06 December, 2018 20:23
Opinion — Government legislation intended to help police and national security agencies intercept online communications has today been passed by both houses of parliament.
At least there has been an element of consistency when it comes to the so-called encryption bill: A uniform sense of absurdity has pervaded the whole process.
In July 2017 when the government first began to reveal details of its plan to tackle encryption, then prime minister Malcolm Turnbull (with award-winning glibness) declared to ZDNet journalist Asha McLean that the “laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia”.
Fast forward to November, and Prime Minister Scott Morrison and home affairs minister Peter Dutton sought to cut short scrutiny of the bill because it absolutely had to be passed before Christmas.
Well rejoice: Today Australia can finally proclaim victory over the tyranny of maths thanks to the passage of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018.
It’s flawed legislation, shadow attorney-general Mark Dreyfus this morning told the House of Representatives — even as he commended the bill to the house. And that was while amendments to the bill to give effect to the recommendations of the Parliamentary Joint Committee on Intelligence and Security were still being finalised.
A succession of Labor MPs rose to outline their concerns about the legislation, before voting for it – amendments, they claimed, would be made in the Senate.
The best was saved for last, however: Opposition leader Bill Shorten and Dreyfus held a press conference this evening to declare that Labor would wave the legislation through the Senate without the amendments it considered vital, after the government adjourned the lower house to prevent legislative defeat in the form of an effort to facilitate medical transfers for refugees stuck on Nauru and Manus Island.
As part of the deal struck by the government and the opposition, the PJCIS is set to continue to consider the legislation and its potential consequences in the new year. But it is unclear whether there will be any real political will to address the concerns of civil society organisations, the local infosec sector and tech giants, all of which have expressed grave fears about the potential impact on online safety and technology businesses.
The PJCIS-inspired amendments unveiled today by the government may improve the bill somewhat, but they fall short of the kind of changes sought by the legislation’s critics. And with the government’s mad rush to push the legislation through before Christmas, there was little time for any thoughtful consideration of them even without today’s absurd parliamentary manoeuvrings.
The data retention legislation offers a cautionary tale when it comes to national security legislation. It, too, was accompanied by dire warnings from the government about terrorism. (In fact, in the majority of cases the data retention regime has been used in drug-related investigations.)
One of the arguments presented by the government in relation to that legislation was that it would actually cut down on the number of organisations accessing so-called metadata without a warrant. As telco group Communications Alliance revealed last month, that, in fact, is simply not the case: Its members have told it that a vast array of government organisations are using separate legal provisions to access the data.
There has been an ongoing contradiction between the government’s frequent assertions that it doesn’t want to undermine encryption and its citing of the increased use of end-to-end encryption services by criminals and terrorists as the driving force for the introduction of this legislation.
Here’s what Prime Minister Scott Morrison said at a November press conference: The bill “deals with the authority to deal with encrypted communications... We know from the matters that are currently under investigation, the ability for our authorities to have these powers, to engage and intercepting these communications is incredibly important.”
Dutton at the same press conference: “... we do want to arm the police with the ability to look at these encrypted messages. At the moment many of these people are using encrypted messaging apps and police are dark to those messages and the exchange of that planning. That is unacceptable in the current threat environment.”
The government has not felt the need to address this apparent contradiction.
A key amendment to the encryption bill unveiled by the government, based on the PJCIS report, defines “systemic vulnerability” and “systemic weakness”. The legislation allows the government to order a communications provider to build a new capability to facilitate an investigation, but it includes a prohibition on requiring a company to implement a feature that would create a “systemic weakness” or a “systemic vulnerability” — and what that means has been unclear.
A “systemic vulnerability” is defined as a “vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person”. “For this purpose, it is immaterial whether the person can be identified,” the definition added.
A “systemic weakness” means “a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person.” Again, it doesn’t matter whether that particular person can be identified.
Even given those definitions, the legislation seems to leave the door open for a range of measures that could have grave impacts on user security.
For example, consider a supplementary submission to the PJCIS inquiry by the Department of Home Affairs. In it, the department responded to a scenario outlined by Victoria’s information commissioner, Sven Bluemmel.
Bluemmel wrote in his submission to the inquiry that he was glad the legislation included a prohibition on forcing the introduction of a systemic weakness, but noted there are “well-documented risks that malicious actors may take advantage of any weaknesses created.”
He argued that a weakness created for a single use case may become a systemic weakness. For example, a company creating custom firmware in order to allow access to data on a particular smartphone may not be captured by the systemic weakness ban.
However, “in the development of this non-systemic weakness, code will be developed that might be used to facilitate future requests for other cases involving a similar smartphone with minimum disruption and expense”. That may effectively create a systemic weakness.
“The ability to configure the capability initially developed, the Office of the Victorian Information Commissioner claims, to furnish later requests represents a systemic weakness,” Home Affairs argued in response.
“Further, the Office of the Victorian Information Commissioner claims that such a capability cannot be adequately secured to prevent it being used by malicious actors.
“The Department disagrees with these claims by the Office of the Victorian Information Commissioner. Custom firmware built to address one notice or request is not a systemic weakness unless it is deployed to users other than the targeted user. So long as the capability is held in reserve it does not jeopardise the security of other users and is not a systemic weakness.”
Essentially, this was the argument at the heart of the FBI and Apple conflict in the wake of the San Bernardino terror attack. Apple argued that creating software to break into the iPhone of one of the shooters would jeopardise the security of its customers.
University of Melbourne security researcher Dr Vanessa Teague — someone who actually knows a thing or two about vulnerabilities — appeared before the PJCIS in November and discussed whether a similar request in Australia would be barred by the ‘no systemic weakness’ provisions in the bill. Her conclusion was that it was unclear, particularly given different government agencies have offered different definitions.
As to whether it would run afoul of the definition chosen by the government — who knows, quite frankly, because there has been no time for any public scrutiny of it at all. It seems likely that it would not.
While it is not an identical scenario, an important data point to consider is the Shadow Brokers’ 2017 release of hacking tools developed by the US National Security Agency. Among the data dumped was the EternalBlue exploit — later employed by the creators of the WannaCry and NotPetya ransomware strains.
If nothing else, the WannaCry infestation of UK NHS systems should make clear just how high the stakes are — weakening cyber security has potentially deadly consequences.
Of course, the government should know that — it launched Australia’s first national cyber security strategy.
Beyond potentially undermining the security of services used by millions of Australians, it is clear that the local cyber security sector will take a hit.
The government-backed organisation tasked with growing the infosec industry, AustCyber, has implicitly acknowledged there will be an economic impact.
Australian network encryption vendor Senetas has indicated it expects at the very least to face significant reputational damage from the legislation.
Labor has promised it will pursue changes to the legislation next year. Until then, however, we can presumably all relax: The Australian parliament has managed to defeat maths.
Clarification: The government's 173 amendments were incorporated into the final bill, but Labor's were not.