A new law in Australia could compel tech companies to create tools that would circumvent the encryption built into their products — one of the most assertive efforts by lawmakers to rein in tech companies, and one with global implications.

Share story

SYDNEY — A new law in Australia gives law enforcement authorities the power to compel tech-industry giants like Apple to create tools that would circumvent the encryption built into their products.

The law, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, applies only to tech products used or sold in Australia. But its impact could be global: If Apple were to build a so-called back door for iPhones sold in Australia, the authorities in other countries, including the United States, could force the company to use that same tool to assist their investigations.

The Australian law went into effect last month. It is one of the most assertive efforts by lawmakers to rein in tech companies, which have argued for decades that unbreakable encryption is an imperative part of protecting the private communications of their customers.

In recent years, law enforcement officials have complained that tough encryption has made it impossible for them to gain access to the online discussions of crime suspects, particularly in time-sensitive terror investigations.

The tension between tech and law enforcement came to a head about four years ago when Apple resisted a federal request to help investigators gain access to a locked iPhone that had belonged to a man who took part in a shooting that killed 14 people in San Bernardino, California.

The FBI eventually found a way around the iPhone’s security without Apple’s help. But if Apple had already created a workaround — a back door, in industry terms — to sell phones in Australia, the U.S. authorities could have simply ordered Apple to use the tool.

“This may be an encryption back door for the U.S.,” said Sharon Bradford Franklin, director of surveillance and cybersecurity policy for the New America think tank’s Open Technology Institute. “A back door to an encryption back door.”

The Australian law has limited oversight mechanisms. A notice sent to a company must be “reasonable and proportionate,” and the authorities must have a warrant to gain access to a phone or service. But the agency issuing the notice decides what is reasonable.

There is an appeals process if a company is asked to build a new interception capability. A firm can ask an independent assessment panel consisting of a technical expert and a former judicial officer to review the notice.

The law says Australian authorities cannot ask a company to build universal decryption capabilities or introduce systemwide weaknesses. But security experts and tech companies like Apple said that did not reflect what they would have to do to comply with an order. It is impossible, for example, to create a workaround for one iPhone’s encryption without potentially introducing something that could work for all of them, they said.

“All of Australian technology is tarnished by it,” said Mike Cannon-Brookes, one of the founders of Atlassian, a business software company that is among Australia’s biggest tech companies.

Australia is a member of the so-called Five Eyes intelligence alliance, and it is not the only country in the alliance with a law like this. Britain passed the Investigatory Powers Act in 2016. For British law enforcement to gain access to data, it must first ask a judicial approver.

“We’re not the first,” said Michelle Price, chief executive of the nonprofit Australian Cyber Security Growth Network. “But Australia’s version has gone much further.”

Apple officials called the law “dangerously ambiguous” and “alarming.”

“Encryption is simply math,” Apple wrote in a statement submitted to the Australian Parliament’s Joint Committee on Intelligence and Security on Oct. 12. “Any process that weakens the mathematical models that protect user data for anyone will by extension weaken the protections for everyone.”

But politicians said the risk of encryption technology’s being used by terrorists was too significant. Prime Minister Malcolm Turnbull of Australia said in July, “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”

Technology companies in the United States have argued that they cannot be compelled to create tools for breaking the encryption in their products because computer code is a kind of free speech protected under the First Amendment. But building tools to satisfy the Australian authorities would essentially make that argument moot. Countries around the world could demand access to the tool.

Apple is hardly the only tech company that could feel the impact of the Australian law. Anyone with a website is considered a communications provider, subject to the law. Any company that “provides an electronic service that has one or more end-users in Australia” is required to comply.

A long list of companies meets that description, such as smartphone makers and Facebook and its WhatsApp messaging service.

“Once WhatsApp, for example, builds a system at the behest of the Australians, everyone gets to use it,” said Nate Cardozo, the senior information security counsel on the Electronic Frontier Foundation’s legal team, who has studied the new law.

The law allows government agencies like the Australian Secret Intelligence Service or the Australian Federal Police to compel tech companies to install software on a user’s device to get around encryption. It can also compel the company not to alert the user.

“So if WhatsApp gets one of these notices and does not comply, they’re subject to asset seizure and even hypothetically having executives hauled into jail for contempt if they refuse to do so,” Cardozo said.

There is confusion about other secrecy requirements of the law. For example, would it require employees who received requests to keep them secret from their employers? The Australian Department of Home Affairs, which coordinates strategy and leadership of the country’s national security policy, says it would not. But security experts at the Electronic Frontier Foundation and at companies like the password manager 1Password say it is actually unclear.

Australia does not have a strong tech industry, but it is growing, with investors and startups and a few established companies. And in the tightknit tech community that does exist, the new law has been a gut punch.

“We never thought it would pass,” said Alan Jones, chief executive of M8 Ventures, a tech investment firm in Sydney. “We all just figured that Australia’s political leaders would consider the expert advice that told them this was nuts.”

Sarah Moran, chief executive of Girl Geek Academy, which teaches young women to code, said she had planned to begin tech startups in Australia until the law passed.

“I was looking to found two tech companies, but why would you build tech here now?” she asked. “I don’t think the government understands how drastically it impacts not just the tech that’s built here but also the enthusiasm and entrepreneurial investment that Australians will be willing to make.”

Moran, who is based in Melbourne, said she was questioning even the program she currently runs. “Why would I tell young girls to go build tech here if there’s not going to be any tech industry?” she asked.

Casey Ellis, 37, was raised in Sydney but lives in San Francisco, where he runs a cybersecurity firm called Bugcrowd. He has already heard about companies that have become wary of hiring Australian firms, he said.

“People are factoring it in as a risk when you’re looking at hiring an Australian now,” Ellis said. “It’s causing a chilling effect around Australian companies.”