The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 introduced into the House of Representatives today

September 20, 2018

The Attorney General has introduced The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 today. It is a monolith of a Bill, extending beyond 300 pages. The Explanatory Memorandum is of similar length. Its subject matter has been the subject of significant debate between the rarified world of privacy, digital and techie activists and experts on one side and law enforcement and the Federal Government on the other. Its aim is to permit law enforcement to access encrypted communications.

The Minister’s second reading speech provides:

That this bill be read a second time.
New communications technology, including encryption, is eroding the capacity of Australia’s law enforcement and security agencies to investigate serious criminal conduct and protect Australians.

The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 contains amendments to various legislation to create a package of reforms that strengthens the ability of Australia’s law enforcement and national security agencies to deal with the challenges of encryption.
Encryption underpins modern information and communication technology. It is a tool that protects personal, commercial and government information and supports confidence in a secure cyberspace. These technologies allow us to confidently transact online and to use the internet for services such as banking and shopping.
However, criminal syndicates and terrorists are increasingly misusing and, indeed, exploiting these technologies.
Terrorist organisations in Australia and overseas are using secure messaging services to obscure their identities and plans from the authorities. For example, ISIL-inspired terrorists used secure messaging services to plan the November 2015 Paris attacks.
The lack of access to encrypted communications presents an increasingly significant barrier for national security and law enforcement agencies in investigating serious crimes and national security threats.
According to ASIO, encryption has impacted intelligence operations in at least nine out of every 10 of its priority cases.
The AFP advise that encrypted communications have directly impacted around 200 operations conducted by the AFP in the last 12 months, all of which related to the investigation of serious criminal offences carrying a penalty of seven years imprisonment or more.
The uptake of encrypted communications platforms by criminal and terrorist groups has been sudden. It represents a seismic shift in the operational environment for our law enforcement and security agencies.
In June 2013, only three per cent of internet communications intercepted by ASIO, under warrant, were encrypted.
By 1 July 2017, that figure had increased to more than 55 per cent. Most of the material of intelligence value is in the encrypted proportion.
Similarly, more than 90 per cent of data lawfully intercepted by the AFP is now encrypted in some form.
No responsible government can sit by while those who protect our community lose access to the tools they need to do their job. In the current threat environment, we cannot let this problem get worse.
The bill represents a package of reasonable and proportionate measures which will enhance our approach. The government has undertaken extensive industry and public consultation on the bill and has made amendments to account for the constructive feedback received.
The supply of communications is a global industry. With major technology providers headquartered overseas, we must work with international partners to adapt to a world characterised by ubiquitous encryption. The communications industry is in a unique position to assist in tackling the challenges we face.
Encrypted products are developed and operated by a range of private providers—both inside and outside of Australia—and in a range of forms across the communications supply chain.
National security and law enforcement agencies already work cooperatively with industry partners on these issues, to protect Australians.
The bill seeks to enhance those existing relationships to achieve lawful and non-arbitrary access to available information in the context of serious criminal and national security threats.
It complements the existing obligations of domestic service carriers to provide reasonable assistance to law enforcement under the Telecommunications Act 1997.
The bill facilitates a multilevel approach to industry assistance, creating a framework to support the wide range of providers that assist law enforcement and intelligence agencies voluntarily, including foreign providers.
This is reinforced and clarified by the creation of two new powers: the technical assistance notice and the technical capability notice.
Technical assistance notices will be issued by an agency head or their delegate to compel assistance that a provider is capable of giving.
Technical capability notices will be issued by the Attorney-General and require a company to take reasonable steps to develop and maintain a capability to respond to agency requests.
The legislation will not weaken encryption or mandate backdoors into encryption. The bill specifically provides that companies cannot be required to create systemic weaknesses in their encrypted products, or be required to build a decryption capability.
This is also not a new vehicle to collect personal information. Surveillance and interception must be authorised by existing warrants and authorisations, which are subject to their own safeguards, including judicial oversight.
