The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 introduced into the House of Representatives today
September 20, 2018
The Attorney General has today introduced the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018. It is a monolith of a Bill, extending beyond 300 pages. The Explanatory Memorandum is of similar length. What it covers has been the subject of significant debate between the rarefied world of privacy, digital and techie activists and experts on one side and law enforcement and the Federal Government on the other. Its aim is to permit law enforcement to access encrypted communications.
The Minister’s second reading speech provides:
As for me, I think it is the legislative and technical equivalent of that famous saying from the Vietnam war of “It became necessary to destroy the town to save it.” The likely costs of implementing this complex legislation will be significant. But where it will really have an impact is on trust. Young users are fickle and wary of any intrusion into their communications. The US National Security Agency’s PRISM program of intercepting and reading communications and capturing their data smashed trust in the US and ruined the reputation of tech companies that co-operated, such as Yahoo. The other issue is unintended consequences. Encrypted communications are so fundamental to commerce online that it will have an impact on the way business is done and interaction with overseas sites.
The other issue that this Bill does not address is that there are encrypted programs, not based in Australia, that can be accessed here and whose operators do not care about Australian laws.
The Australian article provides:
I am often asked what the challenges are for police in keeping Australia safe. My answer is that we must always have the tools and capabilities to keep up with serious criminals, especially those trying to evade the law by hiding behind technology.
Today the government will introduce the Assistance and Access Bill 2018 to parliament, and I welcome its arrival. The Australian Federal Police has been working closely with government for some time to ensure we have appropriate legislation to assist members of my force to combat crimes that are increasingly being perpetrated online and through mobile technologies.
The use of encryption underpins modern information and communications technology, and we value knowing that our online communications and transactions are protected. Encryption protects personal, commercial and government information and promotes confidence in a secure cyberspace.
Sadly, encryption is also used by those who would do us harm, be they terrorist groups, organised criminals seeking to steal our money or hijack our identity online, those who conspire to exploit or groom our children, or target the businesses that underpin our economy. More than 90 per cent of telecommunications being lawfully intercepted by the AFP now uses some form of encryption. This makes the job of accessing these communications to investigate crime increasingly difficult.
With appropriate authority and oversight, police have the power to intercept communications. This bill does not change that in any way. What this bill does, in essence, is give police a fighting chance to be able to obtain those communications in an era when the information that we gather is encrypted by default.
Importantly, this bill includes safeguards to ensure the privacy of Australians — the integrity of our personal devices is not compromised. There is no “backdoor” opportunity for any agency, as the bill does not change the existing mechanisms that must be lawfully used to access telecommunications content and data for investigations.
Co-operation is at the heart of this legislation. The AFP has always enjoyed a strong working relationship with domestic and international communication providers.
Industry assistance in supporting the AFP could include the ability to monitor the locations of a phone, which is an extremely valuable investigative tool. For instance, where a child has been abducted, location tracking provides valuable information that can further inform investigators and assist physical surveillance activity. However, at present only some domestic telecommunications carriers have the network infrastructure to support police in providing this near-real-time location information.
The increasing use of cloud services to communicate, store and back up information makes access to these cloud services a valuable source of evidence against serious criminal behaviour. The ability to directly access these services during the search of a premises pursuant to a lawful search warrant is a power already conferred on the AFP. Perpetrators, including those who are part of pedophile networks, organised crime syndicates or terrorist cells, are not always willing to furnish the passwords to provide access, even when served with an order to do so.
Aspects of this bill will assist the communications provider to facilitate timely access to cloud-based backups, data and communication services, including closed forums. This could enable the identification of evidence or other participants, and even help disrupt planned future activity.
I encourage those who would seek to criticise the bill to understand the context in which it has been brought forward.
In my opinion, the Assistance and Access Bill is an effective modernisation of existing powers to assist law enforcement agencies to protect Australians. It strikes the right balance between guaranteeing the civil liberties and privacy of Australians while ensuring that the AFP and our counterpart agencies in the states and territories have the ability to protect Australians in today’s rapidly changing digital world. I look forward to working with parliament to progress this critical legislation.
The ZDNet article provides:
A little over a week since the window closed for public submissions on the government’s draft Assistance and Access Bill, Minister for Home Affairs Peter Dutton on Thursday introduced the Bill into the House of Representatives.
