Ten public submissions have been posted on the website of the Department of Home Affairs, with a statement that the submitters were agreeable to having these published, and more would follow. The period for public comment on the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 ended on 10 September after the draft was released on 14 August.
Home Affairs Minister Peter Dutton introduced the bill into Parliament on Thursday last week. The Labor Party has advised caution on proceeding with the bill, while the Greens have said that Australian cyber security "will be significantly diminished by undermining the fundamental principles of end-to-end encryption". The BSA, the software alliance, a group representing dozens of big software companies, apart from Google and Facebook, has urged judicial oversight and a challenge mechanism for the bill.
The three industry bodies said the bill "not only creates a schism between security and safety on the one hand and privacy rights on the other, it also — and potentially even more importantly — creates friction between security/safety for the purpose of law enforcement and crime prevention, and security/safety of electronic products and services and, consequently, for our everyday digital lives".
"The lack of clarity and detail raises significant concerns around intent, actual implementation and, ultimately, legislative overreach. The extraordinarily broad application to almost any person or organisation that has dealings with electronic products and services, irrespective of their location, and the extremely wide scope of acts and things that can be requested of those actors further increase concerns of legislative overreach," CA, AIIA and AMTA said.
In addition, the three organisations said, the extra-territorial reach of the bill was "unprecedented".
"Not only does it have the potential to generate anti-competitive outcomes and to create disincentives for providers to offer products and services to Australians, it also creates significant risks for Australian providers to breach laws in foreign jurisdictions when they are taking action as a result of the requirements of the Bill," they said.
Under the draft bill, companies will be initially requested to co-operate with law enforcement; if they do not, the pressure will be stepped up to force them to help.
First, there will be a “technical assistance request” that allows voluntary help by a company. The staff of the company will be given civil immunity from prosecution.
Next, an interception agency can issue a “technical assistance notice” to make a communications provider offer assistance.
Finally, a “technical capability notice” can be issued by the Attorney-General at the request of an interception agency. This will force a company to help law enforcement, by building functionality.
CA, AIIA and AMTA said these notice processes were "prone to the exercise of bias" and lacked a mechanism for independent assessment.
"Equally concerning is the lack of strong judicial oversight of a piece of legislation that has the potential to significantly impact on society’s overall security and the privacy of individuals," the trio added.
They said given that the bill sought to traverse new ground and to set international precedents, it was imperative that there was a clearly stated reason as to why it was needed, adding that once consensus was reached, the law should be done right keeping in mind Australia's international obligations and the norms of peer nations.
"It is imperative that the legislation does not weaken existing cyber security structures, carefully balances security and privacy considerations, minimises unintended consequences, and it should be developed within a more holistic framework around cyber security, data retention, network security, interception and privacy."
The submission, made on 7 September, urged "further consultation (and work on the development of practical measures and their implementation" before the bill was introduced into Parliament.