With the dust still settling from parliament’s historic decision to pass the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 last week, it is seemingly unclear what the decision means for the average Australian.
Immediate criticism of the Bill has focused on the powers of law enforcement agencies to intercept encrypted communications.
But with the Bill explicitly stating that a “designated communications provider must not be requested or required to implement or build a systemic weakness or systemic vulnerability” – the question now becomes, how will this all work?
“The Assistance and Access Bill, passed with bipartisan support through Parliament last week, was ostensibly designed to give law enforcement the power to gain access to encrypted communications,” said Chair of Digital Rights Watch, Tim Singleton Norton.
“Despite assurances this doesn’t involve intentionally compromising these systems, that’s exactly what will eventuate.”
It is most likely that any potential such compromise would occur as a result of one of the three different notices government agencies can now issue.
The first these, the Technical Assistance Notice (TAN) is a mandatory notice that compels communications providers to give authorities access through a pre-existing capability.
The latest amendments also specify that the TAN must be issued in regard to a specific case, not for open-ended investigations.
A TAN also requires providers to be consulted beforehand, however, if the matter is deemed “urgent” the request can proceed without consultation.
Next, a Technical Assistance Request (TAR) asks organisations to voluntarily assist in cases law enforcement deems appropriate.
It may be the case that these non-mandatory requests will be issued more frequently than others, as there is no punishment for not complying.
Finally, a Technical Capability Notice (TCN) compels a company to not only to comply with requests, but to potentially develop new capabilities to do so.
For a TCN to be issued the Attorney-General must give notice to the Home Affairs Minister, who must then tell the Inspector-General of Intelligence and Security
The new capability that companies are made to create must not constitute a “systemic weakness or systemic vulnerability”, as per section 317ZG in the legislation.
The definition of a “systemic weakness” – which was only added to the legislation last week – is “a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person”.
Can there be one without the other?
The assumption in the legislation is that capabilities can be created to allow law enforcement to read encrypted messages without creating a systemic weakness.
Many industry experts believe this to be an unrealistic expectation.
In its review of the legislation, encryption provider SENETAS warned of long-term consequences.
“This Bill almost guarantees that capabilities created as a consequence of a TCN will come to be misused - given that they are necessarily known by several parties and staff within the commercial entity(s) involved,” it says.
“In the absence of any clearance process for these personnel, the threat of prosecution is unlikely to always be sufficient as to outweigh the financial opportunity presented.”
It also highlighted the challenges of implementing such changes in practice.
“In the context of the provisions of this Bill, a Provider implementing changes under a TCN (for example) seriously compromises normal practices,” it states.
“The short timeframes and limited ability to consult other participants in the network ecosystem may make the ability to conduct such integration and testing procedures challenging if not impossible.
“Changes that are then made unilaterally to hardware and/or software without integration and regression testing across these types of multivendor systems creates a real risk of degrading network performance or causing the network and/or individual components to fail entirely.”
Can your messages be read?
Requests or notices can be issued in relation to a “serious Australian offence”, which the Bill defines as a crime punishable by a maximum term of three years prison.
This covers a very broad range of offences, including copyright infringement or a variety of white collar crimes.
“Safeguarding national security” is also listed in the legislation as a potential reason to issue a request or notice, as is “assisting the enforcement of the criminal laws in force in a foreign country”.
While the Bill is not an exercise in mass surveillance, the provisions will technically allow law enforcement to access a wide range of communication.
As for the everyday, run-of-the-mill, crime-free Australian? It seems unlikely that your messages will ever be accessed.