Thursday, 06 December 2018 11:12

Despite PJCIS' recommendations, CA chief says bill still flawed

John Stanton: "[Encryption bill] a threat to the cyber security of all Australians and a major risk for the future of Australia's IT industry." Supplied

The Federal Government's encryption bill, which is up for debate and passage in Parliament at the time of writing (11am AEDT), still represents a threat to the cyber security of all Australians and a major risk for the future of Australia's IT industry and the livelihoods of Australians who work in that industry, Communications Alliance chief John Stanton has said.

After viewing the recommendations handed down by the Parliamentary Joint Committee on Intelligence and Security, Stanton told iTWire they appeared to address a number — but not all — of the issues that had been raised by CA when it testified before the committee.

Labor and the government struck a deal on Wednesday to pass the bill, officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, on Thursday, the last sitting day of Parliament for the year. Some 50 pages of amendments were handed to the various parties early this morning before debate on the bill began.

Stanton said a final opinion depended on how the government responded to the PJCIS' recommendations. "We need, of course, to see how the government responds, whether they accept all recommendations and how they translate that acceptance, or otherwise, into the language of amendments," he said.

But he did not appear to be optimistic. "As experts from the Internet Policy Research Initiative at the Massachusetts Institute of Technology told the Committee, we are still some years away from even knowing whether it is possible to build a secure exceptional access framework – something that this Bill purports to be able to do," he added.

There are three ways listed in the bill by which law enforcement can get industry to aid in breaking encryption. A technical assistance request or TAR allows for voluntary help by a company; its staff will be given civil immunity from prosecution.

Or an interception agency can issue a technical assistance notice or TAN to make a communications provider offer assistance based on existing functionality.

Finally, a technical capability notice or TCN can be issued by the attorney-general at the request of an interception agency. This will force a company to help law enforcement, by building functionality.

On Wednesday, Stanton had pointed to some issues around the TANs. Today he said these issues were still not resolved, adding that the best thing would be to remove TANs from the bill altogether.

He also said there needed to be a warrant framework for both TANs and TCNs – "some form of judicial oversight is imperative, given the risks involved". Plus, he added, one also needed to see what kind of definition emerged for the term systemic weakness.

Commenting on some of the recommendations, Stanton said the extension of the systemic weakness prohibition to TARs was a positive. "We welcome any improvement in notification and reporting requirements around notices, but we need to see the detail, particularly regarding extensions or variations of notices (the latter of which have no real controls around them in the current bill)."

Regarding the TANs having a tiered approval system when they come from the states, with the AFP commissioner approving them, he said this sounded like an improvement. "But [there] is no substitute for explicit approval by the attorney-general and the need to obtain a warrant, which is what is needed," he added.

Stanton saw the added oversight of the communications minister for a TCN as a positive change.

As to the defining of what a systemic weakness is, he said leaning towards the definition offered by ASD chief Mike Burgess was less ludicrous as a starting point than the definition put forward by Attorney-General Christian Porter, who said on Tuesday: " is a weakness that would affect all applications on all devices at any given single point in time".

On the systemic weakness limitation being extended to cover all listed acts or things in the bill, Stanton said it was better than the original draft, which handed a blank cheque to enforcement agencies to order communications providers to do anything the agencies wanted.

Another recommendation was that two people investigate whether a TCN is workable, these being a technically qualified person approved by ASIO and a judge. Stanton said he would prefer that industry play some kind of role in selecting the tech expert.

But the bigger issue with this was that it did not apply to TANs and this was one of the key remaining problems.

"So, on balance, there are still major problems with this bill, which must be addressed," Stanton said.

"But I have to pay credit to the PJCIS, which has understood and tried to address some of the flaws. The sad part is that the government behaved so poorly in putting pressure on the committee. The PJCIS should have been given time to complete its work."




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


