One definition in the draft exposure of a designated communications provider is if a "person provides an electronic service that has one or more end-users in Australia".

The draft bill explicitly states a service includes a "website", but it does exclude broadcasting and datacasting services. This could provide an avenue for agencies to look at data and communications collected and stored on companies' internal networks and customer apps.

"The persons who are potentially subject to the government requiring them to provide assistance or capability is not limited to communication and tech companies," Mr Brookes told The Australian Financial Review.

"The scope will include access to any person providing material over the internet. They could include banks, media companies, insurers, most small and large businesses and universities.

Malcolm Turnbull, Home Affairs Minister Peter Dutton, Defence Minister Marise Payne, Angus Taylor and National Cyber Security co-ordinator Alastair MacGibbon. Alex Ellinghausen / Fairfax Media

"The government has been faced with rapidly advancing technology, which has resulted in a game of whack-a-mole for the agencies to try to catch offending users."

New laws stretch to 'any entity'

Australian Strategic Policy Institute International Cyber Policy Centre head Fergus Hanson agreed the draft legislation had implications for the majority of businesses.


"They're [the government] going to get push-back on that for sure. They will probably need to tighten it up," he said.

"They are trying to future-proof it by making it broad to capture future technologies."

Law Enforcement and Cyber Security Minister Angus Taylor's office confirmed the laws would apply to "any entity operating a website".

"The scope of the laws is deliberately broad to adequately reflect the range of entities that contribute to the supply of communications in Australia," a spokeswoman said.

"Securing assistance at different points in the communications supply chain, and from different providers in this chain, assists agencies to access evidence of criminal conduct without fundamentally impacting the security of communications."

End-to-end encryption

The spokeswoman said important limitations would apply to the assistance demanded of companies and individuals.

They can be asked to give assistance for "eligible activities" only, which would not include core activities that fell outside that scope, such as provision of legal services for a law firm.


Eligible activities are limited to: removing electronic protection; providing technical information; installing, maintaining, testing and using software or equipment; assisting access to facilities, equipment and software; and notifying agencies of changes to electronic services.

"In all circumstances, requests must be reasonable, proportionate, practical and technically feasible and relevant to the functions of the requesting agency," the spokeswoman said.

"The government will consider all submissions received within the public consultation period."

Under the laws, security agencies and police can request that companies be compelled to or voluntarily provide technical assistance to access communications or devices, including building a capability or secretly installing software.

However, they cannot be forced to break end-to-end encryption used by some apps that allow only the sender and receiver to read messages.