Tech giants warn Coalition bill opens customers up to cyber attack

Paul Karp
The Digi industry group says it must first ‘protect the public’s privacy and data from attack’. Photograph: NurPhoto/NurPhoto via Getty Images

The peak body representing tech giants Facebook, Google, Twitter and Amazon has blasted a Coalition bill that would force them to assist law enforcement agencies in decrypting private communications.

The Digital Industry Group Inc has rejected government claims the draft bill, released last Tuesday, would not require communications providers to build weaknesses into their products and warned it would open users’ data up to attack.

The bill grants the attorney-general a power to issue a “technical capability notice” requiring tech companies to build a new capability that would enable them to give assistance to Asio and interception agencies.

Companies cannot be asked to “implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection” but could be asked to help break open particular communications.

In a statement on Monday, the Digi managing director, Nicole Buskiewicz, said that protecting the public is a priority for both government and industry, but that includes “protecting the public’s privacy and data from attack”.

She warned such an attack “would likely be an unintended consequence of this bill”.

“The reality is that creating security vulnerabilities, even if they are built to combat crime, leaves us all open to attack from criminals.

“This could have devastating implications for individuals, businesses, public safety and the broader economy.”

Under the proposed legislation, the director general of security or head of an intercepting agency can issue a “technical assistance notice” for a company to assist in decryption where a warrant has already been issued to intercept telecommunications.

But no warrant is required for a “technical capability notice” issued by the attorney-general, only consultation with the affected party.

Buskiewicz said that DIGI was “extremely concerned at the lack of judicial oversight and check and balances with this legislation”.

Fergus Hanson, the head of international cyber policy at the Australia Strategic Policy Institute said the government proposal was “a big improvement” on earlier suggestions companies could be required to introduce systemic vulnerabilities.

Hanson said the bill still allowed law enforcement to demand encryption be peeled back where there is an existing capability, such as a key, that allowed decryption.

The shadow attorney general Mark Dreyfus said Labor was still in the process of analysing the exposure draft bill.

“It is important that this bill does not produce any systemic weaknesses that would erode privacy and security for all,” he said, “and create vulnerabilities that could just as easily be exploited by criminals seeking to target law-abiding members of the community.”

The Coalition argues the bill is necessary because more than 90% of data intercepted by the Australian federal police used some form of encryption.

The law enforcement and cyber security minister, Angus Taylor, has said encryption has “directly impacted around 200 serious criminal and terrorism-related investigations in the last 12 months alone”.

Taylor said the reforms “will allow law enforcement and interception agencies to access specific communications without compromising the security of a network”.

The Greens oppose the legislation. Senator Jordan Steele-John has said the legislation would allow security agencies to install software to capture data as it is decrypted on the receiving end “undermining the very principle of end-to-end encryption”.