Georgetown Law
Technology Review

On December 6th, the Australian Parliament passed an encryption bill despite strong opposition from technology companies and human rights advocates alike. The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill allows law enforcement to more easily target “criminals and terrorists” using encryption technology.

The bill’s language creates and allows for the issuance of ‘technical assistance notices’ and ‘technical capability notices’ by law enforcement agencies, which require a “designated communications provider” to “do certain acts or things.” Opponents criticized the bill’s language and argue that its vagueness could lead to gross discretionary abuses of power. In practice, the bill will require communication companies, upon receiving one of these notices, to provide access to private, encrypted information on personal devices. In other words, the bill hypothesizes the building of individualized back doors.

The Australian Parliament has been quick to defend the bill’s provisions, stating that they prohibit the creation of systemic back doors for everyone using a service like WhatsApp or Apple’s iMessage. However, technology companies like Apple claim that the creation of these tools for one user “weaken[s] the protections for everyone.” These companies argue that the bill could allow hackers to gain access to and control of the encryption tools through the law enforcement agency’s network, making it easier to access encrypted communications on any device using those tools. After the bill’s original introduction, several technology companies and their advocates sent commentary and amendment proposals to Parliament. Many of these criticisms were not addressed in the final version of the bill, which was pushed through in just three months. A large portion of the Australian technology community doubted the bill would ever pass, and claim that it is already having a negative impact on business. Some have said that it will dissuade potential startups from putting down roots in the country.

The Assistance and Access Bill closely resembles the Investigatory Powers Act passed by the United Kingdom in 2016. Australia, the United Kingdom, the United States, Canada, and New Zealand are parties to an intelligence alliance named the Five Eyes. The Five Eyes issued a joint statement at the end of 2018 on access to encryption tools for law enforcement purposes. Despite giving lip service to the importance of encryption technologies for the advancement of human rights and the paramount importance of due process, the statement expressed a clear intent to compel technology companies to give law enforcement more access to private data. Questions about the potential of a similar law in the United States have been raised with increasing frequency since 2015, after Apple refused to unlock an iPhone owned by one of the gunmen in the San Bernardino shooting.

In the United States, many federal and state statutes protect data privacy from encroachment by private companies, but few address encroachment by government actors. One such federal provision, the Privacy Act of 1974, aims to curtail improper surveillance and investigation of citizens. However, the Privacy Act makes an explicit exception for law enforcement activities. The Federal Trade Commission Act has regularly been used for the enforcement of data privacy standards against technology companies. Despite the broad range of US data privacy laws used to protect consumers’ data privacy against companies, none of these laws explicitly provide statutory protections for technology companies or consumers against compulsory de-encryption.

In a 2015 report, the United Nations called encryption a tool “essential” in the protection of free speech. The report is a targeted response to governments adopting laws similar to Australia’s Assistance and Access Bill. Should the United States consider similar legislation, it may run afoul of the First Amendment. However, the applicability of free speech protections to the encryption of personal data by private companies has not yet been determined.