The law also defines "systemwide weaknesses" in a way that, uhh, allows for having actual systemwide weaknesses without being able to claim that they're being made to introduce "systemwide weaknesses" under the text of the law.
What counts as a systemwide weakness"? For example, if it allows the Australian government to decrypt things, but does not make it any easier for anyone else to decrypt things unless they do so by going through the Australian government (either with Australia's cooperation, or by hacking them, or by the Australian government leaking private keys), would that be a systemwide weakness?
You either store the keys centrally, or use a weaker encryption strategy. Those are the only ways to decrypt something. Either one makes it easier for anybody to hack.
The classic metaphor is that of a castle wall. If you put a gate in it, no matter how well your fortify that gate, it remains a weak point compared to the rest of the wall.
> You either store the keys centrally, or use a weaker encryption strategy. Those are the only ways to decrypt something. Either one makes it easier for anybody to hack.
That was right before 1973. The development of public key cryptography in 1973 adds another option. Take the symmetrical key the device uses to encrypt user data and encrypt a copy of that key using a public key of the entity that the back door is for.
The authorized back door user can decrypt that copy using their private key. If the public key system parameters are chosen correctly anyone else trying to get in who does not have a copy of that private key faces a problem at least as hard as brute forcing the underlying device encryption.
They still hold a copy of their own private key somewhere, you're just punting the issue a little bit. Plus, there would have to be a single key for all users, or you'd have to give every user's key to the institution as well. That means more travel over the wire, that means central storage of skeleton keys, etc. Each of these factors introduces another vector of possible attack. If there's a gate, there's a way to get in, and no matter how many keys are required or where they're kept, they'll always be more vulnerable than a wall with no gate.
By giving that party another key. Key escrow is even harder to implement than regular security, but it is in use. FileVault on macOS and Mobile Device Management for iOS have Institutional Recovery Keys already implemented. https://developer.apple.com/business/documentation/MDM-Proto...
It's an interesting position. Labor (our sorta left-wing party) are considering amendments to the bill:
>Labor’s amendments would also clarify that a “systemic weakness” is one that “would or may create a material risk that otherwise secure information would or may in the future be accessed, used, manipulated, disclosed or otherwise compromised by an unauthorised third party”. [0]
I'm not sure how this doesn't cover all exploits - there have been a few cases of vulnerabilities discovered by state agencies being leaked/disclosed [1].
I've seen this proposed as an enormous loophole, since every backdoor is a "systemwide weakness", and the lawmakers just don't understand that fact.