NZ officials consider impact of Australia's controversial encryption law

[The AchieVer]

 

New Zealand government officials say they are looking into the implications of Australia's controversial "anti-encryption" law but have not yet issued any advice to agencies.

Many Kiwi businesses and some government agencies have outsourced IT to cloud computing services in Sydney over the past several years to take advantage of economies of scale offered by the likes of Amazon Web Services (AWS), Microsoft and Google.

However, that trend may be threatened by an Australia law that means technology companies and their staff can be compelled to help Australian federal authorities gain access to encrypted communications.

MICHAEL BRADLEY/STUFF

NZTech chief executive Graeme Muller says it is not yet clear how the Australian law change will play out in practice. 

Many technologists have argued the law change – which is regarded as a potential precedent for other "Five Eyes" countries – could fundamentally undermine security by requiring internet giants such as Amazon, Apple and Google to build "backdoors" into their services that could then be exploited by hackers.

 

The Internal Affairs Department said it had not yet provided advice on the law change to Kiwi government agencies that use cloud computing services based in Australia.

SEAN GALLUP/GETTY IMAGES

Many NZ companies have outsourced their IT infrastructure to Amazon Web Services in Sydney.

But spokeswoman Amanda Duncan said it was "working with other agencies to consider the implications" of the Australian legislation.

The National government removed most restrictions on government agencies using overseas cloud computing services to store and process information in 2016.

That was despite acknowledging that could allow other countries to access their data for "law enforcement, national security or other reasons".

IAIN MCGREGOR/STUFF

Catalyst director Don Christie says officials haven't done proper due diligence on the risks of 'offshoring' government data. 

Don Christie, director of Wellington technology company Catalyst, said the Australian move would undermine the protections offered by the likes of AWS and Microsoft Azure and make it more likely that criminals would be able to access data.

Catalyst offers a New Zealand-based cloud computing service that competes with the likes of AWS and Microsoft Azure, and Christie said the Australian law change should make organisations think twice about sending data overseas.

The Government had been "negligent" in avoiding doing due diligence on the use of overseas data centres in the past and the encryption-law should bring "focus to the need for that and on how tied they are to particular platforms and services", he said.

 

"Australia has done exactly what it is able to do and made up its own law. That is what nation states do.

"If the regulations in these countries can change [the Government] needs to think about what the 'off-ramp' looks like."

Graeme Muller, chief executive of industry body NZTech, doubted the "anti-encryption" law would result in Kiwi firms abandoning cloud computing services in Sydney in big numbers and bringing their IT back home.

But he believed it might result in large global IT firms thinking more carefully about using Australia as a base, saying that could have knock-on implications for New Zealand.

"I don't think companies hosting on AWS or Microsoft Azure would be necessarily that concerned. I think it is more likely the platform providers will respond if the details of the law work out the way they [fear].

"They have servers all over the place. They can relocate data at the flick of a switch and it is more likely they will just not land it in Australia anymore."

But Muller said it was not yet clear how the law would be applied in practice.

"Even if authorities in Australia acted on it at some point and said 'we want you to break encryption and give us that data', I think there would be a legal battle before anything happened.

"It is so precedent-setting and it appears there is a lot that hasn't been thought through from a legal perspective."

Muller said there had been a lot of discussion among NZTech's members as encryption was so fundamental to trust on the internet.

"If you can't trust encryption anymore that really has a fundamental impact on the way we transact."

Christie had not yet seen New Zealand businesses repatriating their IT specifically in response to the law change, but said it had happened quickly and caught people "on the hop".

"There is a lot analysis yet to be done. Regardless of what people conclude, it demonstrates that once your data is out of your jurisdiction it really is out of your control.

"We have to think carefully about our data applications and place a lot more value on them," he said.

 

Source