Published daily by the Lowy Institute

Disruptors disrupted: Australia’s new encryption law

Law enforcement and technology companies are battling over the privacy implications of contentious new laws.

Photo: Roger Marks/Flickr
Photo: Roger Marks/Flickr

Last week the Australian government successfully passed contentious national security legislation granting security and law enforcement agencies greater access to the encrypted messages of suspected criminals.

The Telecommunications and Other Legislation (Assistance and Access) Bill is part of a wider push by Five Eyes governments (Australia, Canada, New Zealand, the United Kingdom, and the United States) to compel technology companies to provide access to information on their encrypted platforms.

The focus of the new legislation is access to information – not mandatory decryption.

The new legislation, based on the UK’s Investigatory Powers Act, introduces obligations for both domestic and foreign tech companies to assist law enforcement in accessing private data. This will be achieved through an industry assistance regime, consisting of:

  • Technical Assistance Requests which are requests for voluntary cooperation from communications providers. These can be issued by the Australian Security Intelligence Organisation (ASIO), the Australian Secret Intelligence Service (ASIS), the Australian Signals Directorate (ASD), and other interception agencies.
  • Technical Assistance Notices which are compulsory requests issued to a communication provider to use an interception capability they already have.
  • Technical Capability Notices which can be issued by the Attorney-General to compel a communication provider to build a new interception capability to assist law enforcement investigations.

Why now?

The original Telecommunications (Interception Access) Act came into force in 1979. At that time, Australia had a fixed-line telecommunications network managed by a single operator. Today, the market is open, data-based, mobile-driven, and device-centric. The Assistance and Access Bill seeks to address the reality of a converged telecommunications sector by ensuring that over-the-top service providers and other technology companies  – the majority of which are foreign owned – are subject to Australian law.

The legislation has come under fire from tech companies and industry groups who claim its scope is overly broad and its authorities intentionally vague.

At the centre of the debate is section 317ZG of the bill. This provision prohibits communications providers from being required to build or implement a “systemic weakness” or systemic vulnerability – a backdoor – into their product or service.

In its submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), Digital Industry Group Inc (an industry association representing the interests of Amazon, Google, Facebook, and Twitter) said that the Bill would “undermine public safety,” and make it “easier for bad actors to commit crimes against individuals, organisations, or communities.”

Likewise, Apple’s submission to the PJCIS asserts that the legislation:

Could allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person’s home, require a provider to monitor the health data of its customers for indications of drug use, or require the development of a tool that can unlock a particular user’s device regardless of whether such tool could be used to unlock every other user’s device as well.

Significantly, the legislation has been amended to include the definitions for what is meant by “systemic vulnerability” and “systemic weakness.”

Claims that surveillance powers will go unfettered, however, are overblown.

Access to information is sought under warrant and ASIO’s current digital data interception collects and accounts for less than 0.003 per cent of the total volume of data downloaded by all Australians.

Pro-access vs. anti-encryption

The focus of the new legislation is access to information – not mandatory decryption.

Under the banner of Alliance for a Safe and Secure Internet, technology companies and human rights groups have joined forces to frame the Assistance and Access Bill as “anti-encryption” or “anti-cryptography.”

But the real intent of the Bill is to formalise a system of engagement and cooperation with communication service providers who, in some instances, have proved unwilling to provide lawful and non-arbitrary access to information for the purpose of criminal investigations.

Companies like Google and Facebook have built their businesses on the disclosure of their users’ data: they aggregate and sell it to the highest bidder.

The hypocrisy is glaring.

Under the new legislation Technical Assistance Requests, Technical Assistance Notices, and Technical Capability Notices cannot be issued unless they are “reasonable and proportionate” and “technically feasible.”

Australia is not “going it alone”. There is a consensus among global leaders that data regulation is needed for the protection of national security.

In 2017, G20 leaders issued the Hamburg statement on countering terrorism which, for the first time, affirmed that “the rule of law applies online as well as it does offline.”

Over the past three months in a rare set of public speeches, the heads of three global intelligence agencies have signalled an ongoing commitment to the spirit of the Hamburg statement, with particular reference to encryption.

  • On 29 October, Mike Burgess, Director-General of Australian Signals Directorate, stated that encryption presents a challenge “when it comes to uncovering the secrets of those who pose a threat to Australia's national security.”
  • On 5 December, David Vigneault, Director of the Canadian Security Intelligence Service, said encryption “greatly undermines the efforts of … CSIS to investigate, disrupt, and prosecute the terrorist threat.”
  • And, on 6 December, Alex Younger, Chief of MI6, warned of the “existential challenge the data age poses” to the security of Britain and its allies.

What now?

The Assistance and Access Bill is earmarked for significant amendments once Parliament resumes in February 2019. After 18 months of coming into force, it will be due for a mandatory review by the Independent National Security Legislation Monitor to ensure that it is meeting its original intent.

Once the amendments are made, the legislation could lead to the most effective cooperation between security agencies and communication service providers since the estrangement imposed by the Snowden revelations.

You may also be interested in