As the Australian government rushed its encryption-busting Bill into the House of Representatives yesterday, the introduced legislation differed from the previously released draft.
Among the changes: allowing service providers to raise as a defence that complying with a notice would violate the laws of a foreign country; removing a clause that allowed the powers to be used to protect public revenue; setting out a list of criteria that those issuing compulsory notices must have regard to, including the "legitimate expectations of the Australian community relating to privacy and cybersecurity"; and introducing a mechanism for a third party to assess and report on whether a systemic weakness would be introduced.
According to Patrick Fair, partner at law firm Baker McKenzie, the changes are a step forward, but fail to take the concerns expressed by the technical community into account.
"I think the listing of criteria is interesting, although it is probably in the opposite direction to what people were hoping for," Fair told ZDNet. "What the submissions asked for ... is something which measures down the meaning of reasonable and proportionate by relating it to the reason that the particular assistance is being sought."
Fair said the criteria are so broad that it would now be harder than before for a service provider to argue that compliance is costly and risky. Even disputing a decision is going to be hard.
"The way they've set it up, it's an administrative decision by a government decision-maker, so it's not something that is easy to overturn, probably," he said.
When a Technical Capability Notice (TCN) is issued, a consultation period of at least 28 days begins, during which a third party agreed between the Attorney-General and the service provider may now conduct an assessment and produce a report.
"On one hand it's good in the sense that if you are a service provider, you can have issues associated with a Technical Capability Notice addressed through this; you might have confidence that the third party you've agreed to appoint is going to tell the government that it could have this adverse effect, so that's quite comforting," Fair said. "But on the other hand it also means you're going to have a report which pretty much binds you to the outcome."
Fair added that even though the explanatory memorandum accompanying the Bill distinguishes between assistance notices and capability notices, in the legislation itself they look the same.
"So you have this Technical Assistance Notice where there is no consultation period, where there is no limit to what they can ask you to do, where there is no joint technical testing -- as there is here for the capability notice -- with that sitting there, why is anybody ever going to issue a capability notice?" he said. "It means that all the comfort around the capability notice can just be regarded as extra."
"Notices aren't being issued by a third party objectively on the criteria, they are administratively issued by the different agencies. A Technical Assistance Notice can be issued by the Tasmania Police whereas a Technical Capability Notice has got to go through the [Attorney-General]. Well, if you are the Tasmanian Police Force, why would you go to the AG? You'd just issue it yourself."
"You almost have to congratulate them about the way that they have constructed the elements of this legislation which, when you view each of them on their own, looking concerning, [and] when you combine them, definitely scary," he said.
"When you look into those acts about the potential to remove electronic protection, to give up source code, to install software to create systemic weaknesses in devices, that really opens up a Pandora's box."
The draft legislation was alarming enough that it drew out the Internet Architecture Board (IAB), which warned the Bill's provisions represented an existential threat to the internet's security and integrity.
IAB chair Ted Hardie said that a method to compel an infrastructure provider to break encryption or provide false trust arrangements would introduce a systemic weakness that threatens to erode trust in the internet itself.
"The mere ability to compel internet infrastructure providers' compliance introduces that vulnerability to the entire system, because it weakens that same trust," Hardie said. "The internet, as a system, moves from one whose characteristics are predictable to one where they are not."
If similar legislation were implemented by other jurisdictions, the IAB said, the end result could be the fragmentation of the internet itself.
When introducing the Bills on Thursday, Dutton said the legislation could not be used to force companies into weakening encryption or building decryption capability.
"The Bill provides law enforcement agencies with additional powers for overt and covert computer access. Computer access involves the use of software to collect information directly from devices," he said.
Draft legislation intended to give cops and spooks access to encrypted communications should keep encryption strong. But the powers it proposes aren't just about fighting paedophiles, terrorists, and organised criminals.