MPs excluded from encryption laws
Big Problem: The AA legislation should be a concern to anyone working in the tech industry
The only people in Australia specifically excluded from the controversial encryption laws are the very people who rushed the legislation through on the final sitting day of 2018, our members of Parliament.
Giving law enforcement and intelligence agencies the ability to coerce our elected representatives via secretive new powers does not seem like a good idea. It does not square with our democratic ideals or societal norms.
And so MPs are expressly excluded from everything in the legislation.
But what about the rest of Australia?
And what about the impact of this legislation on Australian technology companies, particularly those trying to sell into offshore markets?
I recently came across an excellent blog post by Matt Shearing from the law firm Teddington that neatly summarised in a couple of thousand words the 220 pages or so of the legislation. I would highly recommend this as the perfect primer for anyone who thinks they may be potentially affected by this legislation.
Which really means almost everyone. The scope of the legislation is so broad, and the definitions within it are so loose that the laws can be applied to almost any individual or company involved with technology.
If you have an interest in the debate about the Assistance and Access legislation and want to find out more, you can join industry leaders at a special Safe Encryption Australia forum being hosted by the University of Technology Sydney at Fishburners within the Sydney Startup Hub on Wednesday March 27.
The Safe Encryption Australia forum is being coordinated by InnovationAus.com and StartupAUS, with the support of a wide range of industry associations, organisations and individuals, for the purpose of seeking key amendments to the Act.
Speakers at the forum include Atlassian co-CEO Scott Farquhar, Senetas founder Francis Galbally, NUIX co-founder Eddie Sheehy, AustCyber CEO Michelle Price, Girl Geek Academy CEO Sarah Moran, and UTS pro-vice-chancellor Glenn Wightwick.
Matt Shearing stakes out the case that the AA legislation not only represents a major setback for the digital rights of individuals and damages security for everyone, but also has enormous downside issues for businesses.
The first question that arises is who the legislation applies to. And it is surprising in its breadth.
“Under the current terms, anyone considered a designated communications provider can be served with notices. You can be a designated communications provider if you ‘provide an electronic service that has one or more end-users in Australia’,” Mr Shearing writes.
An electronic service is classified as, “a service which allows end-users to access material using a carriage service (the internet)”, and includes websites. This means anyone who runs a website, develops software or provides any kind of service to users could be captured by the definition.
It also states that a designated communications provider is anyone who manufactures, supplies or installs equipment, components, data processing devices, or software.
Effectively this means if you’re an employee, contractor or administrator of any company which has a computer, a piece of electronic equipment or a data collection device, you’re also a designated communications provider for the purposes of the legislation.
“Basically, if you’re involved in any way with technology, this legislation applies to you.”
There are a large number of differences between Technical Assistance Requests (TARs), Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs), depending on whether they are issued by the police or by an intelligence agency.
None of them are good news, but the TCN issued by an intelligence agency is by far the most invasive of the three. The legislation prohibits anyone from indicating that they have been the subject of a notice, or from disclosing what changes they might have made to software as a result of having been issued the notice, with extremely heavy fines and up to ten years in jail for those who do.
The TCN should give tech companies plenty of pause for thought, particularly where a potential vulnerability is introduced to a product that eventually has a downstream impact on customers. Liability has the potential to become problematic indeed.
“When things go wrong and an incident occurs which affects your clients or customers, they’ll likely assume you didn’t implement sufficient security measures to protect their data and commence legal proceedings,” Mr Shearing said.
“Tucked away in the [legislation] is an ‘immunity’ provision which states that a provider (and their employees or agents) can’t be held liable by a third party for anything done to comply with a TAN or TCN.
There are obvious difficulties with this defence, most notably because if a breach or theft occurs you can’t go public and blame the notice – because that would breach the secrecy provisions of the legislation.
You can find further details about the Safe Encryption Australia forum by clicking here.