Why it matters: Regardless of how well protected stored information is, the Australian government will soon be able to request a copy of it for investigation of criminal activities. Any encrypted data must be handed over or harsh penalties may be imposed. This sets a precedent among first-world countries.
Debate over how law enforcement and government agencies should combat encryption on modern devices has been ongoing for years now. In a surprise move, Australia's parliament passed a bill that requires technology firms to provide access to encrypted data.
Any business failing to hand over data within a specified time period can face fines of up to $7.3 million. Prison sentences can also be given to any individual who refuses to hand over data that is believed to be connected with illegal activities.
As part of the Five Eyes intelligence alliance, Australia is the first to take action after all alliance members have made statements indicating that malicious actors are finding ways to communicate privately. Parliament members have attempted to justify the new legislation by saying it is necessary to fight organized crime and prevent militant attacks.
Google, Facebook, Apple, Microsoft, Amazon, Twitter, and many more renowned tech companies have all voiced intense opposition to the newly passed bill. A statement made by Digital Industry Group Inc., a coalition whose members include many of the top tech businesses, reads, "Several critical issues remain unaddressed in this legislation, most significantly the prospect of introducing systemic weaknesses that could put Australians’ data security at risk."
Even though Australia is not requiring that firms provide decrypted data, a feat that should never be possible, there is no safeguard in place to prevent an amendment from adding such a troubling clause. As cloud computing services continue to grow, it only becomes easier for an organization with plenty of money available to try to circumvent the encryption measures in place. On the flip side, mobile devices that are often a target for governments are being packed with native hardware encryption and stronger algorithms.
In reality, though, mobile devices are still not very secure when physical access is available. This is demonstrated time and time again at pentesting events that offer bug bounties and by data recovery firms that will unlock mobile devices for a relatively low cost.