… and no one is happy

Earlier this month, members of the Five Eyes, the unwavering intelligence alliance of the Anglosphere, met on Australia’s Gold Coast to discuss the future of the internet.

There, over a two-day summit, the concerned parties, which include Australia, Canada, New Zealand, Britain and the US, agreed on one thing: encrypted data posed a significant challenge to the global fight against cybercrime and terrorism.

“Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions,” reads a statement issued by the government of Australia on behalf of the intelligence sharing partnership.

Now, wasting no time since the conclusion of the August meeting, the Australian government has pushed forward new legislation that would require “designated service providers” to assist law enforcement with accessing encrypted data.

“It’s crafted on the basis that national security agencies and police forces always do the right thing,” Patrick Fair, a partner at Baker McKenzie law firm in Australia, told The Daily Swig, “and that we shouldn’t be concerned if we provide them [the security services] with extraordinary power and discretion.”

Encryption, a key component of robust internet security, remains an important tool in combating illicit activity in digital spaces, and the Australian government, along with the Five Eyes, has stated that weakening these systems in order to aid police and counter-terror investigations is by no means its intention.

But the broad language and considerable scope put forward in the 2018 Assistance and Access Bill, currently before the Parliamentary Joint Committee on Intelligence and Security, has left industry stakeholders and privacy advocates unconvinced by the government’s stated aims.

“The idea of [the Assistance and Access Bill] is that the government will level the playing field between the ability to intercept messages that travel across telecommunications systems,” Fair said.

“They [the Australian Government] think that there must be a way to get access to system devices in a way that preserves the security of the infrastructure.”

Others are not so sure.

In a letter jointly signed by civil rights groups and tech giants such as Apple, Cloudflare, Google, and Microsoft, the legislation is positioned as a wide-ranging threat to cybersecurity – one where trust in the internet will be eroded through the various acts that communication providers can be asked, or forced, to administer.

These acts are meant to offer various ways for law enforcement to gain access to electronic information, from a mildly invasive provision of technical specs, to the more intrusive creation of software, and would likely have “systematic effects” despite the legislation’s denial of wanting a backdoor solution, the letter states.

“Moreover, users may perceive the surreptitious introduction of any new code into a complex technology environment as the government requiring the installation of malware,” it adds, citing how building an “exceptional access” system across numerous types of devices would require a tremendous amount of resources, equally making software updates obsolete.

15,000 comments like this one were submitted to the Australian government as feedback on the Assistance and Access Bill – most, if not all, were ignored.

“There is simply no way the government has had time to consider all those responses in their decision to endorse the bill this morning,” said Australian Senator Jordon Steele-John, following the legislation’s short consultation period of just over a week.

In its current draft, the bill allows any police force or security service operating in Australia to request communications without any judicial oversight.

The information providers – anyone from a telecommunications company to a software developer – must respond to the request based on the type of notice, or warrant, that the government issues – a Technical Assistance Request, a Technical Assistance Notice, or a Technical Capability Notice.

“The Technical Assistance Notice can be issued by a police force or security agency without consultation and can require the subject to do almost anything,” said Fair. “The Technical Capability Notice may only be issued by the Attorney General, after consultation between the security service and the subject and for a (slightly) limited set of requirements.”

The bill has been modelled on the UK’s controversial Investigatory Powers Act but differs in its lack of data rights protections. Unlike the UK, Australia has no all-encompassing Bill of Rights.

“The criteria for issuing a notice under the UK [Investigatory Powers] Act has to be proportionate to the intention and the purpose of the notice,” said Fair. “We don't have that. Our test is ‘reasonable, proportionate, practical, and technically feasible’ but, unlike the UK, it is an open test where the agency can ‘have regard’ to a wide set of factors – there is no clear way of deciding what the notice must be ‘proportionate’ to.”

He added: “They [security services] don’t even need to have a case where they’re trying to stop terrorists or bust a crime gang. They can do it just on the prospect that it could be useful.”

The bill has global impact too, as international companies may find themselves in breach of civil law if a notice is refused. Penalties can reach A$10 million (US$7.2 million), but compensation for compliance is also offered.

Fair suspects the bill is being driven forward ahead of Australia’s General Election, expected early next year. Public hearings on the Assistance and Access Bill are set to take place on October 19.
