Published on the 19/09/2018 | Written by Pat Pilcher

An assault on personal freedoms or a necessary step for counter terrorism?…

The Australian government has finally released a draft of the Assistance and Access Bill, aimed at providing law enforcement agencies with powers to counter challenges posed by encryption.

Law enforcement agencies say that there is a real need for the changes proposed in the bill. In a submission made to the Joint Committee on Law Enforcement’s inquiry into the impact of new and emerging information and communications technology, Home Affairs stated that 65 percent of lawfully intercepted data is encrypted and that encryption impacts nine out of 10 priority cases for the Australian Security Intelligence Organisation (ASIO).

Meanwhile, the Australian criminal intelligence commission’s Organised Crime in Australia 2017 report says growing levels of encryption are a critical enabler that allows organised crime groups to evade identification and capture.

“The draft bill arrived at an awkward time for the government and many of the companies likely to be regulated.”

The Department of Home Affairs and ASIO already use advanced decryption techniques. However, decryption is a time-consuming undertaking and time is one thing most investigations don’t have to spare. The new bill aims to accelerate the process but has attracted the ire of some who say the powers proposed in the bill could get misused.

The arrival of the draft bill has happened at a particularly awkward time for both the Australian government and many of the companies likely to be regulated.

Digital issues including electoral interference, the Cambridge Analytica scandal and mounting levels of fake news, have made the public increasingly cynical. Adding to existing tensions are governmental data mishaps including the 2016 Census fail and Centrelink’s Robo-debt recovery program, so it is not surprising that many Australians are suspicious when it comes to digital privacy and the safety of their personal information.

The Department of Home Affairs is keen to de-escalate tensions around the bill and says that while the law will require software companies and network vendors to provide details that could help agencies exploit unpatched weaknesses, telcos and ISPs will not be compelled to set up backdoors for law enforcement agencies. Detractors say doing so would introduce exploitable vulnerabilities.

So what is being proposed in the draft Assistance and Access Bill? At a high level, the bill contains three components. It increases the responsibilities of both domestic and offshore organisations to assist law enforcement and security agencies to access encrypted information. It also proposes that there be new computer access warrants enabling law enforcement agencies to covertly obtain evidence in the form of data directly from a device. And it seeks to increase existing powers for law enforcement agencies to access data using search and seizure warrants.

The bill appears to be very similar to the UK government’s Investigatory Powers Act, in which mandatory decryption obligations became law. Under that Act, the UK government can order telcos to remove electronic protections applied by, or on behalf of, an operator. How possible this is in practice has yet to be seen.

Like its UK counterpart, the Australian bill places much of the responsibility on telcos/ISPs to provide law enforcement agencies access to decrypted data. In practice, this means providing access to information at points where it might not be encrypted, but how this can be made to work under real-world conditions has yet to be disclosed.

With the powers proposed in the bill, the Attorney-General can issue a ‘technical capability notice’ which would ensure a telco assists the ASIO or an interception agency. In practice, this will mean telcos/ISPs will be required to develop methods for law enforcement agencies to gather information. It is not entirely clear how telcos/ISPs offering end-to-end encryption (e.g. VPNs) will be able to meet these requirements, but those that don’t comply could face fines of up to $10 million.

The big question is whether concerns and hype surrounding the bill are warranted?

While many digital rights activists fear the powers proposed in the bill could get misused, they are missing the fact that Australia has long had national security legislation that covers telecommunication interception and surveillance. These acts include:

• The Telecommunications (Interception) Act 1979, which permits ASIO to intercept telecommunications under a warrant for intelligence gathering and is primarily intended for threats of terrorism.
• The Telecommunications Act 1997 outlines the obligations of telcos on their information interception compliance.
• The Surveillance Devices Act 2004, which allows law enforcement agencies to obtain warrants and get emergency authorisations to install and use surveillance devices.

The proposed legislation merely extends the obligations of service providers to help law enforcement agencies counter encrypted data.

What is probably more concerning is the lack of detail on how the powers proposed in the bill will get implemented on a practical level and how the legislation would work in interstate or international jurisdictions.