Australia's encryption bill reveals challenges of regulating borderless technologies

7 December 2018 10:07am

4 December 2018. By James Panichi and Laurel Henning.

Australians pride themselves on their directness, which is why a senior politician’s recent tirade against US technology giants, Facebook, Google and Cisco Systems over their opposition to a proposed encryption law didn’t raise many eyebrows. Home Affairs Minister Peter Dutton calls it how he sees it.

In a thinly veiled shout-out to Facebook’s Cambridge Analytica woes, Dutton described Silicon Valley companies as brazen misusers of personal data who ignored their social responsibilities. If they're not on-selling your personal details, the tech giants are dodging Australian taxes, he said.

The warning shots against big technology companies were part of the government’s domestic political narrative, which paints a picture of hamstrung law-enforcement and intelligence-gathering agencies being outfoxed by criminals using encrypted messaging systems to communicate.

Yet the government’s domestic focus appears to sidestep the international dimensions of the proposed legislation — referred to in submissions as the “extraterritorial” aspect of the laws. If you weaken encryption in Australia, the Americans say, you weaken it all over the world. This is a global issue.

Not that you’d know this by following the political debate in Australia. The argument here has centered on the conditions under which tech companies would be compelled to grant law-enforcement agencies access to encrypted messages, with the international implications of the bill often overlooked.

Should a judge or an independent arbitrator be required to oversee all aspects of the process? Does the wording of the proposed legislation allow for the creation of “back doors” into software — a permanent point of entry allowing police to read encrypted messages? What government bodies will have the power of review?

Yet a careful review of submissions being considered by the parliament’s Joint Committee on Intelligence and Security points to a clear consensus that if the proposed law is enacted, it will face immediate challenges in foreign jurisdictions — challenges that could make the law unworkable.

Foreign liabilities

Apple’s submission welcomed the fact that the wording of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill would allow for companies to claim the contravention of foreign jurisdictions’ laws as a defense in any civil lawsuit brought against them.

On paper, this means that demands made by Australian law-enforcement agencies for encrypted messages could be rejected if they involve breaking laws in other parts of the world. For example, if data are stored in Europe, EU privacy legislation may prevent the release of the communications.

But this is just the start of Apple’s concerns. The company says that while it may be legally protected in Australia, Australian legislation doesn’t — and can’t — offer legal protection against criminal and civil liability abroad.

“Forcing business with operations outside Australia to comply with [demands] that violate the laws of other countries in which they operate will just incentivize criminals to use service providers that never assist Australian authorities or ones that operate underground in jurisdictions unfriendly to Australian interests,” Apple’s submission argues. 

The joint submission by Amazon, Facebook and Google goes even further, warning Australian lawmakers that the approval of the proposed encryption rules could see other jurisdictions imposing retaliatory measures.

“[The bill] potentially places service providers in an impossible situation and also potentially jeopardizes Australian national security if other governments introduce similar provisions,” the companies argue, through the submission of the Digital Industry Group.

Decryption arms race

Cisco Systems, a California-based manufacturer of networking hardware and telecommunications equipment, says that the bill’s language is so broad that it could fuel “the cross-border application of statutes in a way that creates untenable conflicts of laws for multinational companies.”

As a worse-case scenario, Cisco suggests the Australian law could spark a global decryption arms race, with what it calls “less liberal regimes” leading the way, in order to be able to spy, unhindered, on their own citizens.

The unusual twist to this claim is that when Dutton excoriated US technology companies in his recent speech, one of the accusations leveled against them was their readiness to cozy up to dictators. Cisco’s argument is that Canberra’s proposed legislation would itself be a boon to repressive regimes.

The United Nations’ top privacy official, Joseph Cannataci, used extraterritorial concerns to venture even further into a dystopian future, in which Australia could be expected to pass on information obtained through its encryption laws through international intelligence-sharing agreements.

In a heated exchange with legislators, the UN’s special rapporteur on the right to privacy said it would be important to establish “that Australia is not becoming the launderer of international requests for data, particularly as Australia has no enforceable human-rights protections at a federal level.”

As was the case for the technology companies, the UN’s take on the bill is that Canberra hasn’t thought through its international implications. The argument is that the weakening of encryption will not be bound by geography. Australia is setting a new global standard.

CCPA Report