Encryption – vital laws or a backdoor for hackers?

The “Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018” (known as the A&A Act) has an innocuous name though many may believe it to be something of a misnomer, certainly with respect to the “assistance” and “access” references!

Passed on 6 December 2018, the impetus for the new encryption laws is national security, and the rush was Christmas, on the apparent basis that the potential for acts of terror increases during the festive season. Just why we needed to pass this legislation before this Christmas, allowing only four days to push 173 proposed amendments through both Houses of Parliament, is not clear.

What is clear is that the rushed laws may well have some serious and unintended consequences. The Law Council of Australia detailed its concerns, including the possibility of overreach by intelligence and law enforcement agencies, and pointed out that safety must not come at the cost of weakening the rule of law.

The Encryption Act affects a wide range of suppliers across the IT industry including equipment and device manufacturers, infrastructure providers, cloud-based storage services, software developers and web-and-app based communications services including social media.

According to Business Insider Australia, ‘Tech companies use encryption technology to ensure that only the sender and recipient of a message can read its content. Services like WhatsApp and iMessage are encrypted, meaning if the police asked Facebook or Apple for a message, the tech companies would not be able to provide it.

Australia is asking for a so-called “back door,” a feature that would allow a provider like Apple to decrypt specific messages for law enforcement. Most security experts believe that these kinds of features weaken privacy for all users, not just criminals.’

Per Itnews, ‘Citing a Fitch Solutions Macro Research report issued on Thursday, the Australian Financial Review (AFR) has reported the ratings agency has advised clients that the new laws translate to a “negative for Australia’s tech sector, but they will have the most impact globally, as they target international companies.”

The guidance from Fitch goes on to caution that if technology companies are required to follow the laws in Australia, other nations will seek similar powers, weakening messaging security and “increase the threat of non-state actors”, the AFR reported.

The entry of global ratings agencies into the encryption law debate is a first rate headache for Australia’s security agencies and politicians because it suggests a serious miscalculation about how the new laws would be perceived by international capital markets.’

What sets the Encryption Act apart is the wide acknowledgement that the Act, as passed, is seriously flawed.

The Supplementary Explanatory Memorandum to the Bill outlines the proposed amendments as follows, saying that they will:

  • enhance existing oversight arrangements for agencies and provide review mechanisms—namely legislative review by the Independent National Security Legislation Monitor within 18 months of commencement, and review by the Parliamentary Joint Committee on Intelligence and Security in early 2019
  • provide for explicit inspection powers of Schedule 1 measures by the Commonwealth Ombudsman and enhancing the ability of the Ombudsman to inspect the exercise of these powers in conjunction with underlying interception and surveillance device warrants
  • add to reporting requirements on the use of Schedule 1 and Schedule 5 powers
  • ensure the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman are notified of the issue, variation, extension and revocation of all industry assistance measures
  • define ‘systemic weakness’ and ‘systemic vulnerability’ to enable technical reporting to assist in whether a technical capability notice would breach the legislative limitations, and applying this definition more broadly to Schedule 1
  • enhance the protections against systemic weakness and vulnerability by making clear that industry assistance cannot be requested or required if it would, or would be likely to, jeopardise the security of any information held by a person other than a person connected with a target technology, including if the act or thing requested or required would create a material risk that otherwise secure information can be accessed by an unauthorised third party
  • enhance the independent assessment (on referral) of whether requirements to build a new capability create a systemic weakness and are reasonable, proportionate, practicable and technically feasible
  • extend decision-making requirements and the limitation against building or implementing systemic weaknesses to voluntary measures in Schedule 1
  • narrow the functions for which intelligence agencies can seek voluntary assistance
  • limit the application of the industry assistance measures to the investigation and prosecution of serious offences (offences with a maximum period of imprisonment of 3 years or more)
  • make the activities that may be required by a notice in Schedule 1 exhaustive and clarify that they can be used to facilitate or assist in giving effect to warrants and authorisations
  • ensure decision-makers consider the necessity of measures under Schedule 1 and that any conduct would be the least intrusive to third parties
  • impose time-limits of 12 months for technical assistance notices and technical capability notices
  • allow for ‘designated communications providers’ to disclose information about a technical capability notice with agreement from the relevant agency and subject to conditions
  • clarify that disclosures can be made between law enforcement agencies and oversight bodies for Schedules 1 and 2
  • clarify the appropriate civil penalties in line with other similar assistance obligations under the Telecommunications Act
  • clarify that for the purposes of Part 15 of the Telecommunications Act a reference to ‘Minister’ is a reference to the Minister for Home Affairs
  • provide for Commonwealth scrutiny of technical assistance notices by the chief officer of an interception agency of a State or Territory
  • allow designated communication providers to refer technical capability notices to the Attorney-General for review to determine if the notice creates a systemic weakness
  • limit the definition of ‘interception agency’ to Commonwealth, State and Territory police
  • require double-lock approval of technical capability notices by both the Attorney-General and the Minister for Communications
  • limit the circumstances in which a technical capability notice may be varied and require approval of both the Attorney-General and the Minister
  • ensure that ‘ASIO computer access intercept information’ and ‘general computer access intercept information’ is subject to restrictions on use, disclosure and requirements which relate to destruction
  • allow for notification on concealment activities for ASIO and law enforcement computer access warrants, and
  • place further safeguards on the exercise of compulsory powers in Schedule 5.

It is important to note that these amendments (over 60 pages in total) were not actually made before the legislation was passed.

In its coverage, the Australian Financial Review (paywall) pointed out that security experts are saying that the laws may have disastrous consequences or, conversely, they may simply have no consequence as the systems at play may be too complicated. They also make the point that although “the new legislation prohibits the creation of “systemic vulnerabilities” and “system weakness”, the complexity of the telecommunications, hardware and software ecosystems makes it difficult to guarantee that targeted vulnerabilities and weaknesses won’t spread beyond the targets and become systemic”.

Labor was originally holding out for amendments; however, SBS News quotes opposition leader Bill Shorten as saying that “There are legitimate concerns about the encryption legislation but I wasn’t prepared to walk away from my job and leave matters in a stand-off and expose Australians to increased risk in terms of national security.”

In additional SBS coverage, Labor justified its capitulation in passing the Bill without amendment by saying “We will not be waiting for the Senate to pass superfluous amendments on the encryption bill.” The coverage asserted that “the government had repeatedly argued it was vital to pass the encryption laws before the holiday period, when intelligence agencies said they would come in handy to deal with an annual spike in terror threats”.

There is something incongruous about passing a law described as vital on the basis that it would “come in handy”.

Let’s hope that the Opposition keeps its promise to revisit the proposed changes when Parliament resumes sitting in 2019!

DGA provides regulatory guidance to Members, subscribers and participants. The information provided is general in nature only; it is not comprehensive and does not constitute legal advice. You should obtain legal or other professional advice before acting or relying on this information.