The bill requires that any obligations within a technical assistance notice and technical capability notice are reasonable, proportionate, practicable and technically feasible. We are not in the business of asking industry to do the impossible.
The legislation provides for cost recovery by providers for complying with new requirements and also provides immunity from civil liability.
Alternative capabilities for law enforcement
Modern information and communications technology has provided more ways to stay connected and to store information. These capabilities include a wide variety of electronic protection. Agencies need expanded capabilities to adapt and to meet the needs of the evolving digital environment.
To this end, the bill provides law enforcement agencies with additional powers for overt and covert computer access. Computer access involves the use of software to collect information directly from devices. Commonwealth, state and territory law enforcement agencies would be able to use this power to investigate offences with a federal aspect.
The Surveillance Devices Act will include a new covert computer access power for law enforcement, like those powers currently available to ASIO. This will enable law enforcement agencies to apply for computer access warrants when investigating serious federal crimes with a maximum penalty of three years imprisonment or more, including terrorism and child exploitation.
The cross-border storage of information and overseas location of service providers makes Australia’s mutual assistance framework critical in enabling Australian and foreign authorities to gain access to information to inform investigations and to obtain evidence. Under that framework, foreign authorities will be able to make a request to the Attorney-General to authorise an eligible law enforcement officer to apply for, and execute, a computer access warrant to assist in a foreign investigation or investigative proceeding.
Amendments will be made to the Crimes Act search warrant framework to ensure law enforcement officers do not have to physically be on premises in order to access a computer under a search warrant. Amendments to the Customs Act will enable a judicial officer to issue a search warrant authorising the ABF to search a device (such as a smartphone) held on a person. Currently, devices can only be searched when found on a premise or premises.
The Crimes Act and the Customs Act will be amended to increase the maximum penalty for a person who fails to provide assistance to law enforcement in accessing a device which is the subject of a search warrant.
These assistance orders must be issued by a judicial officer. The maximum penalty will be increased to five years. An aggravated offence will be created for serious offences like espionage, terrorism, child exploitation and pornography, with a maximum penalty of 10 years imprisonment.
The increased penalties for noncompliance with orders for access to a device reflect the value of evidentiary material on devices and the fact that persons who have undertaken criminal activity would rather accept the current low penalties than provide data that could be evidence in a more serious prosecution.
Given the increased complexity of devices and higher volumes of data stored, law enforcement agencies will now have 30 days to conduct forensic examinations of seized computers and data storage devices. This is an increase on the currently inadequate 14-day time frame for police forces and 72-hour period for the Australian Border Force.
ASIO powers
ASIO is responsible for investigating some of the gravest threats to Australia’s national security, including espionage, terrorism and attacks on Australia’s defence systems. ASIO’s ability to collect intelligence using traditional means, such as telecommunications interception, is declining due to encryption.
To mitigate this decline, the bill will introduce a new framework to ensure that persons and bodies who voluntarily assist ASIO are given appropriate legal protections for this assistance. The purpose of this new framework is to give members of the public the highest degree of confidence that they may lawfully help ASIO to protect Australia’s national security.
The bill demonstrates the government’s commitment to ensuring that law enforcement and national security agencies have the tools they need to keep Australians safe. The government has consulted extensively with industry and the public on these measures and has made amendments to reflect the feedback in the legislation now before the parliament. The government is committed to ensuring that our legislative response to the challenges of an evolving technological landscape is reasonable, is proportionate and meets national security and law enforcement needs. I commend this bill to the House.
There have been opinion pieces in the media today, with the pro-Bill, law-and-order-themed “it – will – help – fight – crime – and – get – the – terrorists – and – paedos” piece “New bill empowers police in their fight against online-enabled crime”. A stolid we need it and you can trust us piece. ZDNet is far less complimentary with its “Australian encryption Bill raises bar for outrageous legislation: Comms Alliance”. This ties in with the earlier “Internet Architecture Board warns Australian encryption-busting laws could fragment the internet” and “Australia’s anti-encryption law will merely relocate the backdoors: Expert”.
The techies hate the Bill while the law and order types think it is the last best word on crime fighting.  The power lies with the latter at the moment.

