Australia’s vague anti-encryption law sets a dangerous new precedent


On Thursday, the Australian government and its Labor partners rammed a shockingly invasive anti-encryption law through Parliament, over the objections of experts, businesses, and civil rights groups.

The Assistance and Access (A&A) law requires tech companies to help law enforcement agencies break into individuals’ encrypted data. Using secret warrants, the government can even compel a company to serve malware remotely to the target’s device.

The goal of the law is to give police more latitude to investigate criminals using encrypted communications software. But Assistance and Access goes far beyond that. It endangers the security of everyone who uses online services, it weakens civil rights like privacy and due process, and it places an unprecedented burden on tech companies to attack the very users they set out to serve.

There is nothing new about a government seeking to break encryption. From the British Investigatory Powers law to the NSA’s possible decryption programs, law enforcement agencies around the world are working hard to gain an edge over information security technology. But Australia’s new law goes much further, deputizing tech businesses as accomplices in a surveillance scheme so loosely conceived that no one really knows its limits. “The definition of ‘acts or things’ in the Bill is so vague as to potentially permit almost limitless forms of assistance,” the Australian Human Rights Commission wrote to Parliament.

Does the Assistance and Access (A&A) law impact ProtonMail?

Fortunately, there is virtually no way to enforce this law outside of Australia because it has no foreign equivalent. ProtonMail, a Swiss company with datacenters only in Switzerland, is not under Australian jurisdiction. Any request for assistance from Australian agencies under the A&A law would need to pass the scrutiny of Switzerland’s criminal procedure and data protection laws. Tech companies with a corporate presence in Australia, however, are more likely to be impacted.

But just because this particular law does not affect ProtonMail and ProtonVPN does not mean we are indifferent. A&A is one of the most significant attacks on digital security and privacy since the NSA’s PRISM program. But the Australian measure is more brazen, hastily forced through Parliament over the loud objections of every sector of society, from businesses to lawyers’ groups. We thoroughly condemn the new law, and as the world’s largest encrypted email provider, we remain committed to protecting our users anywhere in the world, including in Australia.

What’s wrong with the Assistance and Access law?

The Australian government had been an outspoken advocate for encryption backdoors, requiring tech companies to build systematic weaknesses in their encryption to allow law enforcement in. Privacy advocates successfully argued that there is no such thing as a backdoor that only lets the good guys in. So the government went back to the drawing board. The result is the Assistance and Access law.

From the center-left to the far-right, Australian lawmakers voted Thursday to break encryption once and for all. While the law does not technically require a backdoor, it would require companies to help police build software capable of decrypting a targeted user’s data (i.e. with targeted malware).

But the law is extremely confusing and vague, so it is difficult to know how it will be interpreted in practice. The Australian Computer Society, a trade association for IT professionals, outlined several problems in their letter to Parliament. To paraphrase a few:

  • Not every company has the technical know-how to safely implement malware that won’t accidentally backdoor the entire product (particularly with IoT devices), putting the security of people’s homes and organizations at risk.
  • Businesses can’t easily plan or budget for possible covert surveillance work with the government.
  • A companion “explanatory document” outlines some safeguards to protect civil rights and privacy that don’t actually appear in the law itself.
  • Once police have gained access to a suspect’s device, they could easily remove evidence from the device that could prove the person’s innocence. There would be no way to know.

These are just a few of the issues, and that’s barely scratching the surface.

The Assistance and Access law makes us less safe

A&A forbids the implementation of “systemic weaknesses,” but the law does not adequately define the term. Without a better definition, police could deploy tactics that result in unintended consequences. In our view, this is one of the most dangerous aspects of the law.

To illustrate this danger, the Australian Human Rights Commission described a potential scenario in which police order Facebook to send a push notification to a single user asking that person to install a software update. This in itself would not constitute a systemic weakness, but if large numbers of Facebook users stop downloading software updates (including security updates) because they’re afraid of government spyware, then that could create systemic weaknesses.

Even though A&A is confined to Australian jurisdiction, it sets a precedent with far-reaching dangers to cybersecurity. Online privacy and security are often predicated on trust in the service provider. Australian Parliament has single-handedly undermined global confidence in any software maker with an Australian presence, including Facebook (by extension WhatsApp and Instagram), Google, and Apple.

