Labor's plan to fix Australia's encryption laws doesn't go far enough

The new Bill to require judicial oversight and a clarification of definitions is a great start, Labor says, but the Assistance and Access regime needs reining in much more tightly.

Australia is reviewing its metadata and encryption laws ZDNet's Chris Duckett tells TechRepublic's Karen Roby that an Australian parliamentary committee is looking into the nation's controversial laws, but it is no reason to pop champagne. Read more: https://zd.net/2YhRrHG

On Tuesday the Labor Party announced it would attempt to fix Australia's controversial encryption laws. Yes, the laws that Labor itself voted for in December 2018, enabling the government to get them over the line.

The text of the Telecommunications Amendment (Repairing Assistance and Access) Bill 2019 was then tabled on Wednesday. It's worth looking at, as much for what it omits as what it includes.

The two main features of the Bill are inserting judges into the approval process, and trying to clarify what law enforcement and intelligence agencies can and can't demand from communications providers.

How the Assistance and Access Act works today

Under the laws as currently written, agencies can issue:

  • Technical Assistance Notices (TAN), which are compulsory notices for a "designated communication provider" to use an interception capability they already have;
  • Technical Capability Notices (TCN), which are compulsory notices for a designated communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
  • Technical Assistance Requests (TAR), which are "voluntary" requests, but really, how could you refuse?

A voluntary TAR can be issued by the director-general of the Australian Security and Intelligence Organisation (ASIO), the Australian Secret Intelligence Service (ASIS), or the Australian Signals Directorate (ASD), or by the chief officer of an "interception agency" -- the Australian Federal Police (AFP), the Australian Crime Commission (ACC), and the state and territory police forces provided they get the approval of the AFP Commissioner.

A compulsory TAN can be issued by any of those, apart from ASIS and ASD. Australia's two international spy agencies don't have domestic powers.

A TCN can only be issued by the Attorney-General following a request from ASIO or an interception agency, and only with the approval of the Minister for Communications.

How Labor's bill would change things

Under Labor's proposal, that structure stays much the same. But as well as an underlying warrant to access the communications in the first place, a TAN, TCN, or TAR would also have to be approved by a judge.

Free PDF

Australia’s encryption laws: An insider’s guide

Australia now has world-first encryption laws. This guide explains what the laws can do, what they cannot do, and how Australia ended up here.

Read More

If passed, that would address one of the biggest problems with the law, the lack of independent oversight.

The Bill would also dump the clumsy and confusing definitions of "electronic protection", "systemic vulnerability", "systemic weakness", or "target technology" and replace them with language that is intended to be clearer.

The terms "systemic weakness" and "systemic vulnerability" remain as things that the government can't ask for. They'd now be described as "implement or build a new decryption capability", "one or more actions that would render systemic methods of authentication or encryption less effective", and "any act or thing that would or may create a material risk that otherwise secure information would or may in the future be accessed, used, manipulated, disclosed, or otherwise compromised by an unauthorised third party".

The "acts or things" that agencies can ask for would also be limited to the specific things listed in in section 317E of the Telecommunications Act.

And when assessing whether a proposed Act or thing would be legal, the greatest weight would now be given to the questions of whether a systemic weakness or systemic vulnerability would be created, or whether it would breach the restrictions on TCNs listed in section 317ZGA.

That would be a clear win for the interests of citizens and the tech industry over the cops and spooks.

The rest of the 14-page Bill is largely about reporting and oversight arrangements. One of my favourites would be removing the power of the Minister for Home Affairs to "edit and delete information included in reports made by the Commonwealth Ombudsman".

It would also remove the power of the minister to add new "acts or things" via a ministerial determination. Proper parliamentary scrutiny would now be required.

What's missing: limiting the encryption laws to properly serious crimes

Throughout the debate on these laws, politicians have stressed how they're needed to fight the most heinous of crimes. Terrorism. Child abuse. The illegal drug trade. The usual suspects. But that's misleading.

The encryption laws apply to investigating "serious Australian offences", sure, but those are defined as any federal, state, or territory crime "punishable by a maximum term of imprisonment of 3 years or more or for life".

Look around the various jurisdictions. You'll soon find this could cover such existential threats as graffiti, criminal damage, menacing phone calls, or even pranks.

As I've written previously, it certainly includes white-collar crime like fraud or criminal negligence. The law could then potentially scoop up communication within almost any enterprise software application or service.

Labor's Bill does nothing to change this.

Nor does it address the persistent fears that employees could be secretly dragooned into working for the cops or spooks. Some legal analysts say they're overblown, but those fears are certainly still a thing.

Labor's challenge is breaking national security's bipartisan tradition

The big question, of course, is whether Labor can get this bill through parliament. The Senate, sure, because Labor and The Greens have the numbers. But in the Coalition-controlled House of Representatives?

Labor is obviously betting on the government supporting this bill because, effectively, it doesn't ask for anything more than the amendments that were already circulating before the federal election back in May. None of these amendments are controversial.

But addressing other issues, and to address Australia's vast array of national security and surveillance laws more broadly, will be a challenge.

The problem is the continual conflation of cybersecurity and law enforcement with national security.

All are important, of course, but Australian political parties collapse like Superman confronted with kryptonite in the face of anyone waving the national security wand.

No one wants to be "soft on security" or "weak on border protection", but no one seems to have the spine to say "Sure, but what you're proposing is wrong".

Changing that narrative would require a long-term effort to reframe the debate. One where national security is discussed in terms of protecting our freedoms as much as crushing over-hyped threats, both real and imaginary.

It would require Labor absorbing a few hits in the polls as the government fired off the usual clichéd attacks on anyone criticising national security arrangements.

But it's three years until the next federal election. It's a campaign not a battle. Labor can afford to ignore the polls for a while, if they have the stomach for it.

Related Coverage