As for me, I think it is the legislative and technical equivalent of that famous saying from the Vietnam war of “It became necessary to destroy the town to save it.” The likely costs of implementing this complex legislation will be significant. But where it will really have an impact is on trust. Young users are fickle and wary of any intrusion into their communications. The US National Security Agency’s PRISM program of intercepting and reading communications and capturing their data smashed trust in the US and ruined the reputation of tech companies that co-operated, such as Yahoo. The other issue is unintended consequences. Encrypted communications are so fundamental to commerce online that it will have an impact on the way business is done and interaction with overseas sites.

Another issue that this Bill does not address is that encrypted programs based outside Australia remain accessible, and their operators do not care about Australian laws.

The Australian article provides:

I am often asked what the challenges are for police in keeping Australia safe. My answer is that we must always have the tools and capabilities to keep up with serious criminals, especially those trying to evade the law by hiding behind technology.

Today the government will introduce the Assistance and Access Bill 2018 to parliament, and I welcome its arrival. The Australian Federal Police has been working closely with government for some time to ensure we have appropriate legislation to assist members of my force to combat crimes that are increasingly being perpetrated online and through mobile technologies.

The use of encryption underpins modern information and communications technology, and we value knowing that our online communications and transactions are protected. Encryption protects personal, commercial and government information and promotes confidence in a secure cyberspace.

Sadly, encryption is also used by those who would do us harm, be they terrorist groups, organised criminals seeking to steal our money or hijack our identity online, those who conspire to exploit or groom our children, or target the businesses that underpin our economy. More than 90 per cent of telecommunications being lawfully intercepted by the AFP now uses some form of encryption. This makes the job of accessing these communications to investigate crime increasingly difficult.

With appropriate authority and oversight, police have the power to intercept communications. This bill does not change that in any way. What this bill does, in essence, is give police a fighting chance to be able to obtain those communications in an era when the information that we gather is encrypted by default.

Importantly, this bill includes safeguards to ensure the privacy of Australians — the integrity of our personal devices is not compromised. There is no “backdoor” opportunity for any agency, as the bill does not change the existing mechanisms that must be lawfully used to access telecommunications content and data for investigations.

Co-operation is at the heart of this legislation. The AFP has always enjoyed a strong working relationship with domestic and international communication providers.

Industry assistance in supporting the AFP could include the ability to monitor the locations of a phone, which is an extremely valuable investigative tool. For instance, where a child has been abducted, location tracking provides valuable information that can further inform investigators and assist physical surveillance activity. However, at present only some domestic telecommunications carriers have the network infrastructure to support police in providing this near-real-time location information.

The increasing use of cloud services to communicate, store and back up information makes access to these cloud services a valuable source of evidence against serious criminal behaviour. The ability to directly access these services during the search of a premises pursuant to a lawful search warrant is a power already conferred on the AFP. Perpetrators, including those who are part of pedophile networks, organised crime syndicates or terrorist cells, are not always willing to furnish the passwords to provide access, even when served with an order to do so.

Aspects of this bill will assist the communications provider to facilitate timely access to cloud-based backups, data and communication services, including closed forums. This could enable the identification of evidence or other participants, and even help disrupt planned future activity.

I encourage those who would seek to criticise the bill to understand the context in which it has been brought forward.

In my opinion, the Assistance and Access Bill is an effective modernisation of existing powers to assist law enforcement agencies to protect Australians. It strikes the right balance between guaranteeing the civil liberties and privacy of Australians while ensuring that the AFP and our counterpart agencies in the states and territories have the ability to protect Australians in today’s rapidly changing digital world. I look forward to working with parliament to progress this critical legislation.

The ZDNet article provides:

A little over a week since the window closed for public submissions on the government’s draft Assistance and Access Bill, Minister for Home Affairs Peter Dutton on Thursday introduced the Bill into the House of Representatives.

“The legislation will not weaken encryption or mandate backdoors into encryption. The Bill specifically provides that companies cannot be required to create systemic weaknesses in their encrypted products, or be required to build a decryption capability,” Dutton said in a second reading speech.

“The Bill provides law enforcement agencies with additional powers for overt and covert computer access. Computer access involves the use of software to collect information directly from devices.”

