Atlassian believes Australia's encryption-busting legislation continues to have a negative impact on the country's technology sector, both from the perspective of partnering with an Australian company and attracting tech talent down under.
"The Act's passage has significantly degraded the global reputation of the Australian tech sector, as local companies and multinationals alike question whether actions the Act compels them to take will degrade industry's ability to secure customer data and place their employees at individual peril," Atlassian head of IP, policy, and government affairs Patrick Zhang said.
"We have received inquiries from customers asking about the impact of TOLA and what it may obligate Atlassian to do … our fear is that these questions are not ones that we will necessarily hear from customers and customers who shy away from our products or services may never tell us that it is due to TOLA, so understanding that is a difficult proposition to accept, but there has been, at the very least, anecdotal outreach from our customers, especially in Europe around the security of their data."
Zhang was appearing before the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and its review of the amendments made by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act).
The TOLA Act was rammed through Parliament back in late 2018. Under the laws as currently written, agencies can issue:
- Technical Assistance Notices (TAN), which are compulsory notices for a communication provider to use an interception capability they already have;
- Technical Capability Notices (TCN), which are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
- Technical Assistance Requests (TAR), which have been described by experts as the most dangerous of all.
TANs and TARs can currently be approved by the head of the requesting law enforcement or intelligence agency. TCNs must be approved jointly by the attorney-general and the minister for communications.
Zhang said the "very rushed" manner in which TOLA was created, alongside the rights granted to the government under the Act, are to blame for its negative global impact.
"The impact is twofold … the first is around TANs and TCNs … in terms of the breadth of the rights that are being granted to law enforcement and national security agencies to request not just assistance in decrypting intercepted data but in actually making changes to the systems and products of technology companies," he explained.
"I think the fear is that by working with an Australian company … is that company going to be subject to orders by the government to weaken its security or to build backdoors that will make the product less secure and expose a weak link, if you will, in the technology supply chain?"
The other part of the damage, according to Zhang, concerns individual employees; here he again pointed to the unclear definitions used in the Bill.
"Under a strict, literal reading of the language, and the definition of DCPs (designated carriage providers), individual employees could be characterised as a DCP and be made subject to notices by the government that compel them to do certain acts and, when coupled with the secrecy provisions, it would make it appear that the employee was being made to work in a way that is at odds with his employer and held to a secrecy standard that would prevent him from seeking assistance from his employer," Zhang continued.
"I think there has been a concern that Australian employees are in some sense more vulnerable to this right to compel by the government and that has damaged the reputation of the Australian tech sector and potentially the willingness of technology talent residing outside of Australia to come to Australia and work here."
While Zhang accepts the Bill was born of legitimate concerns to give law enforcement a way to combat the trend of "going dark" due to greater use of encryption technologies, he said such powers "must be granted in a clear and proportionate way and with safeguards that retain the public's trust in the government's exercise of power".
"They must also not create self-inflicted wounds for industry as it looks to secure customer data in today's challenging cybersecurity environment," he said.
The hearing follows a report from Australia's now-retired Independent National Security Legislation Monitor (INSLM) who earlier this month made a handful of recommendations, mostly centred on the creation of an independent body to oversee the approval of warrants.
Atlassian agrees with many of the recommendations made by the INSLM, with Zhang saying the company was encouraged by them.
"Access, especially given the amount of data that is potentially made available under the TAN/TCN framework should be governed by a separate authorisation that is independent and apart from the agency that is seeking that information," Zhang added.
He said independent oversight would also help with the "troubling" definitions the Bill contains.
"The current definitions are troubling in that they are open to a broad range of interpretations," he continued.
"Especially without independent oversight, it appears to me that it would be difficult to understand the authority, who is authorising the notice, what definition that they're using, what definition that they're applying -- I think there is a lot of ambiguity of that exercise of power."
He said the introduction of an avenue for industry to take part in the process -- that is, to participate in an appeals process on any decisions -- would also be a welcome idea.