Peter Dutton's Encryption Laws Could Still Create Backdoors, According To The Spy Watchdog

    The inspector-general of intelligence and security said there's nothing to stop a tech company from being coerced into making a backdoor on its encrypted communications.

    Tech companies could potentially be persuaded by Australian law enforcement agencies to build backdoors into private communications, but home affairs minister Peter Dutton insists his new legislation would not force them to.

    Dutton says his new legislation, aimed at forcing tech companies to give law enforcement access to their users' secret communications, won't force tech companies to create backdoors in their devices or services that would undermine encrypted communications for Australians.

    In a speech at the National Press Club on Wednesday, Dutton said the legislation omitted backdoors and "there will be no weakening of encryption".

    "In fact, the bill specifically provides the companies cannot be required to create systemic weaknesses in their encrypted products or be required to build a decryption capability," he said.

    "Required" is the key word in that sentence, according to the inspector-general of intelligence and security (IGIS), which oversees Australia's spy agencies.

    In a submission to the Home Affairs Department's consultation on the draft legislation, released this week, IGIS warned that the legislation could allow the companies to voluntarily put in a backdoor if agencies asked.

    Under the legislation there are technical assistance or technical capability notices, which law enforcement can send to tech companies to take some action to help agencies access encrypted communications as part of their criminal investigations.

    The notices can't force companies to introduce weaknesses that would allow agencies to access the encrypted communications of anyone using that service, nor can they require companies to build new ways to decrypt the communications.

    But law enforcement agencies can also ask tech companies to voluntarily comply with what are called technical assistance notices, and under the legislation there is nothing stopping the companies from being asked to build backdoors, IGIS said in its submission.

    "This raises the legal possibility that ASIO [Australian Security Intelligence Organisation], ASIS [Australian Secret Intelligence Service] or ASD [Australian Signals Directorate] could negotiate an agreement with a provider to voluntarily create or fail to remediate a ‘backdoor’," IGIS said.

    The company could not be sued for creating a backdoor, either, under the legislation.

    IGIS admits it is foreseeable that tech companies would refuse to create backdoors because of the reputational damage it could cause – as was the case with Apple in the US – but that there is still the possibility they could be persuaded to do so and be compensated for doing it.

    "If there is such an intention, any use of requests in this way would raise significant propriety risks, including in the assessment of the impacts of a ‘backdoor’ on the users of the relevant services, equipment or devices, whose information security may be unknowingly compromised," IGIS said.

    Employees who wanted to blow the whistle on any company doing this would also face prosecution under the legislation, IGIS said.

    The bigger tech companies aren't likely to do this. As BuzzFeed News has previously reported, the biggest tech companies in the world are opposed to the legislation as it is currently drafted. On Wednesday Dutton accused these companies of avoiding paying tax and misusing personal data, and called on Labor to support the quick passage of the legislation through the parliament.

    "The decision for [opposition leader Bill] Shorten is whether he supports the Silicon Valley multi-billion-dollar companies or is on the side of protecting Australians," he said.

    A parliamentary committee is currently reviewing the legislation, and Dutton indicated he was open to more amendments if any arose out of that review, but claimed the legislation was already a "compromise" based on "extensive consultation" with tech companies.

    The legislation was introduced into parliament just 10 days after submissions closed on the draft legislation.

    Tech companies including Amazon, Apple and Microsoft, through lobbying organisations such as the Software Alliance, have told the government that at the very least there should be more judicial oversight over when they can be compelled to help law enforcement access encrypted communications, but Dutton said he wanted it to be "practical and manageable" for law enforcement.