Encryption bill’s three-week rush
Off and racing: Committee has three weeks to assess the complex encryption bill
The federal government’s controversial encryption legislation has been referred to a joint committee for an inquiry, with only a three-week window for submissions.
It follows the bill being introduced to Parliament last week, just five days after submissions were closed on the draft legislation, much to the anger of civil and digital rights advocates, and the Opposition.
The government has also released some of the submissions made on the draft legislation, with a number of representative groups and tech companies lining up to raise concerns with the new powers it grants.
Home Affairs minister Peter Dutton introduced the Assistance and Access Bill 2018 to Parliament on Thursday last week. The bill grants new powers to law enforcement and agencies to compel tech companies to assist with accessing encrypted communications.
On the same day it was introduced to Parliament, the bill was sent to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for review.
The committee will be accepting public submissions on the legislation for the next three weeks until 12 October, with a hearing to be held the following week.
“In its inquiry, the Committee will consider and review the provisions of the bill. In addition the Committee will examine safeguards and limitations in the bill that are intended to ensure that communications providers cannot be compelled to build systemic weaknesses or vulnerabilities into their products that undermine the security of communications,” Committee chair Andrew Hastie said.
The short timeframe for the further review is unlikely to please the many critics of the bill, with civil and digital rights advocates branding the government’s move to introduce it to Parliament just five days after submissions on the draft legislation closed as “simply outrageous”.
The Opposition has also criticised the pace of the government’s dealing with the bill, but is yet to state whether it will be supporting the legislation or not.
Labor digital economy spokesman Ed Husic warned the government to “tread carefully”, and said that it is “rushing it and not being upfront about the concerns raised through the consultation process”.
“It’s not good enough. The Opposition has always worked in a bipartisan and constructive way on national security. But we’re deeply concerned about the way the government is rushing the process on something so complex – and disrespecting the need for transparency along the way,” Mr Husic told Fairfax Media.
The federal government did make some slight changes from the draft legislation, with the “public revenue” justification removed, and law enforcement required to consider a range of factors before requiring a company to break or weaken its encryption.
It would also need to decide whether the request met the “legitimate expectations of the Australian community relating to privacy and cybersecurity”.
Mr Dutton said these changes were made following the feedback, despite consultations closing only five working days before the bill was entered into Parliament.
“The government has undertaken extensive industry and public consultation on the bill and has made amendments to account for the constructive feedback received,” Mr Dutton said.
The government received about 15,000 submissions on the draft legislation, but about 14,300 of these were from a Digital Rights Watch campaign letter. Only ten of the submissions have been made publicly available, and were only released after the legislation was introduced to Parliament.
In its submission, the Australian Human Rights Commission said the new powers the bill gives to law enforcement and agencies could impact on a number of individual human rights, including privacy and freedom of expression.
“Any improved ability of the government to conduct digital surveillance, intercept digital communications and collect personal data in a manner that is disproportionate or unnecessary to a legitimate objective risks a ‘chilling effect’ on the enjoyment of human rights, in particular the rights to freedom of expression and privacy,” the AHRC said.
In a joint submission, the Communications Alliance and Australian Mobile Telecommunications Association said the draft bill “bears the very real risk of severely damaging Australia’s cybersecurity”.
The groups also criticised the bill’s “ambiguous” wording and extraterritorial reach, which it said it “unprecedented”.
“Not only does it have the potential to generate anti-competitive outcomes and to create disincentives for providers to offer products and services to Australians, it also creates significant risks for Australian providers to breach laws in foreign jurisdictions when they are taking action as a result of the requirements of the bill,” the submission said.
The Office of the Australian Information Commissioner recommended that “systemic weakness” and “systemic vulnerability” by defined in the bill, for the objectives of the notices to be limited to just serious criminal and national security offences and for additional oversight of the issuing of these notices.
The Office of the Victorian Information Commissioner was more critical of the legislation, raising concerns of its impact on security and privacy of communications.
“There is great utility in the maintenance of secure communications services that employ protections such as end-to-end encryption, which are noted in the explanatory document on the bill," OVIC said.
"Encryption can also be essential in the protection of individual’s fundamental rights of privacy, freedom of association and freedom of expression, amongst others,” it said.
Mr Dutton defended the bill when he introduced it to Parliament late last week, saying the new powers are needed by law enforcement agencies in the digital age.
“New communications technology, including encryption, is eroding the capacity of Australia’s law enforcement and security agencies to investigate serious criminal conduct and protect Australians,” Mr Dutton said in Parliament.
“The lack of access to encrypted communications presents an increasingly significant barrier for national security and law enforcement agencies in investigating serious crimes and national security threats,” he saod.
“No responsible government can sit by while those who protect our community lose access to the tools they need to do their job. In the current threat environment, we cannot let this problem get worse.
“The bill represents a package of reasonable and proportionate measures which will enhance our approach,” Mr Dutton said.
Despite the series of concerns raised in the submissions, Mr Dutton said the new powers would not undermine encryption as a whole.
“The legislation will not weaken encryption or mandate backdoors into encryption. The bill specifically provides that companies cannot be required to create systemic weaknesses in their encrypted products, or be required to build a decryption capability,” he said.
“This is also not a new vehicle to collect personal information. Surveillance and interception must be authorised by existing warrants and authorisations, which are subject to their own safeguards, including judicial oversight.”