New Australian Assistance and Access Bill allows easy snooping

Assistance and Access Bill

The new Australian Assistance and Access Bill undermines Internet Security, claims cybersecurity expert Marty P. Kamden, CMO and cybersecurity expert at NordVPN.

The new Australian Assistance and Access Bill (details here) is full of flaws and should be sent back for more discussion.

Australian citizens have just lost their online privacy. The Assistance and Access Bill, passed in October, gives the Australian government backdoor access to encrypted messages. 

 The government has given itself three surveillance powers –

  • The right to request assistance from any company to get private information
  • To demand information from any company
  • To build backdoor access into any technology without users’ consent.

 The United Nations Special Rapporteur on the right to privacy, Joe Cannataci, said

The Assistance and Access Bill is an unnecessary infringement of basic liberties” and should be discarded. He called for a new approach to address the challenges caused by encryption.

Its aims do not justify a lack of judicial oversight, or independent monitoring, or the extremely troubling lack of transparency.”

Commentators say the Assistance and Access Bill is defective

It is defective because major decisions depend on judicial oversight and agency heads to approve their employees’ actions. This can lead to human errors or biased judgements.

Greater confidence would be generated in domestic and international quarters if the legislation established an independent mechanism that verifies proper conduct and use of far-reaching power by decision makers, Cannataci wrote in his report.

 The tech community has criticised the bill, saying it will create an even greater danger to privacy and security.

Accessing encrypted communications takes away privacy and online security from all internet users and creates a dangerous situation. Hackers and cybercriminals can easily access unencrypted devices and communications putting your private data at risk. It’s not the first time we see Australia pass laws that limit online freedom, but this is the harshest we’ve ever seen. It could also set a precedent for other countries.

NordVPN, an encryption service provider, has seen the numbers of Australian users skyrocket after the bill passed. A VPN encrypts all Internet traffic between a user’s computer and a VPN server with a secure tunnel. VPN providers are may be much harder for the Australian government to control and to extract decrypted user information from as many of them, including NordVPN, do not keep any user logs.

Marty P. Kamden said

When Australia passed its mandatory data retention law,NordVPN saw a 300% increase in Australian users. We think Australians will turnto VPNs in even bigger numbers now toprotect their privacy.

Apple has also questioned the controversial surveillance bill

it argues the bill’s ‘dangerously ambiguous’ wording will create a risk of weakened cybersecurity.

In its submission to a joint committee on intelligence and security, Apple argued it was imperative that law included a firm mandate to prohibit the weakening of encryption or security protections.

Encryption is the single best tool we have to protect data and ultimately lives. Software innovations of the future will depend on the foundation of strong device security. To allow for those protections to be weakened in any way slows our pace of progress and puts everyone at risk.

Some suggest that exceptions can be made, and access to encrypted data could be created just for only those sworn to uphold the public good. That is a false premise. Encryption is simply math.

It would be wrong to weaken security for millions of law-abiding customers to investigate the very few who pose a threat.”

Digital Industry Group Inc (DIGI), a consortium which includes Amazon, Google, Facebook, Oath and Twitter, have concerns that the bill’s vague wording may lead to systemic weaknesses being built into products.

DIGI wrote that the technical assistance and technical capability notices might lead to vulnerabilities since a services provider can be required to provide assistance or build capabilities that impact the security of the service provider’s system, product or services in a non-systemic way.