A coalition of digital rights groups has called for the government’s draft surveillance bill to be scrapped wholesale, saying that it “effectively enacts insecurity by design” and will create “extremely broad powers with almost no oversight without any substantive justification”.
The government has argued that its proposal to increase the ability of police and national security organisations to access online services will not weaken the security of services relied on by millions of Australians.
The exposure draft of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 would create new powers for law enforcement agencies to demand tech companies cooperate with requests for assistance and in some circumstances even build new tools that would allow for user security to be bypassed during investigations.
The government has repeatedly argued that it doesn’t want to undermine encryption and, notes an explanatory memorandum accompanying the draft, the bill includes a prohibition on “requiring a provider to build or implement a systemic weakness or systemic vulnerability into a form of electronic protection”.
“This includes systemic weaknesses that would render methods of authentication or encryption less effective,” the document adds.
However, the term “systemic weakness” is not defined, notes an analysis of the draft bill authored by a range of digital rights organisations and individual activists.
“While we note there are potential difficulties in defining such a term, the absence of a definition renders the section virtually meaningless,” states the submission to the government’s consultation.
“Consultation with appropriately qualified experts in cryptography may be a useful addition into the regime as a safeguard. Further, the limit does not impose any requirement on any agency to disclose systemic vulnerabilities to designated communications providers.”
The submission also notes the potential danger of agencies hoarding systemic vulnerabilities they unearth for use in collecting intelligence: The WannaCry ransomware, for example, used a vulnerability in Windows dubbed Eternalblue that was exploited by the US National Security Agency.
Among the 35 recommendations of the submission — which is backed by the Australian Privacy Foundation, Digital Rights Watch, Electronic Frontiers Australia, Future Wise, the Queensland Council for Civil Liberties, the NSW Council for Civil Liberties, Access Now and Blueprint for Free Speech — was that systemic weakness should be defined in the legislation.
Concern with the proposed legislation extends well beyond that, however.
“It is clear that the government’s entire approach to this legislation is untenable,” said Tim Singleton Norton, the chair of Digital Rights Watch.
“Their attempt to legislate powers that are broad, lack sufficient accountability and transparency, and put our digital society at risk has been rejected by experts in the field, and the government should take note.”
“Any attempt to break encryption would be devastating to our rights, our economy and the internet as a whole,” Singleton Norton said. “This bill should be withdrawn and its proponents sent back to the drawing board.”
The bill would cover any entity that uses the Internet to communicate material or facilitate the communication of material.
“The list of possible entities is endless, and may include banks, media companies, specific journalists, insurers, civil society organisations, law firms, universities and most small and large businesses,” the submission states, recommending that the scope of the legislation be reduced significantly.
The current draft includes an extensive list of acts or things that can be requested by an agency in a technical assistance notice or technical capability notice.
A non-exhaustive list includes removing one or more forms of electronic protection; providing technical information; installing, maintaining, testing or using software or equipment; facilitating access to a facility, customer equipment, data processing device, a carriage service, an electronic service, or software used in conjunction with a carriage service or electronic service; substituting, or facilitating the substitution of, a service provided by the designated communications provider; and concealing that an act or thing has been done.
The digital rights groups argued that “the list of acts or things should be reduced in scope, and be targeted to avoid creating a general capacity to undermine encryption” and that the statutory list of acts or things “should be exhaustive for the purposes of technical assistance notices and technical capability notices”.
Technical assistance requests, technical assistance notices and technical capability notices should be subject to judicial oversight, the submission recommends.
However, the most appropriate response to the exposure draft is that the bill be rejected wholesale, the submission says.
“Despite the ridiculously short timeframe that the government allowed for this consultation, the volume of criticism has been overwhelming — from privacy experts, technology companies, civil liberties advocates and telecommunications providers,” Singleton Norton said.
“We’ve also seen a staggering response from the Australian public, with over 14,000 people writing directly to the government in defence of their right to use encryption,” he said.
“It is easy to assume the public is too disengaged or uninterested to have a view on these kinds of issues, but the strong and sophisticated response makes it clear the opposite is true. The government would do well to heed this warning.”
The full submission is available online.
Read more: NZTech calls for IT industry's own CTO
Major tech companies including Amazon, Facebook, Google, Oath, and Twitter have indicated they are also concerned about the proposed legislation.