
Australian here. What the Assistance and Access bill did is different, and clever in some ways. TL;DR: it doesn't attack encryption directly - it doesn't give the government power to direct anyone to hand over keys, for instance. In fact the bill specifically prohibits the government from asking anyone to introduce a "systemic weakness". A systemic weakness is something that would allow the government to spy on everyone - which is what India seemingly wants to do.

But as I said it's clever. It can specifically prohibit introducing new "systemic weaknesses" because they already have one that's more than good enough for their purposes. That would be silent security updates. They have given themselves the power to compel a tech company (Apple/Google/Microsoft) to install a silent security update on a specific device. The "silent security update" would of course be a bug (spy intercept) of some sort. It doesn't bypass encryption because it doesn't need to - a human can only consume unencrypted data, so that's what the spy bug intercepts.

They've ensured that it will never be systemic to their own satisfaction by putting several hurdles in place, like independent judicial review of the bug and which devices will be targeted. The fundamental principle is that the only acceptable reason for targeting someone is criminal activity. If those hurdles are respected (and it seems likely they would mostly be followed) it means the Chinese-like surveillance society India seems to be trying to create would be very difficult in Australia, even with this law. Which I guess would make it a reasonable compromise between government privacy invasion and law and order concerns.

The flaw is it's impossible to know if they are being respected. All companies and people forced to inject these spyware updates are automatically subject to a gag order. All that review I mentioned happens in secret, and they have specifically exempted themselves from publishing any meaningful information on who, what, why and how devices are targeted.

To finish the picture - if the Australian government was concerned about criminal behaviour happening over Signal, it's highly unlikely they would be approaching Signal as India has apparently done. (I can't for the life of me think of a reason why Signal would give a shit about what the Indian government thinks or wants. Ditto the Australian government.) Instead they would direct Google to inject keyboard and screen monitors into Android. Google makes a lot of money in Australia, so it's likely they would comply. Like I said - it's clever.

But not impossibly so. It only works if they can target a particular device. For commercial products this is invariably easy - Apple, Google, Microsoft all want you to sign in with an identity so they can milk some profit out of it either by charging you or at least displaying advertising. But open source projects, like Fedora or Debian, go out of their way to not identify their users, and worse, Debian creates audit trails like reproducible builds. So their users are largely immune to Australia's Assistance and Access Bill (2019). But they aren't immune to India's rubber hose approach.
