Encryption laws a CLOUD deal risk


Denham Sadler
National Affairs Editor

Australia’s recently passed encryption laws may undermine the federal government’s hopes of securing a data-sharing deal with the United States, a US House Committee has confirmed.

Home Affairs Minister Peter Dutton said earlier this week that he had entered into formal negotiations to secure a deal under the US Clarifying Lawful Overseas Use of Data (CLOUD) Act, which would facilitate faster access to data held by US-based tech companies, and vice versa.

If secured, the deal would allow Australian authorities to directly request data from a US tech company like Facebook using local laws as the basis, rather than having to go through US authorities.

But concerns have already been raised that the government’s controversial new encryption powers will prevent Australia from being able to secure such a deal, with a key crossbencher also calling for “rigorous parliamentary scrutiny” of the ongoing negotiations.

In a letter dated 4 October, US House of Representatives Judiciary Committee chair Jerrold Nadler wrote to Mr Dutton, raising concerns that the Assistance and Access Act may stand in the way of a CLOUD deal.

“I write to express my concern that Australia’s Assistance and Access Act may undermine your ability to qualify for an executive agreement under the CLOUD Act,” Mr Nadler wrote in the letter.

“A diverse coalition of technologists, Australian and US technology firms and civil society advocates has expressed concerns that the Access Act has profound impacts on privacy and security well beyond Australia’s borders,” the letter says.

“The Access Act allows your government to order private companies, regardless of where they are located, to build or implement specific surveillance capabilities. As currently drafted, the Access Act does not require independent judicial review before or after the government issues an order requesting content from private businesses.”

The House committee chair called on Mr Dutton to explain these concerns, particularly around the new powers weakening encryption in general.

“I hope you will clarify to the Judiciary Committee how you plan to address these concerns prior to negotiating any executive agreement under the Cloud Act.

“I would also appreciate any information you can provide about provisions of the Access Act that may weaken encryption or other security measures on certain consumer devices. This is an area of keen interest to the Committee,” he said.

“In fact, during the process of drafting the CLOUD Act, the committee specifically included a provision prohibiting an executive agreement from creating any requirement that providers be capable of decrypting data.”

“We have a common interest in resolving concerns like those raised by the Access Act well in advance – so that we can ensure that any proposed agreement comports with our common laws.”

These concerns were also raised by a number of legal and digital rights groups as part of a Parliamentary Joint Committee on Intelligence and Security inquiry into the encryption legislation.

In a submission to the inquiry, the Law Council of Australia said the law would be “insufficient” to allow Australia to qualify for a deal under the CLOUD Act, as the encryption legislation does not include adequate judicial oversight.

The CLOUD Act also requires that foreign countries not mandate decryption of data and that requests from authorities be very specific.

The encryption powers “imperil Australia’s ability to qualify for a bilateral agreement”, the International Civil Liberties and Technology Coalition said, while tech advocacy group DIGI also echoed these concerns.

With negotiations announced earlier this week, Centre Alliance senator Rex Patrick called for “rigorous Parliamentary scrutiny” of these discussions, and for the full deal to be made public and subject to a number of reviews.

“Given their track record, it is not easy to have confidence that a negotiation undertaken by Home Affairs minister Dutton and his departmental secretary Mike Pezzullo will properly protect the data rights and privacy of Australians, including protection of data generated by journalists and media organisations,” Senator Patrick said.

“Few Australians will have heard of the 2018 US CLOUD Act but that’s the law that the Morrison government will be working to effectively incorporate into Australia’s data privacy and protection framework.”

Senator Patrick said the agreement would need to balance the need for law enforcement to quickly access data to investigate serious crime and the protection of the rights and privacy of Australians.

“No agreement relating to the CLOUD Act should be signed until after the full text has been made public, subjected to review by the Joint Standing Committee on Treaties and other relevant Parliamentary committees and the Parliament has examined and passed the necessary enabling legislation,” he said.

“They cannot be trusted to get the balance right. The Parliament, and especially the Senate, will need to keep a very close eye on them.”

Shadow home affairs minister Kristina Keneally said there are now “open and serious questions” about whether the “Australian law which was passed by the Parliament in a significant rush less than 12 months ago can conform to the CLOUD Act in the United States and allow this type of ability to access encrypted material to become possible”.
