The proposed legislation would give Australian law enforcement agencies new powers to demand technical assistance from the overly broad range of "designated service providers" covered by the bill, in order to grant investigators access to encrypted data.
Despite a provision stating that the provider "must not be required to implement or build a systemic weakness or systemic vulnerability," this short-sighted bill would end up doing just that. If passed, the bill will result in providers undermining the security of their devices, software, and services, not just in one-off instances, but across the board. I previously submitted comments on the initial "exposure draft" of the bill, critiquing it for its dire computer-security ramifications and negative human-rights impact. Others have called out additional problems with the bill, such as its threats to due process and transparency.
The latest draft of the bill fails to fix the problems I identified in my earlier comments. The new amendments show the Australian government continuing to talk the talk about its concern for computer security, without actually walking the walk. (To be clear, walking the walk would mean walking away from this bill.) The amendments try to enhance the appearance of caring about computer security by adding an "assessment and report" process for evaluating whether a proposed demand to a provider would result in a systemic weakness or vulnerability. But the bill renders that process toothless by making it optional, placing all costs on the provider (which would dissuade smaller entities), and allowing the government to proceed even if the report concludes that the demand would indeed do systemic harm.
My latest comments are available here. I continue to oppose this bill, and I urge my Australian readers to keep contacting their legislators and letting them know you oppose it too. I pray that sense and reason bring this bill to a halt.