Global Privacy Landscape
The past few years have seen a dramatic increase in public awareness of how their data is being used (or misused) by companies they had entrusted to protect their interests. This has been informed by changes in regulations, pushing in two opposed directions:
- Better consumer privacy awareness and controls, including mandatory breach reporting, such as the EU GDPR laws and Australian Privacy Act.
- Ensuring that law enforcement and state controlled interests can still gain access to data, where required.
Protecting the rights of consumers to know who can see and use their information, and that they have the right to access and delete their information, is something we have always believed in: we're pleased to see this enshrined in law in the EU. We hope these protections will extend in time across the world.
We are an Australian company, and we are a happily law-abiding business. We don’t want our service to be a safe haven for people conducting illegal activities.
Access and Assistance Bill
There's a new draft piece of legislation under discussion in Australia, the (weighty 176 page) Telecommunications and Other Legislation Amendment (Assistance and Access) Bill. This is an attempt by the Australian government to ensure that, when guided by proper due process, law enforcement and government can ask (or compel) service providers such as ourselves to give them access to data we hold on behalf of our customers.
It seems clearcut on the surface: we'd all like murderers and child pornographers brought to justice.
But there are risks which the Bill, as it stands, does not seem to understand, or address.
Some platforms provide end to end encryption. Where the service provider does not hold a master key, there is no way to compel them to give access to the data, short of compromising a user's device or the encryption itself, which only gives rise to increased risk that malicious attackers could also gain access through the hole made for law enforcement.
Under GDPR, Australia is not recognised as having inherently good enough consumer protection enshrined in law, forcing companies to apply their own additional measures in contracts in order to maintain their footing. This Bill only weakens our international standing.
Any request to gain access to customer data must be "reasonable, proportionate, practicable and feasible", but the Bill doesn't elaborate on what this means, and how an organisation can go about denying a request that it feels does not meet this criteria.
Where we stand
The Australian Telecommunications Act already has provision in it that covers legal access, why is there a new law being proposed? The new bill widens the scope for legal access requests to more than just Telecommunications Providers, and it has provisions in it for a service provider to be compensated for the time and effort required to develop the access required if it doesn't already have the capability.
Our role under the current Telecommunications Act won't change with the introduction of potential Access and Assistance Bill. Where requests for access are issued legally, we comply. Where requests are not legal (they are issued by foreign governments/organizations, or are unaccompanied by warrants), we do not.
We are using our membership with Electronic Frontiers Australia (EFA) to work with them and other industry organizations to coordinate a response to the draft legislation that considers not just the feasibility of the bill but also the potential commercial impact as we feel it has the potential to undermine the ability of other businesses in Australia.
We have put forward a submission to the Department of Home Affairs to point out the impact this bill will have on innovation in Australia. We are concerned it:
- could further damage the reputation of Australia in the global marketplace as a country that does not sufficiently protect the electronic rights of its citizens;
- may require additional compliance of businesses, potentially driving emerging innovations overseas;
- does not understand the impact of developing, testing and safeguarding any additional work required in order to provide secure access capabilities.
What it means for our customers
We don't see this bill having any additional consequences for our customers.
While obviously having an immediate focus on Australian citizens, this bill still potentially affects all our customers, no matter their nationality. While requests for access must come through Australian channels, it's possible for foreign organizations and governments to obtain Australian warrants through mutual assistance treaties, Interpol and similar international efforts. This has always been the case even under the existing Telecommunications Act.
We will continue to uphold our responsibility to protect our customers from illegal or disproportionate access requests. For instance, we will not hand over our entire database if the request is for data on a single account. We have always done this and will push back on requests that are not appropriate, or would put our other customers at risk.
EFA: Home Affairs Wants to Know - What Do You Think of its ASS Access? Electronic Frontiers Australia has a blog post on the subject, including information on how you can register your concerns with the Department of Home Affairs.
State of IT: Assistance and Access Bill Analysis A great in-depth look at the pitfalls present in the bill.