Telcos, tech industry call for major changes to encryption legislation
- 23 January, 2019 10:42
Industry groups representing the telco sector and major tech businesses have called for major changes to controversial surveillance legislation pushed through parliament on the final sitting day of 2018.
The Telecommunications and Other Legislation Amendment (Assistance and Access) Act was intended to be the government’s answer to the increased use of encryption technology by criminal groups.
The most significant part of the legislation creates a system of Technical Assistance Requests (TARs), Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs) that can be issued to communications providers.
TARs are a request for voluntary assistance from a provider, while TANs are a legally binding direction for a communications provider to use some existing capability or capabilities to assist a law enforcement or national security agency. A TCN is a direction from the government to create an entirely new capability.
Much of the controversy around the legislation related to its potential to undermine the security of popular online services.
Although the government said the legislation was a response to increased use of encryption, it also argued that it would not undermine encrypted services.
One of the limits imposed by the legislation is that the government or an enforcement agency cannot require encryption to be removed from a service, and cannot require a communications provider to introduce some other form of “systemic weakness” or “systemic vulnerability” into a service.
However, the definition of “systemic weakness” was itself a subject of controversy. For example, the government argued that the development of custom firmware for a device — the iPhone, for example — is not creating a systemic weakness. Apple, for one, has disagreed with such a position and the company is not alone.
The passage of the encryption legislation on 6 December was made possible by Labor backing away from a range of amendments that it had argued were necessary.
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) is currently examining the legislation, including the 173 amendments introduced by the government on the day it was passed.
The PJCIS inquiry is part of a deal struck between Labor and the government, which saw the opposition withdraw its proposed amendments (which Labor had argued were consistent with the PJCIS’s original inquiry into the bill).
Telco industry group Communications Alliance, the Australian Industry Group, the Australian Information Industry Association (AIIA), the Australian Mobile Telecommunications Association (AMTA), the Information Technology Professionals Association (ITPA) and Digital Industry Group Inc. (DIGI), whose members include major tech companies such as Google and Facebook, have made a joint submission to the new PJCIS inquiry calling for a range of additional changes to the encryption legislation.
“As was manifestly clear in the lead-up to the relevant sittings of the House of Representatives and the Senate, the Government amendments were drafted in haste in an overnight session and were distributed only in the early hours of 6 December,” the submission reads.
“Almost inevitably, there remain, in our view, significant problems with the amendments and other elements of the legislation. Many of the amendments are difficult to understand or interpret, appear unlikely to remedy the problems identified by Industry and/or exhibit omissions which need to be addressed.”
Major changes outlined by the submission include the creation of a warrant-based system for TANs and TCNs.
The groups also argue that the definitions of “systemic weakness” and “systemic vulnerability” in the legislation are “difficult to understand, ambiguous and are significantly too narrow” (before the government’s amendments on 6 December, there were no definitions of these terms included at all).
Currently a “systemic vulnerability” is defined in the legislation as a “vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.” (Systemic weakness has a similar definition.)
However, the submission argues that it is unclear whether, for example, a “class” would be “all mobile handsets, or Android phones, but not iPhones, or the mobile handsets offered by one service provider but not another or some other combination of factors”.
A further change recommended is that the threshold for using the powers granted by the legislation be raised. Currently, it can be used when preventing or investigating offences with a possible prison sentence of three years.
The threshold should be raised to at least seven years’ prison, to be consistent with the definition of “serious offence” in the Telecommunications (Interception and Access) Act 1979, the submission states.
Other proposed changes relate to the approval process of TCNs, and to the consultation requirements for TCNs and TANs.
“This bill was rushed through parliament in flawed condition and we look forward to the Government honouring its public commitment to have further amendments considered, in the interests of the cybersecurity of all Australians,” Communications Alliance CEO John Stanton said in a statement.
“The proposed powers are unprecedented, their remit unnecessarily broad, and whilst the consequences of their use are completely unknown, what is known is that the legislation is likely to cause greater issues than it purports to solve,” said the general manager of policy for AIIA, Kishwar Rahman.
The full submission is available online (PDF).