The tech industry has responded to the government’s proposed surveillance bill with a giant thumbs down.
The Telecommunications & Other Legislation Amendment (Assistance & Access) Bill 2018 requires companies that provide communications hardware, software, and systems to secretly assist the government in decrypting communications sent over their platforms.
The responses to the bill have been largely negative.
Digital Industry Group Inc (DIGI), which includes representatives from Amazon, Google and Twitter, submitted a response that said “while DIGI appreciates the challenges facing law enforcement, we have concerns with the Bill, which, contrary to its stated objective, may serve to actually undermine public safety by making it easier for bad actors to commit crimes against individuals, organisations or communities.”
“These requirements have potential to erode consumer trust and introduce weaknesses that malicious actors could exploit.”
It also noted the bill can cause extrajudicial issues.
“Notices can require service providers to take actions that violate the laws of other countries in which they operate, or which apply to their services because they support customers from other countries,” it said.
Think tank Australian Strategic Policy Institute (ASPI) has also raised questions about the bill.
“In the wake of the Snowden affair, when brand reputation depends on keeping an arm’s-length relationship with government, many of the tech companies will be loath to appear too close to any government and concerned about any precedents that might be set in a broader international context,” wrote ASPI’s Fergus Hanson in a post.
“Handing over source code, for example, might be one area where some companies draw a line, concerned about the implications in other more authoritarian jurisdictions where that information could be used to cause harm or intellectual property theft.”
The bill has also received the thumbs down from privacy groups Digital Rights Watch and Electronic Frontiers Australia.
“There is no warrant or oversight process here other than that these orders must be ‘reasonable and proportionate’,” said Digital Rights Watch on its site.
“While the government has pointed to the potential for people to challenge in the courts, there is no outline of what this process will be or how the courts will be equipped to handle them.”
“These laws will weaken security for all Australians by undermining the very technologies we use to keep us safe,” said Electronic Frontiers Australia.
“These laws will affect how Australia is viewed internationally, and we have already seen people sharing online warnings for those travelling to Australia for business.”
ACS response
ACS has also made a submission to the review, with members of the ACS Technical Advisory Board raising questions about the feasibility and need for the bill.
“While our members share a strong respect for the need for properly authorised law enforcement and security agencies to have access to communications services, in our view the legislation appears to have insufficient oversight and protections,” the response said.
ACS’ response raised concerns about the practical impacts on Australian companies, including the compliance burden this will place on them, as well as the impact on their competitive position.
“This legislation acts as a powerful disincentive for foreign companies to set up in Australia as it exposes them to onerous compliance obligations, and does not provide sufficient protections for customer data,” said the response.
“It further acts as a disincentive to Australian organisations providing services overseas.
“We believe this legislation will disadvantage Australian cyber and communications companies on the global stage.”
The response noted that the Federal Government recently banned 5G products from companies linked to the Chinese government, and that this legislation may result in overseas bans on companies linked to the Australian Government.
The ACS response has argued that “further analysis needs to be undertaken to understand the burden this Bill will create for local Australian businesses and their ability to be able to compete effectively in the international market.”
It also argued for more stringent governance and oversight, requiring that government agencies exhaust all other means before making an assistance request, while oversight systems should be implemented to avoid abuse.
“The underlying issue is that in the absence of a Bill of Rights or any constitutional protections, unlike all other Anglo-nations, such measures are wide open to abuse without contestability,” it said.
Bill background
The bill was initially revealed in mid-August, with a four-week consultation period in which third parties were invited to provide input.
Submissions closed on 10 September.
The government is proposing three levels of co-operation it can attain.
The first is a “technical assistance request” where the company is simply asked to voluntarily give advice to government, detailing protocols and technical systems.
The second level is a “technical assistance notice” where the company is required to provide information and aid that it is already capable of providing, including the contents of communications if the company possesses them.
The final level of assistance is called a “technical capability notice” and requires that the company develop new capabilities to assist law enforcement, which may involve creating new software and systems on behalf of the government.
The bill was proposed by former Federal Minister for Law Enforcement and Cyber Security Angus Taylor and is now under the auspices of the Department of Home Affairs.
“These reforms will allow law enforcement and interception agencies to access specific communications without compromising the security of a network,” said Taylor at the announcement of the bill.
“The measures expressly prevent the weakening of encryption or the introduction of so-called backdoors.”
Labor has been largely silent on the bill, as yet giving no indication whether it supports it.
The Greens, however, have come out strongly against it.
“Contrary to the stated objective of the bill, Australian cyber security will be significantly diminished by undermining the fundamental principles of end-to-end encryption – which is exactly what this legislation proposes,” said Australian Greens Digital Rights Senator Jordon Steele-John.
“Creating technology vulnerabilities to expand the surveillance overreach of the five eyes network will ultimately leave all of us more vulnerable to criminal activity.”