Advocating for Privacy in Australia
Learn about the new Access and Assistance Bill (AABill) in Australia including what it means for services using encryption, our criticisms of the law as written, and why our service is not affected.
For over twenty years, the Telecommunications (Interception and Access) Act has governed how Australian law enforcement can request data from Australian service providers like ourselves. It allows law enforcement to get a warrant for subscriber information and stored communications, while providing safeguards for user privacy.
Australia’s parliament recently passed the Access and Assistance Bill (AABill), which focuses on services built with end-to-end encryption. This new bill allows law enforcement to compel companies to modify their services and intercept data from their customers in its unencrypted form.
How Fastmail uses encryption
While we securely encrypt all your data, we have the keys to decrypt that data in order to let you search your email, use standard internet protocols, and recover access to your data if you lose your password (which happens more often than you might think!). Server-side processing of data is essential to the services we offer.
Of course, should our users choose to end-to-end encrypt their mail via PGP, we have no way to access that content, even under the AABill. Our blog explains why we have never offered PGP ourselves, and describes third-party PGP tools you can use with Fastmail if you wish to manage your own encryption.
The AABill doesn’t change your privacy or data security with Fastmail
Fastmail won’t be making changes to our technology or policies in response to this bill. Law enforcement has always been able to request information from us through the Telecommunications Act with a lawful warrant. Because we have the ability to decrypt all data, there is no need to make changes that circumvent encryption.
Every warrant we receive is reviewed by senior staff for legitimacy and scope before data is provided. Each account whose data is requested must be individually identified. Responding for one user does not require us to expose or share the data of our other customers.
If you’d like more information on what is actually in the AABill, this article has a clear breakdown.
Our criticisms of the AABill
The AABill has raised concerns from technology companies and privacy supporters around the world, and deservedly so. While Fastmail is not directly affected, we don’t support this legislation because it carries serious implications for the Australian tech industry. We are working with industry groups and digital privacy organisations to campaign for changes.
Encryption is a tool that provides many positive protections: most websites on the internet are now encrypted so that onlookers can’t see what you’re viewing. Nobody would shop on the internet without the protection of encryption guarding their bank information!
This bill has the capacity to weaken encryption. Compromising security can have unintended consequences, and most industry pushback focuses on the prospect of embedding backdoors to give law enforcement access to information that they otherwise could not read. Technologists know it’s hard to control access to backdoors, and worry about them being weaponised by bad actors.
Both the bill itself and the controversy around the process by which it passed have damaged the reputation of Australia in the international marketplace. The AABill was passed in spite of an overwhelming number of submissions pointing out flaws. Many now view Australian service providers, companies, and contractors with suspicion.
There are also concerns that individual employees may be forced to build a backdoor, without being able to alert their employer. While frightening for anyone working in technology, we believe this fear is largely unfounded. Most organisations have practices (pair programming, code reviews, risk evaluations) that would reveal such behaviour quickly.
Actions we are taking
Bad actors exist, and law enforcement needs tools to stop them. As the AABill stands, we believe the risk it adds to the general public’s privacy and security is too high for the access it grants. Besides our general issue advocacy, we’re taking a number of specific actions:
- We submitted our opposition to the bill during the parliamentary enquiry back in September.
- We are composing an updated statement to submit to the PJCIS (Parliamentary Joint Committee on Intelligence and Security) who are on their third round of inquiries.
- We have been contacting our members of parliament and senators since the last vote, to help them understand the technology they’re policing and the ways in which this bill is negatively impacting our industry and our customers.
- We are working with industry bodies like Electronic Frontiers of Australia (EFA) and Digital Rights Watch, and other Australian tech firms to put forward a united call for sensible amendments to the law.
How you can help
Social media is great for raising awareness but insufficient to create change in legislation. We encourage you to reach out directly if this issue matters to you.
- Australians: Contact your MP, on behalf of yourself or your company (if you have the authority to do so). The EFA has a step-by-step guide on how to find out who your representative is, and the best way to get a result.
- Educate your friends, colleagues and family, and ask them to also talk to their MPs.
- Australians and others: Submit a letter to the PJCIS by the end of March 2019. The inquiry is there to record concerns from anyone affected by the bill. Don’t hold off submitting because you think someone else will do it, or because you’re not sure what to say. Every entry helps our lawmakers see the breadth and depth of the impact of the new law.
If you’re not an Australian, be aware that the appetite for this type of law is not limited to Australia. Stay informed and engaged with this topic in your part of the world.
Public awareness of online privacy and security is increasing. We at Fastmail believe we have a responsibility to be proactive about educating and advocating for good privacy principles and practices. Digital privacy is no longer the sole domain of the deeply technical user, but a fundamental right and responsibility of every individual online.
Update (January 2021)
Upon legal advice, we have moved our process for handling data requests away from the Telecommunications Act and across to the Crimes Act and similar legal instruments. The content of this post has been left for historical reference, and the intent still stands: we remain unaffected by the AABill/TOLA, as law enforcement agencies can already request information from us through other appropriate, legal ways.