Industry figures and privacy advocates are up in arms after the Federal Government glossed over nearly 15,000 submissions to push through controversial encryption laws.
Just weeks after the 14 August release of an exposure draft, the government introduced a slightly amended Telecommunication and Other Legislation Amendment (Assistance and Access) Bill 2018 to Parliament.
Almost 15,000 submissions were received during the public consultation – including 14,372 copies of a Digital Rights Watch campaign letter – but on Friday the Department of Home Affairs published just 10 of these with a promise of revealing the remainder “shortly”.
The Australian Human Rights Commission, for one, warned the bill’s “ambiguous” ‘systemic weakness’ provision “authorises certain exceptional access measures” that would have a “‘chilling effect’ on the enjoyment of human rights.”
Human Rights Watch said the bill “poses considerable threats to cybersecurity and human rights” and would set a “dangerous, though unintended, precedent” worldwide.
The Australian Information Industry Association (AIIA), Optus and Telstra have all expressed concerns over the bill.
As-yet unpublished submissions from ACS, Information Technology Professionals Association, Law Council of Australia, Office of the Victorian Information Commissioner, Access Now, Stanford Law School’s Centre for Internet and Society, and countless academics and individuals reflect the breadth of opinions about the legislation.
Public consultation on the revised bill, which has been referred to the Parliamentary Joint Committee on Intelligence and Security, will close on 12 October.
Encryption everywhere
The government’s crackdown comes amidst ongoing industry efforts to make encrypted communications the default online: security testing firm NSS Labs, for one, has predicted that 75 percent of Web traffic will be encrypted using the HTTPS protocol by next year.
Certificate authority Let’s Encrypt, for one, offers free HTTPS certificates that allow the trusted encryption of traffic to and from web sites. And Google has been steadily changing the way its Chrome web browser handles unencrypted sites so that, among other things, they are now marked as being obviously ‘insecure’.
Google has reported surging adoption of HTTPS, and increasing encryption use has long worried law-enforcement bodies that say the technology is regularly impeding their ability to investigate criminal activity.
Encryption affects 9 out of 10 ASIO priority cases, the department has claimed, with more than 90 percent of lawfully-collected data already encrypted and forecasts that all communications amongst terrorists and organised crime groups will be encrypted by 2020.
This trend famously led to a standoff between Apple and the US Federal Bureau of Investigation, which in 2016 reached a stalemate in trying to force Apple to write software to unlock an iPhone 5C owned by the perpetrators.
With encryption now widely used not only Web sites but to protect all manner of mobile chat applications, the challenges of accessing secure conversations have only increased further.
The government “remains committed to the security of communications services and devices and the privacy of Australians,” Home Affairs has argued despite outlining a raft of initiatives including a framework for industry assistance; a strengthened framework for Computer Access Warrants; stronger search warrants “to account for the growing complexity of communications devices and the evidential value of data”; and the ability for ASIO to compel assistance from public and private members of the community.
Riding out the storm
While industry groups agree for the need to better fight criminal activity, the government’s proposal has attracted global condemnation despite claims by ministers that it is not intended to force tech companies to compromise their security with back doors that could be exploited by malicious cybercriminals.
Industry group Communications Alliance held a stakeholder forum that united civil-liberties groups, legal experts, and industry groups in an action that CEO John Stanton said “is sending a strong message to the Australian Parliament – that players in all political parties need to act now to protect the interests, security and privacy of all Australians.”
Writing in The Australian, Stanton said the government’s move to fast-track the legislation was “a breathtaking expansion of Australian security powers” that threatened Australia’s global political and economic standing.
Global standards body the Internet Architecture Board warned that the bill “might have a serious and undesirable impact upon the Internet”, noting that the IETF long ago closed the book on facilitating interception of Internet traffic in its May 2000 RFC 2804 document.
A joint statement by Labor ministers Michelle Rowland and Ed Husic, backed by Mark Dreyfus QC, warned against rushing the consultation process and alleged that the government’s haste “makes a mockery of the exposure draft process, and suggests the ‘consultation’ run by the government was nothing more than a sham…. The government appears to have taken a tick and flick approach to an incredibly complicated bill.”
The government’s accelerated handling of the bill comes just weeks after the August Five Country Ministerial meeting of ‘Five Eyes’ powers hinted at a growing expectation that tech companies will facilitate access to users’ communications.
“Privacy laws must prevent arbitrary or unlawful interference,” the agencies noted in an official statement about encryption policy that confirms all five countries are moving in a similar direction, “but privacy is not absolute…. [lack of access to encrypted communications] requires urgent, sustained attention and informed discussion.