Compromises don't fix "flawed" encryption Bill
Digital Rights Watch has slammed Labor for backing down on its opposition to the government’s controversial encryption Bill, despite cautiously welcoming the proposed changes to the Bill negotiated in compromise.
Despite indications from Labor as early as last weekend that the party will break from the traditional bipartisanship on national security issues and oppose rushing through the controversial Bill, the party has reportedly negotiated a compromise position with the government.
Proposed changes to the legislation will include an ongoing committee process into 2019 rather than pushing it through this year, limiting the scope of the Bill to serious offences only and greater oversight of the main point of contention in the Bill, the Technical Capability Notice (TCN) powers.
These powers would allow law enforcement and authorities to compel providers of technology devices and services to take action to allow investigators to access encrypted communications — powers which the Bill’s many critics say would have the effect of weakening encryption itself.
“We are disappointed that, after a brief moment of standing up for the digital rights of everyday Australians, the Labor Opposition has chosen the route of bipartisanship on national security issues, as always,” said Digital Rights Watch Director Lizzie O'Shea.
“This was an opportunity to push back against a clear scaremongering campaign from a desperate and weak government — instead it is a compromise that will have long-lasting effects on the digital infrastructure of Australia as a whole.”
While she said the body welcomes the proposed changes to limit the scope of the legislation, these changes represent a mere drop in the bucket for a fundamentally flawed Bill.
“Make no mistake — this Bill is still deeply flawed, and has the likely impact of weakening Australia’s overall cybersecurity, lowering confidence in e-commerce, reducing standards of safety for data storage and reducing civil right protections,” she said.
“In its very design, it is antithetical to human rights and core democratic principles. Lawmakers are on notice that they will be responsible for the consequences of introducing weaknesses into our digital infrastructure — including adverse consequences borne by everyday people who rely on encryption to go about their daily lives in a digital society.”
Telecoms industry body the Communications Alliance meanwhile welcomed the additional oversight of enforcement agencies and the actions taken under the legislation, but warned that the Bill fails to address one of the biggest flaws in the proposed legislation, and a dangerous loophole.
“Commentary from the major parties over the past 24 hours has focused on putting some additional safeguards around [TCNs],” Communications Alliance CEO John Stanton said.
He noted that TCNs can be used to order communications providers to perform tasks including removing electronic protections from networks or devices, installing and maintaining software — such as malware and spyware — and concealing the fact that services have been altered or substituted. Therefore, any attempt to increase the safeguards around these notices is to be welcomed, Stanton said.
“Importantly, however, it appears that nothing will be done to limit the powers available to agencies via Technical Assistance Notices (TANs), which are just as dangerous as TCNs but operate with much less oversight and with fewer protections,” he said.
“TANs can be used for exactly the same purposes as TCNs — the same list of actions, and more. But TANs do not require any approval by the Attorney-General; do not require any consultation period with the communications provider and thus can take immediate effect; and can be issued, and subsequently varied by delegated officers within enforcement agencies, not just by the head of that agency.”
Stanton warned there is a real risk that even if additional protections are introduced for TCNs, agencies will merely exploit the loophole in the Bill that will allow them to simply use TANs instead.
“Any agreed amendments to the Bill need to close this loophole,” he said. “Numerous industry groups, including Communications Alliance, have highlighted this problem in testimony before the Parliamentary Joint Committee on Intelligence and Security (PJCIS). It needs to be addressed urgently before any legislation is returned to parliament.”
Meanwhile, the body is still awaiting the details of the proposed additional controls on TCNs, and whether they will provide the expected protections for consumers and industry.
Stanton also noted that the agency is waiting to see the outcome of attempts to define “systemic weakness” as a result of the proposed compromises. The proposed legislation would purport to prohibit the introduction of such weaknesses, but in its current form it lacks a definition.
“A reported statement from the Attorney-General as to government thinking about this definition is disturbing. The Attorney-General is reported overnight to have, at a press conference, described a systemic weakness as ‘a weakness that would affect all applications on all devices at any given single point in time’,” he said.
“Such a narrow definition would leave the door open to damaging consequences. For example, under the proposed definition, if an agency ordered a communications provider to install spyware on every smartphone they sold in, say, the State of Victoria, this act would introduce enormous vulnerabilities and risk to millions of Australians but would not be serious enough to classify as a systemic weakness.”
Likewise, a direction for a smartphone manufacturer to trigger spyware to be installed on their devices for all users selecting a specific language, for example, would not fall under the definition.
Finally, the Australian Cyber Security Growth Network (AustCyber) has stated that it will shortly receive a brief from the Department of Home Affairs on the details of the Bill, and that if the legislation is passed the body will advocate to have it implemented in a way that minimises the economic impact on Australia’s cybersecurity sector.
Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.
The AI regulation debate in Australia: navigating risks and rewards
To remain competitive in the world economy, Australia needs to find a way to safely use AI systems.
Strategies for navigating Java vulnerabilities
Java remains a robust and widely adopted platform for enterprise applications, but staying ahead...
Not all cyber risk is created equal
The key to mitigating cyber exposure lies in preventing breaches before they happen.