You feeling safer now, punk?
Friday, December 7, 2018
Justinian

Decrypting the encryptions ... Christmas spree of paedophiles and terrorists thwarted (not quite) ... Requests and notices ... Anti-corruption commissions removed from the scheme ... New legislation back for further tweaking in the New Year ... Oversight missing in inaction ... International ramifications ... Janek Drevikovsky reports 

Cormann: legislation back in the New Year for more PJCIS approved amendments - promise 

Attorney General Christian Porter has had his big day, giving birth to counter-encryption laws - trumpeted as a way to tackle the increasingly sophisticated secret communications used by criminals. 

It's been a long and often comical journey for the Telecommunications and Other Legislation (Assistance and Access) Amendment Act, which was first mooted in early 2017. From there, it wound through two rushed rounds of public consultation, past a wailing bunch of reluctant tech companies, and into a final stretch of partisan parliamentary argy-bargy. 

Labor put forward a crop of 11th hour amendments, only to back down on some of them, understanding they would be considered when parliament reconvenes. 

This is what government upper house leader Mathias Cormann told the senate on the evening of Thursday (Dec 6): 

"I move the second reading amendment that has been circulated in my name which has the effect of referring the amendments to be made by this bill to the parliamentary joint committee on intelligence and security to conduct a review of the operation of the amendments made by this bill and report on that review by 3 April 2019. 

I also confirm that the government has agreed to facilitate consideration of these amendments in the new year in government business time, and I finally, also, confirm that the government supports in principle all amendments that are consistent with the recommendations of the parliamentary joint committee on intelligence and security recommendations in relation to this bill."  

Back to basics 

The new Act is a tortured beast, involving amendments to 11 existing Acts, running to 174 pages of eye-glazing lingo, with an equally dense 145-page explanatory memorandum. 

By the time it was passed, the Act had attracted 173 amendments of its own.

Under the new law, federal and state authorities can ask or, failing that, force telcos to help them access electronic communications. The powers are expansive, but warrants are still needed before the most invasive steps can be taken. 

Other provisions have largely escaped notice. These include new covert search powers for police and the introduction of covert search warrants under a string of Commonwealth Acts. 

Who's in on the action? 

The big-ticket decryption notification measures, such as "industry assistance powers", only benefit some government agencies, including ASIO, state and federal police and, in some cases, the Australian Signals Directorate.

In the original draft Act, state and territory corruption watchdogs could also use the new powers. But they were cut out at the last minute, in a series of amendments made late on Wednesday night. 

The motivation for excising anti-corruption bodies is unclear. As it stands, the law gives the agencies access to encrypted communications of criminals, terrorists and so on, but not corrupt politicians, business people or officials. 

The supplementary explanatory memorandum isn't very helpful on this point, stating the obvious: that the relevant agencies are now limited to "Commonwealth, State and Territory police", as well as ASIO. 

Throughout discussions, Labor was adamant that the Act should apply exclusively to federal authorities. It's possible that, in the process, state corruption and integrity commissions were vanquished.

How do the decryption measures work? 

Security agencies are empowered to issue three types of notices to telcos: technical assistance requests, technical assistance notices, and technical capability notices. 

An assistance request seeks voluntary help; an assistance notice seeks the same type of help, but must be complied with. A capability notice will require the telco in question to make itself capable of helping in future, in some specified way. 

Broadly, requests and notices can only be issued if they are necessary for the enforcement of laws dealing with serious Australian or foreign offences, or to uphold national security. 

Failure to comply will attract civil liability. If the delinquent telco is a body corporate, the maximum fine will run to 47,619 penalty units, or $9,999,990. For a non-corporate telco, the sum is a paltry 238 penalty units, or $49,980. 

Exactly what a telco can be compelled to do is still unclear (the government refuses to give examples of how the provisions will work in practice). 

However, the Act mentions things like removing or installing software, modifying carriage services and giving access to physical facilities. It's likely telcos will be asked to upload malware onto suspected criminals' devices, or hack into their own networks. 

Telecommunications companies are not the only ones complaining about this; the Human Rights Commissioner also issued a muted call for stronger oversight. 


The new Australian encryption law needs further amendment to safeguard human rights. Independent judicial oversight & other protections against misuse could be introduced without jeopardising national security. @AusHumanRights statement: https://t.co/vAVzfAqZSd.

— Edward Santow (@esantow) December 6, 2018


Significant threats to human rights remain despite the final version of this Bill containing some improvements. Our police & security agencies need robust powers to protect national security. However, these powers need stronger independent oversight, to protect human rights. https://t.co/EScZPc1wqg

— Edward Santow (@esantow) December 6, 2018


There are some limitations: first, neither government agencies nor telcos can do anything that would need a warrant - unless, of course, they have a warrant; secondly, telcos cannot be forced to introduce "systemic weaknesses" into their networks. 

Nonetheless, protests following the passage of the Bill have been intense. Digital Rights Watch warns that Australia will no longer have a functioning security software industry, or faith in the safety of our telecommunications systems. 

