OAIC calls for sunset clause on encryption-busting Bill and warns of privacy risks

The Office of the Australian Information Commissioner is seeking greater transparency and judicial oversight for Australia's proposed Assistance and Access Bill.

The Office of the Australian Information Commissioner (OAIC) has called upon the Australian government to introduce a sunset clause in its encryption-busting Assistance and Access Bill, which would allow the nation's interception agencies to request or demand access to encrypted content.

The recommendation was made to give industry, enforcement agencies, and the public an assurance that Canberra would consider the effectiveness of the scheme and its oversight at some point, OAIC said in its submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security.

Alternatively, OAIC said it would settle for a parliamentary review akin to that used in the Telecommunications (Interception and Access) Act.

Despite the changes made to the Bill by the Department of Home Affairs, OAIC warned that the proposed laws still contain privacy risks.

Under the proposed law, Australian government agencies would be able to issue three kinds of notices and requests:

  • Technical Assistance Notices (TAN), which are compulsory notices for a communication provider to use an interception capability they already have;
  • Technical Capability Notices (TCN), which are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
  • Technical Assistance Requests (TAR), which are voluntary requests for assistance and which have been described by experts as the most dangerous of all.

Specifically, OAIC wants to see the terms "systemic weakness" and "systemic vulnerability" defined, and wants the provisions that prohibit service providers from building systemic weaknesses in response to compulsory notices extended to voluntary requests for assistance, particularly in the case of small providers that may not have the resources to determine whether complying with a TAR would.

OAIC is also calling for judicial oversight and technical assessment of all notices and requests before they are issued; consideration of whether a warrant is already in place for accessing the particular content; and for the legislation to spell out exactly what "acts or things" notices and requests can be used for.

"If passed, the Bill would invoke exceptions to the Australian Privacy Principles," OAIC said.

The office called on the government to include more practical examples of how the legislation would work in the Bill's explanatory memorandum, so that providers could more easily determine whether requests would create a systemic weakness or expose individuals who are not the target of an investigation to data misuse or unauthorised access.

"The OAIC considers that the Bill should ensure that weaknesses and vulnerabilities are not unintentionally created because the impact of a particular request is not fully understood by the agency or the designated service provider," the office warned.

In another submission made to the Parliamentary Joint Committee on Intelligence and Security -- which is currently reviewing the legislation as the government attempts to ram it through Parliament -- Cisco said the Bill would create backdoors.

"We have defined a 'backdoor' to include any surveillance capability that is intentionally created and yet not transparently disclosed," Cisco said.

"To the extent that the Bill would require via a TCN the creation of a capability while simultaneously preventing the [communication providers] from documenting the existence of that capability, the law would result in the creation of backdoors."

The networking giant said in its submission that in order to maintain customer trust, any "form of surveillance technique" in its products must be publicly disclosed.

"Cisco is most certainly not alone in having forsworn the existence of backdoors in technology products and services. As such, this issue is a significant concern that should be promptly addressed via an amendment to the Bill," the company said.

It further warned that other governments would likely follow Australia's lead if the Assistance and Access Bill is passed in its current form. Cisco also said it does not customise its lawful communication interception capabilities for any nation, and that all such capabilities are described in its product documentation.

"Without further amendment, we believe the net result of these changes would harm the security interests of Australia by setting a precedent that could be adopted by less liberal regimes," Cisco said.

Tasked with overseeing Australia's intelligence agencies, Inspector-General of Intelligence and Security (IGIS) Margaret Stone warned in her submission that technical assistance requests could allow for the voluntary creation of backdoors.

"This raises the legal possibility that ASIO, ASIS, or ASD could negotiate an agreement with a provider to voluntarily create or fail to remediate a 'backdoor'," Stone wrote.

"While it is foreseeable that many providers would decline any such request because it is incompatible with their commercial and reputational interests, the possibility appears to exist that an individual provider could be persuaded to do so, and, if so, compensated in accordance with a contract, agreement, or other arrangement."

Stone called on the government to add stronger reporting provisions to the Bill that would require agencies to notify IGIS when requests are made.

Speaking to the National Press Club last Wednesday, Minister for Home Affairs Peter Dutton said the changes already made to the Bill had resulted in it being compromised.

Dutton said Opposition Leader Bill Shorten needs to decide whether he is on the side of Silicon Valley multinationals or with "law enforcement and intelligence agencies in this country who want to protect Australians".
