Alarm over government’s encryption bill rush

The government has introduced its bill to help mitigate the impact of encrypted communications services on police investigations just 10 days after closing a public consultation on an exposure draft of the proposed legislation.

“The government has undertaken extensive industry and public consultation on the bill and has made amendments to account for the constructive feedback received,” home affairs minister Peter Dutton said, introducing the legislation this morning in the House of Representatives.

The legislation “will not weaken encryption or mandate backdoors into encryption,” the minister said, adding that it contains a bar on requiring companies to implement “systemic weaknesses” into their products or services or build “a decryption capability”.

Labor MPs described the government’s haste as “unacceptable,” noting that submissions for organisations and individuals in response to the exposure draft are yet to be released. “This decision makes a mockery of the exposure draft process, and suggests the ‘consultation’ run by the government was nothing more than a sham,” said a statement attributed to shadow attorney-general and shadow national security minister Mark Dreyfus shadow communications minister Michelle Rowland, and shadow digital economy minister Ed Husic.

"Permission for public release is being sought from those who provided submissions on the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018," a spokesperson from the Department of Home Affairs told Computerworld.

“It is simply implausible that Peter Dutton could have in such a short timeframe given due consideration to the widespread concerns when dealing with encryption that raised by industry and other stakeholders,” the group of Labor MPs said in their statement. “Instead, the government appears to have taken a tick and flick approach to an incredibly complicated bill, with potentially far-reaching consequence for the privacy and digital security of all Australians.”

The government's proposed legislation has drawn significant opposition from civil liberty advocates, the Australian telecommunications industry and major international tech companies.

In an op-ed for The Australian, Communications Alliance CEO John Stanton wrote that the bill  “can force telcos or device manufacturers to install, maintain, test or use software (read, spyware) given to them by security agencies and designed to get around the barriers of encryption.”

“Telcos and communications providers can be forced to modify the services they provide to customers to create a weakness that the agencies can ­exploit.

“The problem with that, as many have pointed out, is that a vulnerability created for the agencies can equally be a vulnerability that criminals can discover and exploit, leaving services and the rights and safety of consumers mortally compromised.”

Some of Australia’s best known civil liberties and privacy advocacy organisations argued in their submission to the government’s consultation that the bill should scrapped because it “effectively enacts insecurity by design” and will create “extremely broad powers with almost no oversight without any substantive justification”.

Digital Industry Group Inc (DIGI) — whose members include Amazon, Facebook, Google, Oath, and Twitter — said the government’s proposals may make it “easier for bad actors to commit crimes against individuals, organisations or communities”

Comment was sought from the government about the adequacy of the consultation process and what changes have been made to the 176-page bill. “This legislation was first foreshadowed by the former prime minister and former attorney-general more than a year ago,” a government spokesperson told Computerworld.

“Since that time the legislation was developed in consultation with industry. The industry consultations led to development of the exposure draft which went out for public consideration in August.”

“The bill introduced to the parliament incorporates feedback received as part of the public consultation.

“The bill will now be referred to a parliamentary committee which will enable further public consultation and submissions.”

One change from the exposure draft is that “protecting the public revenue” is no longer one of the grounds on which law enforcement organisations can compel the assistance of tech companies.

The legislation will introduce a three-layer model for requesting or compelling cooperation from tech companies. The bill will give the attorney-general the ability to force a company to build new capabilities to allow communications to be intercepted, as long as that direction ostensibly doesn’t fall afoul of the ban on the creation of systemic weakness. The attorney-general must be "satisfied that the requirements imposed by the notice are reasonable and proportionate".

The introduction of a system of technical assistance requests, technical assistance notices, and technical capability notices is not the only measure contained in the bill. It also contains measures that will:

* Expand access to covert computer access warrants from ASIO to police organisations. This schedule of the bill also includes a range of associated powers (allowing an agency to conceal its access to a computer system, for example).

* Increase the powers of police and the Australian Border Force to collect evidence from electronic devices.

* Protect from civil liability people or organisations that assist ASIO in certain circumstances.