Australia's parliament passed controversial legislation on Thursday that will allow the country's intelligence and law enforcement agencies to demand access to end-to-end encrypted digital communications. This means that Australian authorities will be able to compel tech companies like Facebook and Apple to build backdoors into their secure messaging platforms, including WhatsApp and iMessage. Cryptographers and privacy advocates—who have long been staunch opponents of encryption backdoors on public safety and human rights grounds—warn that the legislation poses serious risks, and will have real consequences that reverberate far beyond the land down under.

For months, the bill has faced criticism that it is overly broad, vaguely worded, and potentially dangerous. The tech industry, after all, is global, and a product is built once and shipped everywhere; if Australia compels a company to weaken its product security for law enforcement, that backdoor will exist in every copy, in every country, exposed to exploitation by criminals and governments far beyond Australia. Additionally, once a company has built an access tool for Australian law enforcement, other countries will inevitably demand the same capability.

"The Australian legislation is particularly broad and vague, and would serve as an extremely poor model." Greg Nojeim, CDT

The new law also allows officials to approach specific individuals—such as key employees within a company—with these demands, rather than the institution itself. In practice, they can force the engineer or IT administrator in charge of vetting and pushing out a product's updates to undermine its security. In some situations, the government could even compel the individual or a small group of people to carry this out in secret. Under the Australian law, companies that fail or refuse to comply with these orders will face fines up to about $7.3 million. Individuals who resist could face prison time.

Australian lawmakers nonetheless lauded the bill, saying it will enable crucial capabilities in organized crime and anti-terrorism investigations. Even the bill's opponents within parliament, who had initially called for significant amendments to the draft, eventually relented on Thursday.

“We will pass the legislation, inadequate as it is, so we can give our security agencies some of the tools they say they need,” Bill Shorten, the opposition Labor party leader, told reporters.

Global Impact

Though Australia will become the testing ground, technologists and privacy advocates warn that the law will swiftly impact global policy. All of Australia's intelligence allies—the United States, the United Kingdom, Canada, and New Zealand, known collectively as the Five Eyes—have spent decades lobbying for these mechanisms.

"The debate about simplifying lawful access to encrypted communication carries a considerable risk of regulations spilling to other countries," says Lukasz Olejnik, a security and privacy researcher and member of the W3C Technical Architecture Group. "Once the capabilities exist, there will be many parties interested in similar access. It would spread."

Just last week, US deputy attorney general Rod Rosenstein advocated what he called "responsible encryption" at a Washington, DC symposium. And the UK already passed the Investigatory Powers Act at the end of 2016—often called the Snoopers' Charter—which attempts to set up a framework for compelling companies to give investigators access to users' encrypted communications. So far, the UK law has been dogged by judicial challenges, and it doesn't allow government requests to be made of individuals, as Australia's will. But efforts to develop a legal framework for such surveillance requests continue to proliferate.

Privacy advocates note that the Five Eyes have increasingly used euphemisms like "responsible encryption," implying some sort of balance. For example, Australia's new law has a section called "Limitations," which says, "Designated communications provider must not be requested or required to implement or build a systemic weakness or systemic vulnerability."

"It’s just shocking to see this happen." Danny O'Brien, EFF

Which sounds promising in theory. But the definition reveals some doublespeak. "Systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person," the Australian law says. In other words, intentionally weakening every copy of a messaging platform with the same backdoor wouldn't fly, but a weakness introduced selectively into the technology a particular person uses—a tailored version of WhatsApp or iMessage delivered to one target, say—is allowed. The distinction rests on the scope of the weakness as written, not on the capability needed to create and deliver it, which is precisely what the law can compel a company or an individual engineer to build.