groups, have refocused attention on the controversial law – and its impact on Australian businesses.

The laws – the first of their kind in the world and rushed through on the last day of 2018 – assert that Australian police forces can demand that tech companies create technical backdoors in their software that give authorities access to users’ encrypted messages – without those users being aware. The sweeping powers are currently available to the Australian Federal Police, the Australian Crime Commission and state and territory police forces. New changes extend that law to include eight more agencies, included state watchdog groups.

“Small and medium-sized enterprises and start-ups could find themselves locked out of overseas markets with their products viewed as untrustworthy.”

The laws have been met with widespread criticism from security experts, digital rights advocates and the companies affected themselves, with former local MD for Microsoft, Daniel Petre saying that Australian companies are already “losing revenue, losing global customers because of this legislation”.

That’s not hot air. Not only are these new laws groundbreakingly bad for Australian business, creating unique vulnerabilities in otherwise sound – and from an export perspective, valuable – Australian products, but, let’s face it: It’s hard to sell an encrypted product that can be decrypted at the request of an ever-expanding roster of government agencies.

So how bad is it? Could Australian companies be tempted to move offshore to locations more suited to doing business? In 2017 – following the passing of intrusive data retention laws – Australian VPN provider 4TFY was an early example announcing it would be relocating to the British Virgin Islands (home of some of the most stringent privacy laws in the world).

New AIIA CEO Ron Gauci says that the economic threat posed by such a sweeping and ambiguous bill could well see “small and medium-sized enterprises and start-ups…themselves locked out of overseas markets with their products being viewed as untrustworthy”.

He says the AIIA is also “very concerned” about the economic impact caused by “international players who would now have to consider what it means to provide products around security in this country.”

He’s got a good point: When the FBI demanded Apple technicians crack the iPhone of one of the perpetrators of the 2015 San Bernardino attack, Apple refused to play ball. While the FBI ultimately figured it out on its own, had a technical backdoor have existed – such as one created to allow Apple products to be sold in Australia – Apple would likely have been forced into using it. And that might well be enough to scare off some international companies who see doing business in Australia and with Australian companies as one for the too-hard basket.

“The enforcement of criminal laws in other countries may mean international requests for data will be funnelled through Australia as the ‘weakest-link’ of our Five Eyes allies,” says Monique Mann, research fellow at Queensland University of Technology.

“Notices can be issued to enforce domestic laws and assist the enforcement of the criminal laws of foreign countries.

“They can also be issued in the broader interests of national security, or to protect the public revenue. These are vague and unclear limits on these exceptional powers.”

A bad idea is a bad idea, and as it stands these laws have the hallmarks of bad legislation: vague terms, limited oversight and now, with the addition of eight more agencies with stand-and-deliver powers – scope creep.

Further amendments will not be debated until April, when discussions will compete for time with senate discussions of the federal budget.

Readers interested in seeing the full Act can access it here.