The chief executive of the Australian Information Industry Association has warned that laws designed to help police and national security agencies intercept encrypted communications are likely to affect the nation’s “ICT innovation and export activities”.
“The act is likely to negatively impact the competitiveness of Australian software and hardware manufacturers in international markets,” AIIA CEO Ron Gauci said. “We believe this could result in declining employment and export revenue, and consequently a significant reduction in local R&D and manufacturing.”
Parliament last year passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, with the legislation receiving bipartisan support.
In order to ensure passage of the bill before parliament rose for the year, Labor withdrew a range of amendments it had argued were necessary to bring the legislation into line with the recommendations of a parliamentary inquiry and reduce the risk of unintended consequences to Australians’ cyber security and the tech sector.
The Senate is currently considering the Telecommunications and Other Legislation Amendment (Miscellaneous Amendments) Bill 2019, which will allow anti-corruption agencies to access the powers introduced last year. As part of that process, Labor has introduced a number of amendments addressing the opposition’s criticisms of the legislation.
“We are disappointed that the amendments proposed [last year] were not passed by parliament,” Gauci said. “However, we are heartened to see that some members of parliament are starting to focus on the economic impact of the legislation on Australia’s ICT innovation and export activities.”
The AIIA is pushing for amendments in two key areas. One is ensuring there is judicial oversight of the issuance of Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs). A TAN is a formal instruction from an interception agency for a service provider to cooperate in some manner using its existing capabilities. A TCN is a direction from the government that a company create an entirely new capability to facilitate the work of an interception agency.
There have been concerns that TCNs could be used to introduce backdoors into services, though the government has argued, using a somewhat narrow definition of a backdoor, that the legislation prevents this.
The AIIA has indicated that it wants changes to the legislation to clarify the definitions of “systemic weakness”, “systemic vulnerability” and “target technology”. The legislation as passed prevents a company from being directed to build a new capability that would constitute a systemic weakness or create a systemic vulnerability — so, for example, the government cannot order WhatsApp to completely remove end-to-end encryption from its service.
The legislation currently says that a systemic vulnerability is “a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.” Systemic weakness has a similar definition.
The legislation is being reviewed by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), and the AIIA has joined with other industry groups, including Communications Alliance, the Australian Industry Group, the Information Technology Professionals Association and Digital Industry Group Inc. (DIGI), to make a submission to the inquiry. That submission argued that the definitions of systemic weakness, systemic vulnerability and “target technologies” are “very difficult to understand, ambiguous and appear significantly too narrow”.
“The limitations intended to be given to systemic vulnerability/weakness through the definition of target technology do not achieve the desired objective,” the submission states.
“Specifically, what constitutes a class of technology?” the submission adds. “Assuming this term has a common-sense meaning (to the extent this exists), then the application to the whole class of technology is far too narrow.”
The submission gives the example of a hypothetical situation where ASIO directs that screen capture technology be introduced into Android smartphones manufactured by a particular company but not all Android handsets by all manufacturers.
“Arguably, this means that not the whole class of technology is affected and, therefore, the modification would not constitute a systemic weakness or vulnerability,” the submission states.
The AIIA has also made a separate submission to the PJCIS inquiry.
That submission calls for urgent analysis of the impact of the new law on the ICT sector. Among other recommendations, it also calls on the government to rein in the extraterritorial reach of the legislation. “AIIA asserts that the impact of the legislation on Australia’s ICT export activities will be negative,” the AIIA submission states. “Products and services of Australian businesses captured by the Act risk being perceived as less secure than those in other jurisdictions.”