The law’s easy passage may also encourage other governments to create their own versions. But because Australia is a member of the Five Eyes intelligence-sharing arrangement, some foreign intelligence agencies may not even have to wait to reap the benefits. The governments of the US, UK, Canada, and New Zealand can gain access to whatever information Australian spies collect using their new A&A powers.

Protecting encryption in the wake of Assistance and Access

We are not opposed to law enforcement, and we respect the important role that law enforcement has to play in ensuring security both online and offline. Similarly, many law enforcement officials also understand the importance of technologies like end-to-end encryption, and many even use ProtonMail themselves. As we have previously noted, the widespread use of encryption can actually further governments’ national security goals. It is critical that we strike the right balance. In our opinion, the A&A law does not do this, and in the long run, will make us all less safe.

The solution is education. The way we protect privacy rights is by helping citizens and lawmakers understand that data security and crime prevention are not opposing ideas. Simply put, encryption prevents far more crimes than it enables. But more importantly, privacy is a pillar of democracy, and encryption is how we ensure our democracy survives. The fact that it also makes our online data safer in the process is an added bonus.

For these reasons, we remain committed to our mission to expand access to privacy and security online. You can support these efforts simply by switching to a ProtonMail secure email account and educating those around you about why privacy and security matter.

Best Regards,
The ProtonMail Team



About the Author

Ben Wolford

Ben Wolford is a writer at Proton. A journalist for many years, Ben joined Proton to help lead the fight for data privacy.



11 comments on “Australia’s vague anti-encryption law sets a dangerous new precedent”

  • A&A is another example of authority of all kinds living in the “we know best” bubble and refusing to recognize the validity of views which do not support their own personal interests. This salami approach to slicing ever more privacy from the public reminds me of the famous Benjamin Franklin quote “People willing to trade their freedom for temporary security deserve neither and will lose both”.
    Please let us know in advance if Protonmail is going to be compromised.

    • ProtonMail will never be compromised. We will never build a backdoor into our systems. Moreover, ProtonMail is a Swiss company governed by Swiss law. Australia’s law cannot force us to comply with encryption-weakening techniques. We will do our best to continue offering our service to Australian users.

  • I live in Australia and know that the average Australian will not accept a Government that gives us the same rights as Communist China. We have an election in 6 months and will have a change of Government.

  • Sorry…but I only just learnt of “Assistance and Access Bill 2018” yesterday 31/05/2019. Yes, it’s F……ING enraging.
    Been living in car, in Australia, since Sept 2014, and naturally, I don’t give a toss for watching the attention-seeking TV, newspaper, radio, politicians, or police’s habitual lies.

    I understand ‘humanities’: to be what is gained from cut snakes cowardly conducts, loving itself behind the lens and talking with dramatic ideals.
    When it comes to politics/law/polices employing themselves all the more from removing human rights, especially in sudden irrational removals of rights at political 11th hour, is obviously stat-dependent on police also creating consequential/left-over crimes.

    It’s not funny how America gained sympathies for greater “anti-terrorist” controls; now being all Governments conduct round the world, occurred after America’s greed brought “9/11” upon themselves. Now, when any of the world’s Governments go looking for terrorists, they (the Governments) effectively become the terrorist.

    Media’s sickeningly polite inquiry of Australian Gov/police vague intentions of bypassing tech-achieved encryption is criminally unimaginative towards established human rights (if they exist) and the need of tech-safety from police-corruption creating crime. You don’t need to be a serious criminal, terrorist, drug cartel, or child molester to be molested by polices stat-quota curiously applying hubris.

    There is also a point to making, and or bothering to read books like “National insecurity” : the Howard government’s betrayal of Australia / Linda Weiss, Elizabeth Thurbon, and John Mathews, to learn that when politicians sprout unreasonable “security-concerns”; they are without fail, determined to treacherously molest unarmed public futures.

    Statistics intrigue: created from media arranged ‘controversial’ terminologies on politicians behalves, somehow isn’t tangibly connected to public’s suffering from either side of politics?

    Remember: these inexhaustible “security-concerns” come from Australian politics eagerly mimicking America’s same media manipulations. Media is the incremental criminal all along.

  • A further development to this issue in Australia. MP Peter Dutton again made reference to encrypted messaging this week after a foiled jihad attack. I think the government is looking for excuses to enact on banning Protonmail and Signal.

  • I really like your article. It’s evident that you have a lot of knowledge on this topic. Your points are well made and relatable. Thanks for writing engaging and interesting material.