Australia's two largest telcos, Telstra and Optus, have called for the government to create an efficient consultation process every time it asks for assistance under the nation's proposed new anti-encryption laws.
The Bill proposes three ways for the government to request or demand assistance in accessing communications from any "designated communications provider". Such a provider can be virtually any kind of individual or organisation that manufactures, provides, or maintains any kind of communications equipment or services, or even an "information service". The three mechanisms are:
- Technical Assistance (TA) Requests, which are described as voluntary requests, but which may be the least constrained;
- Technical Assistance (TA) Notices, which are compulsory notices for a communication provider to use an interception capability they already have; and
- Technical Capability (TC) Notices, which are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices.
While the two kinds of notices can only be issued if they are "reasonable, proportionate, practicable, and technically feasible", the Bill only specifies a consultation process for the TC Notices.
"The decision maker will need to obtain information from the designated communications provider (DCP) about these matters. Accordingly, we believe a consultation process should also be specified for a TA Notice. Further, the 'specified period' in the notice needs to be reasonable and the requirement to consult should expressly allow consultation timeframes to be extended," wrote Telstra in its submission [PDF].
"In setting timeframes, the decision-maker should take account of the DCP's standard development and release cycles, the availability of relevant engineering and technical resources, the impacts on other planned service and network updates, the time required by a DCP to undertake their normal rigorous implementation, integration, and regression and quality testing, etc."
Telstra asked for the new law to make it clear that it can't be used to access the content of communications.
"The [original] Explanatory Document [PDF] states on a number of occasions the draft Bill is not intended to change the existing mechanisms that agencies use to lawfully access telecommunications content and data for investigations and that the intention is that agencies use existing warrant powers for such access," Telstra writes.
These powers exist primarily in the Telecommunications (Interception and Access) Act 1979.
As ZDNet has reported, the fact that the TA and TC notices are issued administratively by the requesting agency, not by an independent third party as happens with a warrant, could create a way to access communications without a warrant.
If this new legislation isn't meant to allow warrantless access to communications content, then Telstra wants to see that written into the law.
Telstra has also called for the legislation to make it clear that a TA Notice may not ask them to develop a technical capability they don't already have; for the format of requested data to "reference appropriate technical standards and/or be agreed with industry"; for the immunity provisions to be extended to any downstream customers who might be involved with or affected by any actions taken; and for a prohibition on DCPs being asked to do anything that would otherwise be a criminal offence.
Optus has echoed Telstra's concerns, and the company's submission [PDF] sketches out in more detail the processes they would like to see.
Before any Notice or Request is issued, Optus wants "a mandatory consultation step requiring agencies to consult service providers prior to finalising and issuing" the document. A similar mandatory consultation should be part of any variation or revocation.
Optus has also called for "further guidance to decision-makers requiring them to have regard to information submitted by a service provider in forming judgements about whether the decision-making criteria of 'reasonable and proportionate' and 'practicable and technically feasible' are met for each type of assistance request or notice".
This process should also include a "mandatory requirement" for an "efficient form of contracting".
"For example a standard form contract might be mandated or determined to cover key areas, which is then only varied in pre-determined areas to insert a description of the assistance, the agreed cost and payment arrangements, and any relevant special conditions," Optus wrote.
The telco said it will need to "stand prepared to initiate significant scoping and compliance programs" in response to this new regime.
"Optus already has major commercial, IT, and network programs in flight and which are scheduled for implementation over the next three years. In practical terms, the assistance regime may disrupt these plans," it said.
The Assistance and Access Bill 2018 has been referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS). The public consultation period is brief. Submissions close on October 12, with public hearings expected to be held on October 19.