Because the Assistance and Access Act is widely misunderstood as doing things that it doesn't.
The media drastically overreacted to that act, to the point where the Department of Home Affairs now has an entire page dedicated to addressing the false reporting [0].
The TL;DR is that the act doesn't allow the government to introduce mass surveillance. Section 317ZG [1] expressly forbids any law enforcement request from _having the effect_ of introducing any systemic vulnerability or weakness and _explicitly_ calls out new decryption capabilities as under that umbrella.
The media's widespread report that e2e encryption was dead in Australia was therefore false. The purpose of the act was more like if Facebook or Google have data that are encrypted at rest and they hold the keys, they can be compelled to decrypt it.
Under the new legislation, section 27KP(2)e(ii) refers to MITM attacks on network traffic if it'd be reasonable for the ISP to implement, or section 27KP(2)i refers to a surveillance device being provided to the ISP which then must integrate with it for whatever purpose (MITM attack or something else).
Isn't this the purpose of the Assistance and Access Act where the ISP in question doesn't have a present ability to perform MITM attacks on network traffic, and would therefore have to build and engineer at a significant cost a new solution for law enforcement use? And once that is achieved, 27KP(2)e(ii) of this new legislation is then reasonable for an ISP to perform because the capability has been built and is now present?
I believe section 317ZK, subsection (3) of the act [0] prohibits a provider from bearing the costs of compliance. If I read correctly, the cost is negotiated between the provider and the government and the government bears the cost.
And section 317ZGA [1] explicitly puts compliance with interception warrants (which I believe are the warrants in the new bill) out of scope.
I _think_ the effort a provider has to put in to comply with the new act is primarily limited by 27KP(2)e's "reasonable" wording.
[0]: https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...
[1]: http://classic.austlii.edu.au/au/legis/cth/consol_act/ta1997...