“The legislation will not weaken encryption or mandate backdoors into encryption. The Bill specifically provides that companies cannot be required to create systemic weaknesses in their encrypted products, or be required to build a decryption capability,” Dutton said in a second reading speech.
“The Bill provides law enforcement agencies with additional powers for overt and covert computer access. Computer access involves the use of software to collect information directly from devices.”
Dutton’s optimistic view of the Bill was not shared by a panel of experts discussing it on Thursday morning in Sydney, who pointed out the Bill is problematic due to lacking definitions of basic terms like “systemic weakness”, being very wide ranging in scope, and containing internal conflicts.
Released as a draft in mid-August, the Bill provides for Australian interception agencies — defined within the Bill to be Australian federal, state, or territory police forces and anti-corruption bodies — to issue voluntary requests for assistance to strip “electronic protections” from communications either as a wide-ranging voluntary request without oversight, or as compulsory notices that are more constrained and do have oversight.
Experts have labelled the voluntary requests the most dangerous part of the legislation.
Striking out at the process, Communications Alliance CEO John Stanton said the government has hit a new benchmark in terms of “outrageous and cheeky” legislation, a mark previously held by the Telecommunications Sector Security Reforms (TSSR).
“You almost have to congratulate them about the way that they have constructed the elements of this legislation which, when you view each of them on their own, looking concerning, [and] when you combine them, definitely scary,” Stanton said at a Communications Alliance and Baker McKenzie forum.
“When you think about the scope of the Bill, where it expands on an unholy trinity of how many agencies can take advantage of the powers of the legislation, how many players in Australia and abroad that it seeks to direct and control, and the virtually unlimited scope of the acts that it can require to be undertaken — that really is breathtaking, I think.
“And when you look into those acts about the potential to remove electronic protection, to give up source code, to install software to create systemic weaknesses in devices, that really opens up a Pandora’s box.”
Stanton said he was concerned that such a complex piece of legislation was able to clear the Coalition party room so quickly.
“One of the key indicators will be when the government introduces the Bill and refers it to PJCIS [Parliamentary Joint Committee on Intelligence and Security] — which I expect they will do — will be the amount of time that they give the PJCIS to report,” he said.
“If you see them refer it to the committee and say ‘Come back to us in four weeks’, you’ll know that is one more chapter of a consultative and an inquiry process that is a sham.”
Labelling the original drafting of the TSSR Bill as a shocker, Stanton said at least it was widely consulted on, and went to a number of committees before amendments were made, however the government did not fulfil all its obligations.
“On TSSR, the [PJCIS] identified a number of remaining weaknesses in the legislation and made recommendations to government about how to fix them, they’d worked with industry on that and it was a good collaborative effort. The government’s response was: ‘Tell you what, we don’t need to amend the Bill, we’re going to fix it all by issuing revised administrative guidelines and deal with it that way’,” he said.
“The department said to industry: ‘We’ll have all that done by the end of six months’ — of the twelve month implementation period — ‘don’t worry, you won’t have to rush to figure out what those revisions mean and how to comply with them’.
“So this week the act came into force, revised guidelines? Yeah, nah — haven’t shown up, and no explanation from the department as to whether or when they will ever keep that commitment.”
The draft legislation was alarming enough that it drew out the Internet Architecture Board (IAB), which warned the Bill’s provisions represented an existential threat to the internet’s security and integrity.
IAB chair Ted Hardie stated a method to compel an infrastructure provider to break encryption or provide false trust arrangements will introduce a systemic weakness that threatens to erode trust in the internet itself.
“The mere ability to compel internet infrastructure providers’ compliance introduces that vulnerability to the entire system, because it weakens that same trust,” Hardie said. “The internet, as a system, moves from one whose characteristics are predictable to one where they are not.”
If similar legislation were implemented by other jurisdictions, the IAB said the end result could be the fragmentation of the internet itself.
“This approach, if applied generally, would result in the internet’s privacy and security being the lowest common denominator permitted by the actions taken in myriad judicial contexts. From that perspective, this approach drastically reduces trust in critical internet infrastructure and affects the long term health and viability of the internet.”
During Thursday’s panel, the provisions of the Bill to require corporations to violate other nations’ laws to comply with Australian law were highlighted as particularly problematic.
At the same time in Canberra, the Home Affairs Minister was stating the Bill was reasonable and proportionate.
“The government has undertaken extensive industry and public consultation on the bill and has made amendments to account for the constructive feedback received,” Dutton asserted in a second reading speech.