The Joint Parliamentary Committee on Intelligence and Security is expected to commence a review of the bill on Monday. The committee was due to meet in early March but this was postponed due to the disruption caused by COVID-19.
Since the legislation's release, the Independent National Security Legislation Monitor has published its report recommending significant changes to the law to keep Government powers in check and prevent increased damage to Australian industry.
The INSLM report draws upon submissions to the Government from Internet Australia. “We raised concerns about secrecy, safeguards, the risks of backdoors, and the impact on Australian industry, and they listened. We must be vigilant to ensure well-intentioned measures to assist law-enforcement investigations do not reduce security or privacy for the vast majority of legitimate and law-abiding uses, or retard the ongoing development of future secure and trusted methods of communication," said Dr. Paul Brooks, Chair of Internet Australia.
Internet Australia is "keen to amplify and support the recommendations in the INSLM report and recommend to the JPCIS they adopt these recommendations and change the legislation, greatly improving the legislation and safeguards that are supposed to be in it," Dr. Brooks said.
To provide background, the Assistance and Access Bill provides for Government agencies to require service providers, websites, phone manufacturers, broadband modem and related device manufacturers, data centres and other relevant entities to make changes to their systems that implement backdoors for such agencies to gain access to information contained on the device or site or whatever it may be.
The trigger is the widely-publicised locked San Bernardino terrorist Apple iPhone, where Apple refused to comply with FBI demands it provide access to the phone's data. "Under this legislation it would be unlawful to refuse," Brooks said.
Consequently, while the Bill is commonly dubbed "the encryption legislation" it is not about enforcing encryption but the opposite; the legislation notes encryption is good and hard to break so it compels companies to provide a mechanism which divulges unencrypted data.
Yet, this ultimately compromises the Internet. For example, "if Samsung was required to create a special golden key to unlock any Samsung smartphone and it was leaked this means nobody's Samsung phone would be secure anymore," Brooks said.
If we extrapolate this to consider backdoors, weaknesses and golden keys in all our smartphones, modems, routers and similar devices and websites, it is clear the bill reduces the security of the Internet and every Internet user. It also makes those methods of access a prized target for the criminal community, the very community the agencies are trying to catch.
In fact, we have the precedent of the DVD encryption key which was leaked on the Internet and immediately provided DVD ripper software developers the full means to rip any DVD at all.
Of course, the legislation did not set out to weaken the Internet. Agencies point to the real and serious issue of terrorists and pedophiles using encrypted messaging like WhatsApp and Apple iMessage to hide their criminal communications. The agencies intent is to use this legislation to get access to criminal's phones to see clear-text versions of messages.
As good as the intent may be, the law is ambiguous and its protections are largely illusions, Brooks said. The INSLM report thus seeks to tighten and enhance the legislation, not tear it down.
One of the illusions addressed by the INSLM report is that of the warrant required to make a request of a service provider. While the legislation requires the warrant request address if it is the least intrusive method to get an outcome, and whether it exposes data of innocent people, the approval is the agency heads themselves and ILSM sees this as having implicit bias. It is reasonable those approving the warrant request have a vested interest in seeing the notice issued because, after all, they want to catch the bad guys.
In response, the INSLM report recommends setting up an independent judicial body in the Administrative Appeals Tribunal consisting of retired judges with security clearance and backed by technical assistance. The recommendation is agencies submit notices to this approval body to independently determine if the intrusion and privacy requirements are met, resulting in protections which are much stronger.
Legislation threshold uniformity
Another recommendation of the INSLM report is to standardise the thresholds to invoke the legislation's powers with other existing legislation. To be clear, the Bill's powers may be enacted when dealing with offences whose seriousness is measured as three years or mail of jail time. At the same time, the Telecommunications Interception Act for phone tapping requires judicial approval for a warrant and a seriousness of seven years of jail time.
The INSLM recommendation here is for these requirements and approvals to be standardised and for the new legislation to reference the threshold society has already accepted and approved so the laws can only be used on serious and heinous offences such as terrorism, pedophilia, rape, murder and the like.
Companies not individuals
Another concern is currently the legislation permits agencies to approach employees and direct them to make changes to software systems and compel them to secrecy, that is, they cannot tell their manager about it, and allowing products to be subverted without a company being aware.
While agencies say they have no intention of using the legislation this way the problem is the wording does not prohibit it. Hence, INSLM's recommendation is to tighten this wording so any notice served is served on an organisation itself and not an employee deep within its bowels.
Limiting to specific makes and models
Additionally, the INSLM recommendations are the legislation only have its powers used on the specific make and model of a device and software in a criminal's pocket. This means instead of implementing a backdoor or weakness into every handset rolling out of the Samsung or Apple - or even Tesla - production lines, changes are restricted only to the very device and software combination that needs to be accessed for a lawful purpose. It is not acceptable, the recommendations say, to install a weakness in every smartphone or device of all makes and models simply in case it is useful to an agency in some later event.
The thin edge of the wedge
As well as supporting the INSLM recommendations, Internet Australia makes the point the legislation opens a Pandora's Box of potential damage to society. The intrusion and impact of these laws can be vast and wide-reaching if misused.
Further, Australis is sending a precedent to the world. The USA with their recent legislation - Lawful Access to Encrypted Data Act of 2020 (LAED) - is watching with interest, and among the Five Eyes nations Australia is the first to pass its legislation. What we do will have influence on how other nations approach their similar bills.
In fact, Dr. Brooks says, "The USA with its free speech requirements and civil liberties focus said they would never get these laws passed, but by getting them passed in Australia they could ship the San Bernandino terrorist phone to Australia and get Apple to circumvent it because it is lawful here. So each nation can circumvent protections its citizens believe it has by sending devices to another jurisdiction."
The reality is this may or may not happen in practice, but without a precise and unambiguous legislation these notions are not out of the question. The changes and abilities the legislation calls for can be dangerous if not described properly to the organisations that need to make the change. One Government might state it wants a backdoor in Apple iPhones to catch criminals, and every other Government - including those with less-robust civil protections than ours - will also have the right to say to the same device manufacturer they want access to that capability because they know it exists.
This has the capability to compromise the safety and security of Australian business and trade, diminishing or eliminating the confidentiality of their communications in countries like South America, Russia or China. If the capabilities of introducing a backdoor exist then Australians are exposed to countries who do not have the same protections we have for misuse of these capabilities.
This is why, Brooks says, there is such scrutiny on Australia’s introduction of these laws. It has the potential to reduce our security and spread across the globe introducing security weaknesses everywhere. Agencies could introduce a security weakness in MyHealthRecord, for instance.
"If these methods of access became known to every minor hacker on the street, script kiddy, foreign Government it is absolutely frightening," he said.