"Our elected representatives in Canberra have passed into law an obscene Bill that will have long-lasting impacts on the infrastructure of the digital economy, and they don't even seem to care." 

A large collection of people from the tech industry published an open letter to Bill Shorten and the Labor Party, under the heading You Bunch of Idiots!, accusing them of being "spineless weasels" for letting this legislation pass. 

Labor pains 

Under a deal between Labor and the government, struck on Wednesday night (Dec. 5), the Parliamentary Joint Committee on Security and Intelligence recommended a bevy of amendments to the Act. These passed into law with the rest of the beast on Thursday night. 

The amendments narrowed the scope of the Act, to the extent that notices can only be issued if the offence (whether Australian or foreign) is punishable by at least three years' imprisonment. 

Further, there is now a definition of "systemic weakness", which had been missing from the original Bill. It is now defined as "a weakness that affects a whole class of technology".

There are also slightly stricter oversight provisions, including a mechanism for the Ombudsman to investigate how the Act is being used; requiring the Attorney General and Minister for Communications to countersign all technical capability notices; and providing for two reviews of the Act within its first 18 months of operation. 

Labor tried to force further amendments when the Act arrived in the Senate late on Thursday, but they stood down when the government adjourned the House before the Senate could conclude debate. 

Had the additional amendments passed, the Act would have been returned to the House in February at the earliest, and would have remained in limbo until then. That would have given the government a comfortable two-and-a-half months to paint Labor soft on security, paedophiles and anything else that comes to mind. 

Search me

There's more to the Act than just decryption. There are new powers for Federal, State and Territory police - so long as they're investigating a federal offence punishable by more than three years' prison. 

Now, the police can obtain "covert computer access" warrants under the Surveillance Devices Act 2004, which will empower remote searches of electronic devices. 

Police are not obliged to serve these warrants on the subject, and can take steps to conceal their attempts at accessing the device in question. 

Similar changes have been made to warrants issued under the Commonwealth Crimes Act 1914. Police will be able to covertly search devices, cover the traces of their investigation and remove them from their owner's possession for searching. 

International dimensions

Rosenstein: US courts have said he can't have decryption laws 

The debate around the Act has been wide-ranging, particularly when it comes to the industry assistance provisions - the so-called decryption measures. Even the big international players, like Apple and Facebook, have waded in. That should come as no surprise: this law and the surrounding debate are decidedly international - in origin and in their ramifications. 

For at least four years, governments worldwide have turned into wholesale fear-mongers on the perils of encryption. Data is now so well protected, they say, that law enforcement cannot do its job: criminals have "gone dark", their messages and phone calls protected by the sophisticated encryption available to every user of services like WhatsApp, Signal, Telegram or Wickr. 

In the United States, officials such as former FBI chief James Comey (in happier days) and Deputy Attorney General Rod Rosenstein have spouted this kind of apocalyptic rhetoric. 

Yet the Americans have been resistant to laws such as the one just introduced in Australia. That might have to do with their strong attachment to personal liberty and privacy. In fact, some US federal courts have upheld an absolute right to publishing encryption software, saying (here and here) that encryption codes are a form of speech protected by the first amendment. 

Presumably, that right extends to publishing unbreakable encryption as well; if so, the FBI and the Justice Department would have a hard time legislating against the practice. 

Australia is part of the Five Eyes tag team of spy agencies, and it has been a vocal agitator for encryption-breaking powers. 

In August this year, the group issued a joint statement, committing its five governments to finding a way through the "darkness" of the encrypted criminal world: 

"We may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions." 

We are yet to see how the rest of the world will receive the Australian provisions; but it's unlikely our Five Eyes partners will be complaining. 

On a practical level, that's because modern communications are global. You don't have to be in Australia to access Australian communications; likewise, you can be in Australia and hack encrypted messages from abroad, as they pass through Australian internet nodes. 

Removing encryption from a suspected criminal's phone here means the FBI or MI6 can hack that phone just as well as ASIO can. Similarly, the Act potentially empowers Australian authorities to remove encryption on foreign devices. 

It also makes enforcing a foreign country's criminal laws one of the grounds for compelling a telco's assistance. So it is possible that the devices of Australians and non-Australians alike will be decrypted at the behest of foreign states. 

It's worth remembering the Act does nothing to waive the requirement for warrants. So foreign states will only get help with decryption if the proposed intervention can be justified to an Australian warrant-issuer.  

That said, there is a clear framework for foreign governments to apply for warrants. Under the Mutual Assistance in Criminal Matters Act 1987, the attorney general can arrange for a surveillance warrant upon the request of a foreign country; the application must be heard by a federal judge or AAT member, but if granted, the warrant will function as normal and can be executed by Australian authorities. 

In that case, an Australian security agency can force telcos to act under the new provisions. 

See Justinian on decryption and privacy: Encryption legislation is "fatally flawed" 

Article originally appeared on Justinian: Australian legal magazine. News on lawyers and the law (https://justinian.com.au/).