The Australian government has passed the controversial Assistance and Access Bill 2018 (AA Bill) on the final sitting day of the year, and without any of the amendments originally proposed by the Labor party.
The bill will allow law enforcement to access encrypted communications they believe may contain plans for illegal or terrorist activity.
However, concerns have been raised that any back-door access would inherently weaken security. If it’s possible for the authorities to access encrypted data, it’s possible for cyber criminals to access it, too.
Speaking to StartupSmart about the bill in October, Josh Jessop-Smith, co-founder of blockchain startup Loki, said for startups like his that are built on encryption, the passing of the bill would “100% undermine the entire project we have here”.
One of the major concerns about the bill is it will drive tech companies and startups out of Australia, with Jessop-Smith saying Loki was “seriously considering doing the majority of our work elsewhere”.
The reaction among the startup community on Twitter has been largely one of rage from locals and disbelief from afar, with some questioning whether ministers fully understood what they were voting for.
— Sarah Moran @ Crossroads #StartupAus (@SarahMoran) December 6, 2018
I honestly don’t think that Labor mps understand what they are voting for. Or perhaps they do and they just don’t care about breaking the internet or throwing tech professionals / companies under the bus #aabill #auspol
— Mehreen Faruqi (@MehreenFaruqi) December 6, 2018
HOLY FUCK AUSTRALIA JUST PASSED #AABILL
WHAT R U PEOPLE DOIN
— SwiftOnSecurity (@SwiftOnSecurity) December 6, 2018
Speaking to StartupSmart, Monique Mann, a research fellow in regulation of technology at the Queensland University of Technology, says the threat of startups leaving Australia is very real.
She points out there has been debate over what constitutes a “systemic weakness” under the bill; however, it hasn’t really been noted that “it’s the obligation of the company or developer to be able to audit this — and there are associated costs”.
While large companies may have the resources to manage those costs, for “small fish”-like startups, there’s a chance “it will essentially put them out of business”.
The fines for non-compliance are also significant. While fines for breaching the EU’s General Data Protection Regulation are 4% of a company’s annual turnover, fines for breaching the AA Bill legislation could reach $10 million, regardless of a company’s turnover.
Again, these fines are manageable for a large or multi-national organisation, but could be devastating for a startup.
Mann predicts the government will “try and come after non-compliers with a stick”, noting there is also a risk of up to five years’ jail time if companies do not hand over data.
The new legislation is also “fundamentally incompatible” with GDPR, which protects the data privacy rights of all European Union citizens — including those living in Australia — and is generally seen as a benchmark for data protection policies globally.
GDPR requires “data protection by design and default”, Mann says. The AA Bill, on the other hand, mandates “information insecurity by design and default”, she says.
“There are real questions around what the implications will be on the Australian tech industry and startup industry.”
A statement from StartupAUS noted the need to combat criminal activity, but said the bill “is both ineffective at doing so and creates a significant burden for the local technology sector”.
In the statement, Alex Gruszka, chief executive officer at StartupAUS, pointed to the “increasingly hostile political attitude” towards startups and tech companies outlined in the StartupAUS Crossroads report released last week.
“In an environment where legislation is difficult to pass on any issue, it is particularly frustrating to see bipartisan support for a bill that furthers Australia’s tech-phobic position in comparison to its international peers,” Gruszka said.
The bill places a unique regulatory burden on startups, limiting the security they can build into their systems and burdening them with additional costs.
“While some reimbursement possibilities are included in the bill, startups typically exist with very short cash runways and are put at existential risk when having to conduct significant activity that takes away from core business,” Gruszka said.
Finally, startups will be “left hamstrung” in export negotiations, he said.
“No global company will choose a weakened system provided by a company whose employees can be legally forced to comply with the Australian government.”