Brand new laws to let police into WhatsApp, Wickr, iMessage and other encrypted communications will potentially impact everyone who uses those services, according to experts.



At around 7.30pm on Thursday night, the Senate passed the government's new laws targeting encrypted communications, after a marathon day of debate in the Senate and after Labor dropped attempts to further amend the bill.

Under the legislation, state police, the Australian Federal Police (AFP) and the Australian Security Intelligence Organisation (ASIO) can now force tech companies like Apple, Google, Facebook, Wickr, and Signal to assist and develop means to get into the encrypted communications of people being investigated for criminal acts.

Law enforcement need a warrant signed off by a judge in the first place, and the new powers can only be used when investigating crimes that carry a maximum jail sentence of three years or more.

During the debate in parliament on Thursday, Labor MP Tim Watts claimed that people who weren't the target of the legislation had nothing to worry about.

"If you are not a subject of law enforcement inquiries, you are not going to have to worry about being a target of this bill," he said. "If you are not a security threat, as identified by ASIO, you are not going to have to be worried about being a target of the bill."

But the legislation has a wider impact on the broader community if a way into encrypted communications on one person's device, like an iPhone, would also weaken someone else's iPhone should the same software somehow be leaked and installed on their device.

The legislation specifies that tech companies can only be required to act in a necessary and proportionate way, that "electronic protection" (i.e. encryption) cannot be weakened as part of the process (such as by creating a backdoor or a key into those encrypted communications), and that the method used to get into a suspected criminal's encrypted chats can't create a "systemic weakness" for everyone else.

The problem with the original draft of the legislation was that the government hadn't defined what a "systemic weakness" actually was.

The Victorian information commissioner Sven Bluemmel told the parliamentary committee overseeing the legislation that this was a big risk: a "one off" weakness created for one person could be used against everyone.



In response, the Department of Home Affairs said that a weakness created for one phone or device that could potentially work on others wasn't a "systemic weakness" because it wasn't going to be used on other people.

"Custom firmware built to address one notice or request is not a systemic weakness unless it is deployed to users other than the targeted user," the department said.

"So long as the capability is held in reserve, it does not jeopardise the security of other users and is not a systemic weakness."

In one of the 173 amendments put up by the government in response to the joint Coalition and Labor committee's recommendations on Thursday, the government defined "systemic weakness" as something that would affect a "whole class of technology".

This, according to Vanessa Teague, a cybersecurity associate professor at the University of Melbourne, actually made it worse.

"They've made it as restrictive as it possibly can be. They've defined away the collateral damage," she told BuzzFeed News.

"If anything the amended version of the bill is even worse. The comfort all along, to the extent that there was any, was that they weren't allowed to introduce a systemic weakness."

She said that law enforcement can be "as destructively invasive as they like" so long as they argue that not absolutely every single user who has that device would be affected by it.

What this could mean, in practice, is that law enforcement could ask Google to create a weakness in a specific version of the Android operating system for a specific phone, and because that doesn't affect every single version of Android in the world, it is not considered a "systemic weakness".

Or if someone is running an older version of the WhatsApp app on their phone, and law enforcement want to get into that, it would be fine because it wouldn't affect every single WhatsApp user.

One of Labor's amendments in the Senate, which the party ultimately dropped in order to allow the legislation to pass before Christmas, removed the narrow definition and replaced it with a definition of any method that would "render systemic methods of authentication or encryption less effective".

While encryption was the main game in the legislation, it was a package made up of several other new powers for law enforcement. The bill also expands ASIO's powers to issue warrants to get into computers, which can include adding, modifying and deleting files remotely on someone's computer as part of their investigation.



Under another new power, if you refuse to unlock your phone for police you could potentially now face up to 10 years in jail, up from a maximum of two years now.

The government has agreed with Labor to consider the dropped amendments early next year. As part of the agreed amendments, the committee review of the legislation will continue in 2019, and there will be an independent review after 18 months of the law being in operation.