How the government plans to access your phone data
GOOGLE, Apple, Facebook and telecommunication providers like Telstra will be compelled to hand over sensitive data or grant systems access to Australian authorities - or face fines of up to $10 million under proposed new laws.
The draft legislation, released today, has been a long time coming after the Turnbull government last year vowed to crack down on criminals and terrorists using encrypted services to conduct activities outside the reach of Australian spies and law enforcement.
The new laws - which will need to be approved by the federal Parliament - target providers of communication services and device makers and will include the power to force companies to disclose encrypted information on devices such as phones, computers and on social media platforms.
It will not force companies to build a so-called "back door" into their encrypted services. The government was concerned about creating vulnerabilities that could be exploited by hackers - something that it was continually warned about during consultation with industry.
Nigel Phair, director of the NSW Canberra Cyber, said he was pleased the government wouldn't seek to compel companies to build any cyber back doors into their systems.
"It's reassuring they're not talking back doors," he told news.com.au. "That would not be good for society."
But Mr Phair cast doubt over how the new powers would work in practice, given the international nature of many of the companies that would be subject to them.
The government will have three levels of requests. The first stage is voluntary, while the second stage is compulsory and includes fines of up to $10 million, or $50,000 for an individual. The third stage is also compulsory and demands companies proactively work to build mechanisms to help authorities collect information.
"How well this plays out in terms of the three stages of compliance will be another factor altogether," Mr Phair said. He believed demanding co-operation was easier said than done and expected the government would encounter "jurisdictional and procedural" problems with the implementation of the laws.
"You can put a fine on it all you like, but if these companies are domiciled off in another country it will be very difficult to enforce their compliance," he said.
As a former police officer, Mr Phair said the legislation would be welcomed "100 per cent" by law enforcement. And the fact the government was not talking about back doors might "placate" the naysayers and opponents of the legislation.
Cyber Security Minister Angus Taylor said the government did not want to be seen as trying to weaken encryption protocols.
"We believe encryption is absolutely crucial to protecting Australians. So the legislation explicitly excludes the potential for law enforcement to ask industry to create a weakness in their encryption systems," he told the ABC.
The new laws seek to modernise police powers in the age of smartphones and the internet, but Mr Phair said more legislation was not necessarily the answer.
"There's lots of other ways to get data, we leave digital footprints about ourselves everywhere, there's lots of metadata out there that's easy to get. However, content is another thing and content is difficult to get," he conceded. Theoretically the legislation would make it easier for law enforcement to get that content.
When you send a message over an encrypted messaging service like WhatsApp, for example, the message is encrypted as it goes over the network and decrypted when it gets to the intended recipient.
While police won't be able to force Facebook (which owns WhatsApp) to provide a way to crack the encryption, if they had a warrant, they could view the message at the same time as the recipient when it is decrypted.
The legislation is also very broad in its wording.
"Any company that writes software that could get installed on a computer connected to a network will become a 'designated communications provider' if you were wondering how broad this not-a-backdoor legislation is," IT expert Justin Warren wrote on Twitter.
The issue of encryption and surveillance has been a sticking point for the Coalition government in recent years.
The government says that 95 per cent of the dangerous actors being targeted by the Australian Security Intelligence Organisation (ASIO) use encrypted messaging, hindering intelligence agencies' ability to investigate.
In a common line from the government, Mr Taylor said technologies such as encryption were being used by organised criminals, terrorists and paedophiles to evade detection.
"We know that more than 90 per cent of data lawfully intercepted by the Australian Federal Police now use some form of encryption," he said in a statement today.
"This has directly impacted around 200 serious criminal and terrorism-related investigations in the last 12 months alone. We must ensure our laws reflect the rapid take-up of secure online communications by those who seek to do us harm."
Agencies like ASIO or the Australian Federal Police will have the ability to request that telecommunication and tech companies help them with their investigations.
Mr Taylor said tech and telecommunication companies could also be asked to help locate a suspected criminal.
"Where we need to track a suspected terrorist … we want access to GPS data. We can't track potential terrorists without knowing where they are. So that is going to be crucial information in a serious case," he said.
Under the law, Australian government agencies could compel companies to provide technical information such as design specifications to help in an investigation, remove electronic protections, assist in accessing material on a device subject to a warrant and even build or install software or equipment that could help authorities gather information.