Coalition's deal with Labor on cracking encrypted messages – what it means for you
A deal struck between Labor and the Coalition on Tuesday means the government’s encryption-cracking bill will pass this week, the final sitting week of the year.
But despite added safeguards, digital rights groups and tech companies are still concerned the bill goes too far.
What is the encryption legislation?
In August the Coalition released the telecommunications access and assistance bill, which gives law enforcement agencies new powers to deal with the rising use of encryption to keep electronic communications secret.
Applications like Signal, WhatsApp and Wickr are effectively preventing law enforcement agencies from reading communications intercepted under warrant while investigating crimes.
What are the new powers for law enforcement agencies?
The bill introduces a new form of “computer access warrant” to allow law enforcement agencies to covertly obtain evidence directly from a device, if approved by a judge or member of the administrative appeals tribunal.
Where a warrant has been issued to intercept telecommunications, the director general of security or head of an intercepting agency can then issue a “technical assistance notice” for a company to assist in decryption.
The attorney general would also gain a power to issue a “technical capability notice” requiring a communications provider to build a new capability that would enable it to give assistance to Asio and interception agencies.
The original bill stipulated that a technical capability notice could not require companies to build “systemic weaknesses” in their products, but no definition of this safeguard was provided.
What were the concerns with the encryption bill?
The bill went to the parliamentary joint committee on intelligence and security, which has heard concerns from tech giants including Facebook, Google, Twitter, Amazon and device manufacturer Cisco that the bill would introduce back doors in their products. Tech companies noted the safeguard against “systemic weaknesses” was not defined.
The Australian Human Rights Commission warned the bill would harm the privilege against self-incrimination because criminal suspects could be forced or tricked into giving access to encrypted messages, for example, by a notification to upgrade software such as Facebook Messenger that in fact gives agencies access to the user’s phone.
The Communications Alliance argued it could harm Australia’s $3.2bn information technology export sector, because Australian products could no longer be trusted not to have back doors, and warned law enforcement agencies could use new powers to extend the reach of metadata retention laws.
The Senate president, Scott Ryan, warned it would undermine parliamentarians’ ability to keep their work secret from police, because extending covert surveillance powers to police agencies would prevent parliamentarians having an opportunity to claim parliamentary privilege over material seized under warrant.
What fixes are proposed in the Coalition-Labor deal?
Proposed amendments to the bill have not yet been released publicly but the attorney general, Christian Porter, and Labor have revealed:
The new encryption cracking powers will be limited to “serious crimes”, defined as terrorism and child sexual offences or other offences with a term of imprisonment of three years or more
The communications minister’s approval will be needed in addition to the attorney general’s to issue technical capability notices to build backdoors
The bill will contain a definition of “systemic weakness”
Companies will be able to dispute a technical capability notice, with a former judge and a person with technical expertise to judge whether a proposed back door was an impermissible “systemic weakness”
State anti-corruption bodies have been removed from the list of agencies that could access the new powers
The intelligence and security committee will continue to scrutinise the bill in 2019
Has the deal settled industry’s concerns?
In a word: no. The Communications Alliance and the Digital Industry Group Inc – which represents Facebook, Google, Twitter, and Amazon – have several concerns.
No ministerial sign-off is required for technical assistance notices, which are in many respects as far-reaching as technical capability notices. For example, they can also require companies to remove a form of electronic protection.
Unlike capability notices, assistance notices do not require any consultation period with the communications provider and can take immediate effect. Assistance notices can be issued, and subsequently varied, by delegated officers within enforcement agencies, not just by the head of that agency.
On Tuesday Porter said the definition of systemic weakness was still being finalised but indicated it was one that “affects all applications on all devices at any given single point in time”.
The Communications Alliance chief executive, John Stanton, said the definition was “too narrow” and would still allow a weakness to be built – for example – in all devices in Victoria, or all users who select a push notification to install an upgrade in a particular language.
The Greens digital rights spokesman, Jordon Steele-John, said the bill “will have the unintended consequence of diminishing the online safety, security and privacy of every single Australian”.
“Furthermore, any individual – whether that be a politician or a journalist – who uses encrypted messaging services to ensure the privacy of their sources, or the privilege of their policy discussions, should feel threatened by this bill’s potential unintended consequences.”