Published on 24/08/2018 | Written by Jonathan Cotton
New Aussie draft legislation proposes sweeping powers to intercept communication linked to illegal activity – ramifications be damned…
It’s been a long time coming, but last Tuesday the government released the Assistance and Access Bill 2018, a document proposing new laws which would see tech companies doing business with Australia compelled to supply the government with access to private encrypted data if requested.
The bill, produced by the Australian Department of Home Affairs, takes a three-pronged approach to improving the ability of agencies to access communications content and data.
Firstly, it seeks to increase the legal obligations of domestic and offshore providers to give “reasonable assistance” to law enforcement and security agencies. Secondly, it seeks to introduce new computer access warrants for law enforcement that will enable government agencies to covertly obtain evidence directly from devices. Finally, it looks to strengthen the ability of law enforcement and security authorities to overtly access data through search and seizure warrants.
Note: The Department of Home Affairs and ASIO can already access encrypted data using decryption techniques or at points where data are not encrypted – but it’s difficult. These new provisions would streamline that process.
So, armed with a warrant, the police would like to be able to force Apple, Google, Microsoft et al. to hand over data that they say is linked to illegal activities – terrorism, paedophilia, drugs – to stand by while the government takes it regardless, or even to create systems whereby it can be easily accessed by the police.
So does that mean built-in security flaws for the exclusive use of the Australian Government? That’s not the spirit of the bill, says the Explainer Document.
“A technical assistance notice or technical capability notice has no effect to the extent it requires a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection,” says the paper. “Electronic protection includes forms of encryption or passcode authentication, such as rate limits on a device. This limitation ensures that providers cannot be asked to implement or build so-called ‘backdoors’ into their products or services.”
But critics say the powers being sought amount to exactly that. At the very least the proposals make for uneasy reading. According to the document, the type of assistance that may be demanded includes:
- Removing electronic protection applied by the provider
- Installing, maintaining, testing or using software or equipment given to a provider by an agency
- Formatting information obtained under a warrant
- Helping agencies test or develop their own systems and capabilities
- Modifying or substituting a target service
- Concealing the fact that agencies have undertaken a covert operation
And those demands apply to foreign interests as well as domestic – meaning that compliance with the rules would be mandatory for doing business with Australia. Failure to comply could lead to fines of up to AU$10m for organisations, and jail time or AU$50,000 fines for individuals.
Unsurprisingly, the bill has its critics.
“The bill puts few limits or constraints on the assistance that telecommunication providers may be ordered to offer,” says Monique Mann, Vice Chancellor’s Research Fellow in Regulation of Technology, Queensland University of Technology.
“There are limited oversight and accountability structures and processes in place. The Director-General of Security, the chief officer of an interception agency and the Attorney-General can issue notices without judicial oversight. This differs from how it works in the UK, where a specific judicial oversight regime was established, in addition to the introduction of an Investigatory Powers Commissioner.”
Mann says the vague and unclear limits on these exceptional powers are particularly worrying.
“The broad powers outlined in the bill are neither necessary nor proportionate. Police already have existing broad powers, which are further strengthened by this bill, such as their ability to covertly hack devices at the endpoints when information is not encrypted.”
The Australian government isn’t the only one grappling with the issue. In fact, Microsoft recently produced a report – Cybersecurity Policy Framework – to offer guidance to policy makers facing just this problem, including the development and updating of cybercrime laws at a national level.
And of course the government does have some obligation to protect society from legitimate terror threats, child exploitation and all the rest. If the laws around the interception of telecommunications are no longer fit for purpose, the government is obligated to change that. Whether it can do that without compelling companies to comply with laws that go against basic principles of security – and even common sense – is very much the question of the moment.