There will be no fixes to the government’s highly controversial encryption powers this year with a committee report on the legislation now more than two months delayed.
It has been two years since the Assistance and Access Act was passed by Parliament with bipartisan support. The new law hands powers to law enforcement and agencies to compel tech companies to provide access to encrypted data.
The new powers have been widely criticised as undermining encryption in general and damaging for the local tech sector specifically.
There have been plans for a series of amendments to the legislation for more than a year, but it appears this will not happen until February next year at the earliest.
The Parliamentary Joint Committee on Intelligence and Security (PJCIS), which has already delivered two reports on the encryption bill, has been conducting an inquiry into the Assistance and Access Act since April 2019 and had been due to report back in mid-2020.
This was delayed, with the PJCIS given a new deadline of 30 September. But two months later, the committee is still yet to hand its report to government, which is waiting on its recommendations to move any potential amendments to the encryption legislation.
With Parliament rising for the last time of the year at the end of next week, there now won’t be any changes made to the encryption powers this year.
“The timing of PJCIS reports is a matter for the committee. The government will consider the PJCIS recommendations when they are released, and respond in due course,” a spokesperson for the Department of Home Affairs told InnovationAus.
This is despite the Independent National Security Legislation Monitor (INSLM) having made a series of recommendations for amendments to the encryption bill at the end of June. The INSLM is meant to inform the PJCIS report to be handed to government.
The INSLM opted to not call for repeal of the act entirely, instead recommending that the power to issue and authorise anti-encryption notices be taken away from agency heads and the government and handed to a new judicial oversight body.
The INSLM report also called for a new definition of “systemic weakness” and for “systemic vulnerability” to be removed from the bill entirely.
The recommendations have received wide support, with the likes of tech giant Atlassian and the Law Council of Australia calling on the government to adopt them.
Under the Telecommunications (Interception and Access) Act 1979, the PJCIS must have completed its review by 30 September 2020. InnovationAus understands the PJCIS has finished the review component of the inquiry and is currently still working on its final report.
Deakin University senior lecturer Dr Monique Mann said the delay in improving the Assistance and Access act is troubling, especially when coupled with a delay to another PJCIS inquiry into a potential data-sharing deal with the US.
“In combination with the delay on [that] front, it’s concerning because recommendations have been made by the INSLM that won’t be actioned this year, and we’re not sure of the timeline. All these concerns have mirrored recommendations that have been raised for a number of years,” Dr Mann told InnovationAus.
“These ongoing delays to actually ensuring there are some protections in place, such as judicial authorisation, is just an ongoing farcical situation, particularly given the ongoing exercise of these powers by government and law enforcement.”
The PJCIS is currently inquiring into the International Production Orders legislation, which would allow Australia to enter into a CLOUD Act data-sharing deal with the US. That inquiry was launched in March, with plans to report back by midway through the year and for the legislation to be passed during the Winter sitting of Parliament.
But the committee is still yet to report back on that legislation too, with no deadline listed on the inquiry homepage.
In a submission to the PJCIS encryption inquiry, the Australian Federal Police revealed that law enforcement is still yet to use the coercive powers in the bill which require tech companies to provide access to encrypted data and build new means to do so, instead relying on notices merely asking for assistance.
This led the federal Opposition to question why these powers are needed at all, and why it agreed to pass them in a rush in late 2018.
Labor earlier this year attempted to move a number of amendments to “repair” the Assistance and Access act, including through the introduction of judicial oversight. These were rejected by the government, with the Coalition saying it would wait for the delayed PJCIS report, and that Labor was attempting to “circumvent” this inquiry.
Atlassian also told the PJCIS that the powers had damaged the growth of the Australian tech sector and could hamer its recovery from the COVID-19 pandemic.
“The continued viability and growth of technology, innovation and manufacturing in Australia will in large part be based on the actual and perceived security of the technologies that underpin the digital economy and its ecosystem,” the company told the PJCIS.
“Atlassian is concerned that the effect of the Act has been to erode trust in Australian technology providers and therefore limit the ability of Australian technology providers to compete internationally, through both their actual and perceived ability to protect their customers, data and systems from being compromised through weakened security”.