Australian industry groups issue wish list of encryption law changes

Some old, some new, some borrowed from the Labor party.

The Communications Alliance, Australian Industry Group, Australian Information Industry Association, Australian Mobile Telecommunications Association, Digital Industry Group Inc, and Information Technology Professionals Association have combined to create a wishlist of changes to Australia's encryption laws.

The contentious laws passed on the last evening of Parliament for 2018, following the capitulation of the Labor opposition, which dropped its own amendments and waved the legislation through the Senate in the belief that Parliament would consider the amendments when it resumes in February. The government successfully had its 67 pages of amendments added to the Bill in the lower house.

Following the legislation's passage, the Parliamentary Joint Committee on Intelligence and Security opened a review of the new laws, and is due to report back by April 3.

In a submission to the review, the industry groups endorsed a number of Labor's dumped amendments, including judicial consent for warrants, and the removal of the definition of systemic weakness.

"It appears very difficult to adequately define the terms 'systemic weakness/vulnerability' and 'target technology'. As currently drafted in the Act, these definitions are difficult to understand, ambiguous and are significantly too narrow," the submission said.

"It is unclear what constitutes a class of technology, (e.g. would a 'class' be all mobile handsets, or Android phones, but not iPhones, or the mobile handsets offered by one service provider but not another, or some other combination of factors?).

"Assuming this term has a common-sense meaning (to the extent this exists), then the application to the whole class of technology creates a far too narrow characterisation of what constitutes a systemic weakness or vulnerability."

The groups also pointed out that the current threshold to use the laws, investigating offences with a maximum prison term of 3 years or more, would include prank calls and the improper use of emergency call services. To match the threshold in the Telecommunications (Interception and Access) Act 1979, the groups recommend it be bumped up to at least seven years.

Alongside the removal of Technical Assistance Notices (TANs) altogether, the submission said the consultation requirements for TANs and Technical Capability Notices (TCNs) should be strengthened.

"It appears that many of the requirements can easily be avoided by the requesting agency simply stating that the request is urgent (something that it is easy to imagine agencies would almost invariably do)," it said.

"Further, the processes underlying the consultation requirements are somewhat unclear and/or mean that effective consultation can be bypassed."

The groups also called for the legislation to be amended to allow providers to be fully compensated for the cost of compliance and to recoup the cost of any damage incurred as a result. They also want it to ensure that a request or notice is issued to the head of an organisation, not an employee, and that where this does not happen, the information is allowed to be shared with management.

"The legislation shows a blatant disregard for and misunderstanding of how the Internet works, how online encryption operates and is used to secure millions of legitimate communications every day, and will almost certainly not prevent a single act of terrorism, child abuse or other serious crime that couldn't have been prevented otherwise," Information Technology Professionals Association director Robert Hudson said.

"Instead, the privacy and security of law-abiding citizens is now almost certain to be compromised for commercial, criminal, or other non-legitimate purposes as tools prove to be as useful as a chocolate teapot for the purpose they were developed for, and instead are released or leaked into the hands of those who would do us harm."
