The Parliamentary Joint Committee on Intelligence and Security has released an initial report on its scrutiny of the so-called encryption bill revealing details of the deal between the government and Labor that will see the controversial legislation pushed through the House of Representatives and Senate before parliament rises for the year.
The report recommends the bill be immediately passed following the incorporation of a range of changes. One of the more consequential ones is that the bill should be amended “to clarify the meaning of the term ‘systemic weakness’, and to further clarify that Technical Capability Notices (TCNs) cannot be used to create a systemic weakness.”
Technical Capability Notices are a legally binding direction to a company to build a new capability to help facilitate the interception of communications. A recipient of a TCN cannot be required to create a capability that would introduce a systemic weakness into a service.
The committee didn’t offer any suggested language for the bill but noted evidence given by Australian Signals Directorate head Mike Burgess that he considered a systemic weakness to be one that “might actually jeopardise the information of other people as a result of that action being taken” — his was not the only definition that a government agency has offered, however.
The bill also establishes a system of Technical Assistance Notices (directions for a company to provide assistance using existing capabilities) and Technical Assistance Requests (requests for voluntary assistance).
The report also calls for the bill’s list of “acts or things” that can be sought from communications providers be exhaustive.
An amendment foreshadowed by the report will allow a communications provider to seek a binding assessment of whether a TCN would create a systemic weakness, as well as whether the requirements of the notice are reasonable and proportionate, compliance is practicable and technically feasible and “the notice is the least intrusive measure that would be effective in achieving the legitimate objective of the notice.”
The assessment would be conducted by a former judge and someone with a security clearance who has “knowledge that would enable them to assess whether proposed TCN would contravene section 317ZG of the Bill” — Section 317ZG being the part of the legislation that sets out the bar on requiring the introduction of a systemic weakness.
In addition to the attorney-general issuing a TCN, the committee recommended that the communications minister must sign off on the notice.
The committee said the bill should also be amended to “explicitly prohibit an interception agency from asking a designated communications provider to voluntarily implement or build a systemic weakness or vulnerability under a technical assistance request” and impose similar limits on TARs to those that it includes on TCNs and TANs.
An additional measure is limiting the system of TARs, TCNs and TANs to offences with a with a penalty of a maximum period of three year’s imprisonment or more.
The report indicates that the PJCIS intends to continue examining the legislation with an eye to completing its scrutiny by 3 April.
Assuming parliament adopts the PJCIS recommendations, the number of interception agencies authorised to issue notices will remain much the same with the exception of state-based anti-corruption agencies, which for now won’t have access to the new powers.
The Commonwealth Ombudsman will also be given clear authority to “inspect and gather information on the exercise of the industry assistance measures by the Australian Federal Police (AFP), the Australian Criminal Intelligence Commission, and State and Territory interception agencies”.
Attorney-general Christian Porter earlier this week revealed that the government and Labor had come to an agreement to pass an amended version of the bill.