Tortured path of encryption review

James Riley
Editorial Director

When it was put to a vote in the parliament last December, it took about 15 minutes to pass the encryption laws, but it will take nearly two years to complete a promised review of the controversial legislation.

And it’s the tech industry’s fault apparently, for not having produced an adequate number of submissions to the obscure authority known as the Independent National Security Legislation Monitor (INSLM).

Which does seem somewhat extraordinary, given that the 70-odd submissions made to the last review of the laws’ impact by the powerful Parliamentary Joint Committee on Intelligence and Security (PJCIS) included detailed work from all of the major industry groups, as well as a broad cross-section of the sector’s most powerful and important voices.

And given the industry position on the legislation as it is written is unchanged, it is a bit rich that the Independent National Security Legislation Monitor Dr James Renwick should then lay the blame for the delays on the fact that he’d only received 15 submissions from industry.

Which is exactly what Dr Renwick is doing. He has pushed back the deadline to make submissions until November 1. The knock-on impact of this is that the PJCIS has also pushed back its own deadline for delivering its review (now September next year).

If there were a lack of submissions to the INSLM, it was probably due to the fact that many companies thought they had already made a submission and didn’t immediately recognise the obscure technical difference between the PJCIS and the INSLM.

But even if the lower number of submissions illustrates some kind of fading interest in the review process, who could blame them? There is very little sense that the government is at all serious about doing anything serious here, and the process itself seems designed to squeeze the oxygen out of any discussion that seeks change.

Tech industry groups contacted by on Monday expressed understandable frustration. At best, one industry group CEO said, you might argue that, given the importance of the review, it was important to spend the time to get it right. Another CEO was not quite so understanding.

The TOLA Assistance and Access legislation was introduced to parliament in September last year and was immediately referred to the PJCIS for review, where it received a large number of critical submissions from industry and others.

The government requested that the PJCIS review be expedited, meaning the consultation process was both very short and very narrow. It was completed in December 2018 and the bill was passed the following day, the final sitting day of the parliament.

A condition of the passage of that legislation was that the PJCIS should continue its review and the legislation should also be independently reviewed – hence its referral to the Independent National Security Legislation Monitor.

Following an article that revealed the extension of the INSLM submissions deadline and the consequent delay to the PJCIS reporting deadline, Dr Renwick has written an article in the AFR outlining (as if it needed reminding) why it is important for the tech industry to have its voice in his review.

He highlights four queries that will be very familiar to the tech industry CEOs and founders and developers who have previously been signatories to submissions.

“Large and important specific questions in my review (for which I seek help in finding answers) seem likely to include the following,” Dr Renwick writes.

“First, is the law in any respect too wide, too intrusive, or lacking in sufficient safeguards?

“Second, does the law have disproportionate or unintended adverse effects on Australian industry?

“Third, does the law in fact undermine lawful encryption, say in banking?

“Fourth, is the law expressed in terms likely to remain relevant as technology changes?

“I intend to use my statutory powers to see any classified or other official information that I need, but in seeking to reach my own conclusions about whether these laws achieve the right balance, I must also receive the views of civil society and, for the first time, industry.”

The tech sector is very familiar with these questions and is unlikely to have changed its position on the strongly held views it has previously expressed through the various reviews and forums that have looked at the legislation.
