The power to issue and authorise encryption-busting notices needs to be taken away from agency heads and the government and vested in a new judicial oversight body, the government’s independent security monitor has concluded after a year-long inquiry.
Independent National Security Legislation Monitor (INSLM) Dr James Renwick’s long-awaited 300-plus-page report on the Assistance and Access Act was tabled by the government on Wednesday afternoon after the most complex inquiry in his tenure.
The Assistance and Access Act, passed at the end of 2018, gives controversial powers allowing law enforcement and authorities to compel tech companies to provide access to encrypted data, through the issuing of technical assistance notices (TAN), technical capability notices (TCN) and technical assistance requests (TAR).
For the Assistance and Access Act to be proportionate and fair, the power to approve notices requiring tech companies to provide access to encrypted data must be handed to the Administrative Appeals Tribunal and a retired judge, Dr Renwick said.
In the report, Dr Renwick accepted the argument from law enforcement that new powers are needed to deal with the use of encryption and declined to recommend the legislation be scrapped entirely.
Instead, he pushed primarily for independent judicial oversight of the issuing and approving of the notices, along with a new definition of “systemic weakness”, and the extension of the powers to integrity and anti-corruption bodies.
The INSLM has been investigating the controversial powers since March last year, when the powerful Parliamentary Joint Committee on Intelligence and Security referred the laws to the monitor, the first time it had done so.
Dr Renwick said the most important change to the legislation is for the power to issue TANs and to approve TCNs to be stripped from agency heads and the Attorney-General respectively, and handed to the AAT, with a new statutory office to be created within the Tribunal to handle all matters related to the Assistance and Access Act.
This amendment will “preserve and protect both classified and commercial-in-confidence material and allow independent rulings on technical questions such as ‘systemic weakness’” and will “guarantee consideration of human rights, privacy and technical implications by the issuing authority”.
Under the current legislation, notices can be issued by agency heads and approved by the Attorney-General, with no independent judicial oversight.
The INSLM has called for a new statutory office to be established within the AAT, called the Investigatory Powers Commissioner. This Commissioner would be a retired judge from the Federal Court or a state or territory Supreme Court, appointed by the Governor-General on the advice of the Attorney-General.
The Commissioner would have a “dual-hatted” role, serving as a part-time president within the AAT and the designated head of the Investigatory Powers Department. A number of “eminent, independent technical experts” would also be appointed as part-time members to assist with the authorisation process.
The new Commissioner would approve the issuing of encryption-busting notices after hearing submissions and receiving evidence from the agency and tech company involved.
This would mean the question of whether an encryption notice is proportionate and reasonable would be considered by an independent judicial authority with technical advice and assistance, Dr Renwick said.
“The independence engenders the necessary trust in the minds of the members of the public that the powers are being exercised in a manner that is no more than is necessary,” Dr Renwick said in his report.
“It was almost unanimously agreed in non-government submissions that these notices should be authorised by either an independent tribunal member or a judicial officer and subject to meaningful judicial review once issued.”
The national security legislation monitor also said that the power to issue these anti-encryption notices must be extended to integrity and anti-corruption agencies, while a new definition of “systemic weakness” is needed.
The current definitions in the Act of “systemic weakness” and “systemic vulnerability” are “overlapping, create confusion and are not fit for purpose”, Dr Renwick found, and reference to “systemic vulnerability” should be scrapped entirely as it is “redundant”.
The legislation should also be amended to ensure that the “serious Australian offence” that allows for the use of the encryption powers does not include an offence carrying a jail term of three years or less.
The recommendations in the INSLM report fall largely in line with those called for by the Opposition in amendments moved in the Senate earlier this year. They will also likely be supported by members of the digital and civil rights community, although the first preference for many was for the legislation to be scrapped entirely.
Dr Renwick made it clear early on in his investigation that he wouldn’t be calling for the legislation to be rescinded, and in the report said he accepted the need for authorities and agencies to gain new powers to counter the difficulties of “going dark”, with criminals using encryption to avoid detection online.
“I am satisfied from the evidence I have received from intelligence, police and integrity agencies that encryption of content and, to a lesser extent, metadata, has made their essential tasks significantly more difficult, and in some instances impossible. I accept the necessity of a legislative response to ‘going dark’,” Dr Renwick said.
“I reject the notion that there is a binary choice that must be made between the effectiveness of agencies’ surveillance powers in the digital age on the one hand and the security of the internet on the other. Rather, I conclude that what is necessary is a law which allows agencies to meet technological challenges, such as those caused by encryption, but in a proportionate way and with proper rights protection.
“Essentially, this can be done by updating traditional safeguards to meet those same technological challenges – notably, those who are trusted to authorise intrusive search and surveillance powers must be able to understand the technological context in which those powers operate and their consequences.”
The INSLM report will now inform the PJCIS’ own investigation into the encryption laws, which is due to report by 30 September. It’s unlikely the federal government will respond to the INSLM report or look at any amendments to the Act until the PJCIS has tabled its own report on the matter.