Dutton’s optimistic view of the Bill was not shared by a panel of experts discussing it on Thursday morning in Sydney, who pointed out the Bill is problematic due to lacking definitions of basic terms like “systemic weakness”, being very wide ranging in scope, and containing internal conflicts.

Released as a draft in mid-August, the Bill provides for Australian interception agencies — defined within the Bill to be Australian federal, state, or territory police forces and anti-corruption bodies — to issue voluntary requests for assistance to strip “electronic protections” from communications either as a wide-ranging voluntary request without oversight, or as compulsory notices that are more constrained and do have oversight.

Experts have labelled the voluntary requests the most dangerous part of the legislation.

Striking out at the process, Communications Alliance CEO John Stanton said the government has hit a new benchmark in terms of “outrageous and cheeky” legislation, a mark previously held by the Telecommunications Sector Security Reforms (TSSR).

“You almost have to congratulate them about the way that they have constructed the elements of this legislation which, when you view each of them on their own, looking concerning, [and] when you combine them, definitely scary,” Stanton said at a Communications Alliance and Baker McKenzie forum.

“When you think about the scope of the Bill, where it expands on an unholy trinity of how many agencies can take advantage of the powers of the legislation, how many players in Australia and abroad that it seeks to direct and control, and the virtually unlimited scope of the acts that it can require to be undertaken — that really is breathtaking, I think.

“And when you look into those acts about the potential to remove electronic protection, to give up source code, to install software to create systemic weaknesses in devices, that really opens up a Pandora’s box.”

Stanton said he was concerned that such a complex piece of legislation was able to clear the Coalition party room so quickly.

“One of the key indicators will be when the government introduces the Bill and refers it to PJCIS [Parliamentary Joint Committee on Intelligence and Security] — which I expect they will do — will be the amount of time that they give the PJCIS to report,” he said.

“If you see them refer it to the committee and say ‘Come back to us in four weeks’, you’ll know that is one more chapter of a consultative and an inquiry process that is a sham.”

Labelling the original drafting of the TSSR Bill as a shocker, Stanton said at least it was widely consulted on, and went to a number of committees before amendments were made, however the government did not fulfil all its obligations.

“On TSSR, the [PJCIS] identified a number of remaining weaknesses in the legislation and made recommendations to government about how to fix them, they’d worked with industry on that and it was a good collaborative effort. The government’s response was: ‘Tell you what, we don’t need to amend the Bill, we’re going to fix it all by issuing revised administrative guidelines and deal with it that way’,” he said.

“The department said to industry: ‘We’ll have all that done by the end of six months’ — of the twelve month implementation period — ‘don’t worry, you won’t have to rush to figure out what those revisions mean and how to comply with them’.

“So this week the act came into force, revised guidelines? Yeah, nah — haven’t shown up, and no explanation from the department as to whether or when they will ever keep that commitment.”

The draft legislation was alarming enough that it drew out the Internet Architecture Board (IAB), which warned the Bill’s provisions represented an existential threat to the internet’s security and integrity.

IAB chair Ted Hardie stated a method to compel an infrastructure provider to break encryption or provide false trust arrangements will introduce a systemic weakness that threatens to erode trust in the internet itself.

“The mere ability to compel internet infrastructure providers’ compliance introduces that vulnerability to the entire system, because it weakens that same trust,” Hardie said. “The internet, as a system, moves from one whose characteristics are predictable to one where they are not.”

If similar legislation were implemented by other jurisdictions, the IAB said the end result could be the fragmentation of the internet itself.

“This approach, if applied generally, would result in the internet’s privacy and security being the lowest common denominator permitted by the actions taken in myriad judicial contexts. From that perspective, this approach drastically reduces trust in critical internet infrastructure and affects the long term health and viability of the internet.”

During Thursday’s panel, the provisions of the Bill to require corporations to violate other nations’ laws to comply with Australian law were highlighted as particularly problematic.

At the same time in Canberra, the Home Affairs Minister was stating the Bill was reasonable and proportionate.

“The government has undertaken extensive industry and public consultation on the bill and has made amendments to account for the constructive feedback received,” Dutton asserted in a second reading speech.
