Encryption Bill sent to joint committee with three week submission window

Fresh from rushing the legislation into Parliament, the government will ram its legislation through the Parliamentary Joint Committee on Intelligence and Security.

Australia's encryption-busting legislation has been referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), with the public given a mere three weeks to make a submission, before hearings are set to follow the week after.

Submissions must be made by Friday October 12, and a hearing is set for Friday October 19.

"In its inquiry, the committee will consider and review the provisions of the Bill. In addition the committee will examine safeguards and limitations in the Bill that are intended to ensure that communications providers cannot be compelled to build systemic weaknesses or vulnerabilities into their products that undermine the security of communications," committee chair Andrew Hastie said on Friday.

Speaking on Thursday, Communications Alliance CEO John Stanton said a sign of how seriously the government took the consultation process would be the time given to the committee to report back.

"If you see them refer it to the committee and say 'Come back to us in four weeks', you'll know that is one more chapter of a consultative and an inquiry process that is a sham," Stanton said.

At the time of writing, a date to report back was not posted on the inquiry website.

Stanton said the encryption-busting legislation -- which would allow the nation's police and anti-corruption forces to ask, before forcing, internet companies, telcos, messaging providers, basically anyone deemed necessary, to break into whatever content they want access to -- set a new benchmark for "outrageous and cheeky" legislation, a mark previously held by the Telecommunications Sector Security Reforms (TSSR).

Labelling the original drafting of the TSSR Bill as a shocker, Stanton said at least it was widely consulted on, and went to a number of committees before amendments were made; however, the government did not fulfil all its obligations.

"On TSSR, the [PJCIS] identified a number of remaining weaknesses in the legislation and made recommendations to government about how to fix them, they'd worked with industry on that and it was a good collaborative effort. The government's response was: 'Tell you what, we don't need to amend the Bill, we're going to fix it all by issuing revised administrative guidelines and deal with it that way'," he said.

"The department said to industry: 'We'll have all that done by the end of six months' -- of the twelve month implementation period -- 'don't worry, you won't have to rush to figure out what those revisions mean and how to comply with them'.

"So this week the act came into force, revised guidelines? Yeah, nah -- haven't shown up, and no explanation from the department as to whether or when they will ever keep that commitment."

The government made some minor tweaks to the legislation it rushed into parliament yesterday: allowing service providers to use violation of another nation's law as a defence; laying out a list of criteria for those issuing compulsory notices to have regard to, including the "legitimate expectations of the Australian community relating to privacy and cybersecurity"; and removal of a clause allowing for use to protect public revenue.

Patrick Fair, partner at law firm Baker McKenzie, told ZDNet the changes were a step forward, but failed to take the concerns expressed by the technical community into account.

"I think the listing of criteria is interesting, although it is probably in the opposite direction to what people were hoping for," Fair told ZDNet. "What the submissions asked for ... is something which measures down the meaning of reasonable and proportionate by relating it to the reason that the particular assistance is being sought."

Fair said the criteria are so broad that it would now be harder for a service provider to say compliance is costly and risky than it was before. But even disputing a decision is going to be hard.

"The way they've set it up, it's an administrative decision by a government decision-maker, so it's not something that is easy to overturn, probably," he said.
