The organisations said rejecting the bill was recommended "as this is the most appropriate response to the exposure draft in the opinion of the authors of this submission".
The organisations represented in this submission, among the 10 which have been published by the Department of Home Affairs, are the Australian Privacy Foundation, Digital Rights Watch, Electronic Frontiers Australia, Future Wise, The Queensland Council for Civil Liberties, The New South Wales Council for Civil Liberties, Access Now, and Blueprint for Free Speech.
The Department of Home Affairs said the submitters were agreeable to having their submissions published, and that more would follow. The period for public comment on the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 ended on 10 September after the draft was released on 14 August.
The BSA, the software alliance, a group representing dozens of big software companies, apart from Google and Facebook, has urged judicial oversight and a challenge mechanism for the bill. And three big organisations representing the telecommunications industry, the mobile device makers and Australian IT organisations have warned that cyber security, at large, would be harmed by the bill.
The rights and privacy groups said they had many concerns with the draft bill, in particular that it:
- "Introduces a seemingly scopeless definition of 'designated communication providers';
- "Increases the obligations on communication providers to assist with law enforcement agencies;
- "Introduces covert computer access warrants enabling law enforcement to search computers and electronic devices without an individual’s knowledge; and
- "Increases the powers of law enforcement to use and apply the currently available search and seizure warrants."
They highlighted the lack of oversight of new powers granted to the director-general of security, the chief officer of an interception agency and the attorney-general to issue new types of orders which could, both directly and indirectly, force communications and technology companies to provide information about how networks are built and how information is stored, or to directly access encrypted data if they had a key.
"Taking this further, the Bill also grants the power to compel companies to engage in actively building new tools and mechanisms at the request of law enforcement agencies," the submission said.
While the right to challenge such orders in court was possible, the process had not been defined, the group said. And as far as the orders issued by the authorities cited earlier went, there was no restriction apart from the requirement that they be "reasonable and proportionate".
The draft bill contains language that is ambiguous, as iTWire has pointed out on the day it was issued, specifically the use of the word systemic.
It says: "A technical assistance notice or technical capability notice must not have the effect of:
"(a) requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection; or
"(b) preventing a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability, in a form of electronic protection." (emphasis added)
But the word "systemic" is not defined at any place in the draft.
The rights and privacy bodies also pointed to this lack of specific definitions, saying the draft did not appear to be limited by what “assistance” organisations could be ordered to provide.
"The government claims the legislation specifically forbids activities that would provide a ‘systemic weakness or vulnerability’ into an encrypted system. However, the kind of operation that the government is planning doesn’t require an active creation of a weakness, instead opting for an end-point activation," the submission said.
"Most encrypted services allow you to have multiple devices such as a phone and a computer, which can be end-to-end encrypted between all endpoints. If the government could secretly add a new device to that conversation without your knowledge, it would be building a new door into that encrypted communication."
The scope of the draft bill was so wide, that even companies with little connection to Australia could face fines, the submission claimed. It pointed out that any organisation that did not toe the line on a notice, could be fined $10 million, while an individual could be out of pocket by $50,000 and also face up to 10 years in prison.
The submission contains 35 recommendations. Contributors to the submission included Dr Adam Molnar, Lizzie O’Shea, Dr Monique Mann, Angus Murray, Peter Tonoli, Bruno Watt and Dr Suelette Dreyfus.