Learn about the new Access and Assistance Bill (AABill) in Australia including what it means for services using encryption, our criticisms of the law as written, and why our service is not affected.
For over twenty years, the Telecommunications (Interception and Access) Act has governed how Australian law enforcement can request data from Australian service providers like ourselves. It allows law enforcement to get a warrant for subscriber information and stored communications, while providing safeguards for user privacy.
Australia’s parliament recently passed the Access and Assistance Bill (AABill), which focuses on services built with end-to-end encryption. This new bill allows law enforcement to compel companies to modify their services and intercept data from their customers in its unencrypted form.
While we securely encrypt all your data, we have the keys to decrypt that data in order to let you search your email, use standard internet protocols, and recover access to your data if you lose your password (which happens more often than you might think!). Server-side processing of data is essential to the services we offer.
Of course, should our users choose to end-to-end encrypt their mail via PGP, we have no way to access that content, even under the AABill. Our blog explains why we have never offered PGP ourselves, and describes third-party PGP tools you can use with Fastmail if you wish to manage your own encryption.
Fastmail won’t be making changes to our technology or policies in response to this bill. Law enforcement has always been able to request information from us through the Telecommunications Act with a lawful warrant. Because we have the ability to decrypt all data, there is no need to make changes that circumvent encryption.
Every warrant we receive is reviewed by senior staff for legitimacy and scope before data is provided. Each account whose data is requested must be individually identified. Responding for one user does not require us to expose or share the data of our other customers.
If you’d like more information on what is actually in the AABill, this article has a clear breakdown.
The AABill has raised concerns from technology companies and privacy supporters around the world, and deservedly so. While Fastmail is not directly affected, we don’t support this legislation because it carries serious implications for the Australian tech industry. We are working with industry groups and digital privacy organisations to campaign for changes.
Encryption is a tool that provides many positive protections: most websites on the internet are now encrypted so that onlookers can’t see what you’re viewing. Nobody would shop on the internet without the protection of encryption guarding your bank information!
This bill has the capacity to weaken encryption. Compromising security can have unintentional consequences, and the focus of most industry pushback is on embedding backdoors to give law enforcement access to information that they otherwise could not read. Technologists know it’s hard to control access to backdoors, and worry about them being weaponised by bad actors.
Both the bill itself, and the controversy around the process by which it passed, have damaged the reputation of Australia in the international marketplace. The AABill was passed in spite of an overwhelming number of submissions pointing out flaws. Many now view Australian service providers, companies, and contractors with suspicion.
There are also concerns that individual employees may be forced to build a backdoor, without being able to alert their employer. While frightening for anyone working in technology, we believe this fear is largely unfounded. Most organisations have practices (pair programming, code reviews, risk evaluations) that would reveal such behaviour quickly.
Bad actors exist, and law enforcement needs tools to stop them. As the AABill stands, we believe the risk it adds to the general public’s privacy and security is too high for the access it can gain. Besides our general issue advocacy, we’re taking a number of specific actions:
Social media is great for raising awareness but insufficient to create change in legislation. We encourage you to reach out directly if this issue matters to you.
If you’re not an Australian, be aware that the appetite for this type of law is not limited to Australia. Stay informed and engaged with this topic in your part of the world.
Public awareness of online privacy and security is increasing. We at Fastmail believe we have a responsibility to be proactive about educating and advocating for good privacy principles and practices. Digital privacy is no longer the sole domain of the deeply technical user, but a fundamental right and responsibility of every individual online.
Update (January 2021)
Upon legal advice, we have moved our process for handling data requests away from the Telecommunications Act and across to the Crimes Act and similar legal instruments. The content in this blog has been left for historical reference, and the intent still stands: we remain unaffected by the AABill/TOLA, as law enforcement agencies can already request information from us through other appropriate, legal ways. ↩︎
You may still be tracked even while using a “private” window like Incognito or VPN. Here are the best private browsers to protect your privacy.
Introducing nine privacy-friendly tools to control more of the information you are sharing with third parties.