A little over a week since the window closed for public submissions on the government's draft Assistance and Access Bill, Minister for Home Affairs Peter Dutton on Thursday introduced the Bill into the House of Representatives.
"The legislation will not weaken encryption or mandate backdoors into encryption. The Bill specifically provides that companies cannot be required to create systemic weaknesses in their encrypted products, or be required to build a decryption capability," Dutton said in a second reading speech.
"The Bill provides law enforcement agencies with additional powers for overt and covert computer access. Computer access involves the use of software to collect information directly from devices."
Dutton's optimistic view of the Bill was not shared by a panel of experts discussing it on Thursday morning in Sydney, who pointed out the Bill is problematic due to lacking definitions of basic terms like "systemic weakness", being very wide ranging in scope, and containing internal conflicts.
Released as a draft in mid-August, the Bill provides for Australian interception agencies -- defined within the Bill to be Australian federal, state, or territory police forces and anti-corruption bodies -- to seek assistance in stripping "electronic protections" from communications, either as a wide-ranging voluntary request without oversight, or as compulsory notices that are more constrained and do have oversight.
"You almost have to congratulate them about the way that they have constructed the elements of this legislation which, when you view each of them on their own, looking concerning, [and] when you combine them, definitely scary," Stanton said at a Communications Alliance and Baker McKenzie forum.
"When you think about the scope of the Bill, where it expands on an unholy trinity of how many agencies can take advantage of the powers of the legislation, how many players in Australia and abroad that it seeks to direct and control, and the virtually unlimited scope of the acts that it can require to be undertaken -- that really is breathtaking, I think.
"And when you look into those acts about the potential to remove electronic protection, to give up source code, to install software to create systemic weaknesses in devices, that really opens up a Pandora's box."
Stanton said he was concerned that such a complex piece of legislation was able to clear the Coalition party room so quickly.
"One of the key indicators will be when the government introduces the Bill and refers it to PJCIS [Parliamentary Joint Committee on Intelligence and Security] -- which I expect they will do -- will be the amount of time that they give the PJCIS to report," he said.
"If you see them refer it to the committee and say 'Come back to us in four weeks', you'll know that is one more chapter of a consultative and an inquiry process that is a sham."
Labelling the original drafting of the TSSR Bill as a shocker, Stanton said at least it was widely consulted on, and went to a number of committees before amendments were made; however, the government did not fulfil all its obligations.
"On TSSR, the [PJCIS] identified a number of remaining weaknesses in the legislation and made recommendations to government about how to fix them, they'd worked with industry on that and it was a good collaborative effort. The government's response was: 'Tell you what, we don't need to amend the Bill, we're going to fix it all by issuing revised administrative guidelines and deal with it that way'," he said.
"The department said to industry: 'We'll have all that done by the end of six months' -- of the twelve month implementation period -- 'don't worry, you won't have to rush to figure out what those revisions mean and how to comply with them'.
"So this week the act came into force, revised guidelines? Yeah, nah -- haven't shown up, and no explanation from the department as to whether or when they will ever keep that commitment."
The draft legislation was alarming enough that it drew out the Internet Architecture Board (IAB), which warned the Bill's provisions represented an existential threat to the internet's security and integrity.
IAB chair Ted Hardie stated that any method to compel an infrastructure provider to break encryption or provide false trust arrangements will introduce a systemic weakness that threatens to erode trust in the internet itself.
"The mere ability to compel internet infrastructure providers' compliance introduces that vulnerability to the entire system, because it weakens that same trust," Hardie said. "The internet, as a system, moves from one whose characteristics are predictable to one where they are not."
If similar legislation were implemented by other jurisdictions, the IAB said, the end result could be the fragmentation of the internet itself.
"This approach, if applied generally, would result in the internet's privacy and security being the lowest common denominator permitted by the actions taken in myriad judicial contexts. From that perspective, this approach drastically reduces trust in critical internet infrastructure and affects the long term health and viability of the internet."
During Thursday's panel, the provisions of the Bill that would require corporations to violate other nations' laws in order to comply with Australian law were highlighted as particularly problematic.
At the same time in Canberra, the Home Affairs Minister was stating the Bill was reasonable and proportionate.
"The government has undertaken extensive industry and public consultation on the bill and has made amendments to account for the constructive feedback received," Dutton asserted in a second reading speech.