Welcome to Eureka Street

AUSTRALIA

We need leaders who are smarter on data

  • 29 January 2019

 

Since 2014, the Australian parliament has passed 40 national security-related bills into law. The most recent was the Access and Assistance Bill, which was passed before Christmas. Despite concerns expressed by security experts, technologists, privacy experts, business, and civil society groups, both government and the opposition voted in favour of the bill.

The new laws provide for 'back door' access to personal electronic devices. If a security agency sees the need to access devices of a suspect under investigation, it can request assistance to do so from any business involved in the supply line of the software or hardware concerned. Creating a 'back door' interferes with the inbuilt security of devices, permitting security agencies secret access to targeted phones and computers.

The inbuilt security features of all software and hardware that connect to the internet, including data encryption, are essential to protect our information online. Banking and e-commerce rely on encryption to function safely online. Without it, it is far easier for criminals to access our bank accounts and financial details. It is not only money at risk: our personal or sensitive information (for example, health records) might also be easily stolen in a weakened online environment.

In anticipation of concerns about developing systemic weaknesses in online security, the government attempted to limit the scope of the assistance provided. The legislation thus prohibits the creation of 'systemic' weaknesses. In a deal negotiated with the opposition, the government has promised to define 'systemic weaknesses'. What this will look like is open to conjecture.

According to technologists, any so-called back door is necessarily a systemic weakness. The concept behind the new powers is to target individual devices: perhaps by secretly installing code that opens a device to scrutiny by security agencies. However, this concept fails to grasp the network environment of contemporary computing and how software is developed and tested. While security agencies may be interested only in a single device, it is not possible to alter that single device through a networked system. To target one device will inevitably mean targeting them all.

Even if this legislation can provide a means of targeting potentially dangerous criminal suspects, we have to ask whether the cost is worth it: undermining the entire online security infrastructure.

Further, the cost to Australian businesses is huge. Without considering the cost of complying with security requests, the legislation makes Australian technology businesses uncompetitive internationally. Ironically, at the time of the passage of the legislation