Data privacy under Australia’s Assistance and Access Bill 2018
Australia’s Assistance and Access Bill 2018 gives authorities the right to demand access to encrypted forms of communication and fine companies which refuse to cooperate. But at a time when everyone is concerned with safeguarding data privacy, the AA Bill has proven highly controversial. Security specialist Sam Bocetta explains.
Data privacy advocates concerned by Australian legislation
News of a data breach from a major website or Internet service has become an almost everyday occurrence. People have come to realise that the information they store online is never safe from an ever-growing number of data privacy and cybersecurity threats.
Governments everywhere have taken action in response to these growing threats.
In 2013, Edward Snowden worked with journalists to reveal how a number of surveillance programs were giving the U.S. government secret access to online data. Snowden was charged with theft of government property and violation of the Espionage Act of 1917.
More recently, Australia passed into law the Assistance and Access (AA) Bill 2018, which punishes with imprisonment anyone who leaks information pertaining to government-collected data.
Moreover, the bill allows government agencies to demand access to encrypted customer communications from major tech companies no matter where they are located in the world. The Australian government can issue notices to non-Australian entities requiring they enforce domestic laws and assist with the enforcement of Australian criminal laws.
Although specific details of just how criminal laws will be enforced in other countries are vague (more about the bill's limitations at the end of this article), in theory all international requests for data will be funnelled through Australia, the "weakest link" of the Five Eyes allies, the anglophone intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States. Australia is considered the weakest link because its federal data privacy protection laws are quite limited.
What is the AA Bill?
This bill has (predictably) created an uproar in online communities, especially among web developers and online business owners. The impact is expected to be long-lasting and to spread across the globe.
At its root, Australia’s Assistance and Access Bill 2018 (AA Bill) is intended to aid with investigations and matters of national security. The law allows for government agencies to demand that specific companies who operate within the country provide special access to backend data, even if that information is supposed to be encrypted.
These companies could include telecommunication companies, Internet service providers, email providers, and social media platforms like Facebook.
Let's take Facebook Messenger as an example since the application is available in Australia and, therefore, affected by the AA Bill. Facebook says that the database that stores message information is fully encrypted so that company employees cannot spy on individual users.
But under the AA Bill, the Australian government can force Facebook to create a backdoor workaround to the encryption method so that agencies can access data to help with an active investigation. If an access point does not exist, Facebook will be required to create one within a specified period of time. If a company does not comply with a request issued under the AA Bill, then the organisation's leaders will be liable to pay fines or potentially even face jail time.
Potential conflict with EU's GDPR
The immediate impact of the AA Bill will be felt by software developers and web designers who market to the Australian user base and may be required to build vulnerabilities into their code for the sake of government rules. Under the law, domestic organisations are required to assist Australian law enforcement and security agencies with accessing information.
But so are foreign entities, which is why European residents should be just as alarmed.
The AA Bill creates a direct theoretical conflict with the General Data Protection Regulation (GDPR) that was instituted by the European Union in 2018. GDPR requires that websites and applications inform all users about how their personal information is stored and shared with third parties. This regulation applies to any company that offers a service to European users.
Again, to use Facebook Messenger as an example, Facebook is required by GDPR to indicate whether user data is protected by encryption and in what circumstances it could be shared externally. But with the AA Bill in play, the company may be forced to open new access channels and, therefore, break their GDPR compliance.
Safeguarding data privacy under the AA bill
No matter where you are geographically located, there are some immediate steps you can take to improve the overall security of your computers, mobile devices, and private digital data. Obviously anything that you put online is vulnerable to a breach or hack, but encryption can help to limit the damage.
When you open a browser and load a website, the request starts at your internet service provider (ISP) before routing out to the open internet. Under the AA Bill, the Australian government can instruct companies to intercept traffic at the ISP level or at the receiving server end.
To combat this, consider a virtual private network (VPN). This type of service uses strong cryptography to protect personal data online and can easily be set up on computers and mobile devices. It works like a secure tunnel between your device and the VPN provider's server, changing how your web traffic is routed.
Once connected to a VPN client, your data is immediately encrypted using an algorithm that only the VPN provider can decode, shielding your online privacy from criminals and spies. The request then passes through the ISP as unreadable ciphertext, is decrypted at the VPN server, and is forwarded to its intended destination. Anyone sitting in between, including the ISP, can still see that traffic is flowing but will not be able to read the information you are sending.
Because the VPN server is the point where your traffic is decrypted, the security of a VPN client is completely dependent on the provider offering the encryption services. You will find many VPN solutions online that claim to offer a free service, but these often offer poor performance or include known vulnerabilities. Make sure you select a VPN provider with a good reputation, one that does not store access logs or share them with third parties.
Fallout of AA Bill yet to be seen
The saving grace for Internet users may be the limitations put on the AA Bill, specifically the one allowing companies to reject requests for information if fulfilling them would jeopardise the overall security of the related systems. So if a company like Facebook can prove that a backdoor access route to its encrypted databases would introduce a dangerous vulnerability for all users, then that might be its legal standing to refuse the request.
Nevertheless, many are concerned that countries across the globe will look at the AA Bill and see an opportunity to increase the scope of their surveillance programmes, even at the expense of individual privacy.
Watch this space for further developments. And be sure to get in touch with EuroDNS's Customer Support department if you have questions concerning your account's privacy.
Sam Bocetta is a freelance journalist specialising in U.S. diplomacy and national security, with emphasis on technology trends in cyber warfare, cyber defence, and cryptography.