Despite the government’s Assistance and Access Act 2018 having already been passed through Parliament and made into law late last year, there is widespread consensus that the controversial legislation requires a thorough review.
Widely dubbed the ‘encryption laws’ – which the AFP has recently confirmed are now in use – came under the scrutiny of industry experts at a Communications Alliance forum in Sydney on Wednesday morning.
Speaking at the event was the executive director and founder of Blueprint for Free Speech, Dr Suelette Dreyfus, who has been an outspoken critic of the process thus far.
“The world is increasingly built around cyber security,” Dreyfus said.
“We are currently in the throes of a process that turns out to be legal gymnastics, designed to pretend not to break it [encryption], but really to break it.”
On what was the final day of Parliament for 2018, the Opposition dropped its proposed amendments for the legislation to allow the new powers to be used over the Christmas period.
And according to Dreyfus, this rushed process has left Australia with laws it should not have.
“The parliamentary process that went into passing this bill into law was, at best, deeply substandard,” she continued.
“At best you could say it was unnecessarily hasty and was full of political grandstanding.
“This actual law should in fact be rejected wholesale, it is just not a good law.
“It should be repealed in its entirety and we are all pretty deeply concerned with the powers that are contained in this Act.”
In its submission on the Assistance and Access Bill last year, ACS warned of the potential dangers of rushing the process.
“We believe there is no need to expedite this legislation and that more time and consideration should be put into both the wording and need for this bill,” it says.
Global impact
Dreyfus was also weary of the regional consequences that the changes could bring.
“Australia wants to be a leader in the Asia-Pacific region. There are other countries in this region who don’t have the same rule of law, who have fewer protections for individual rights,” she highlighted.
“This legislation that was passed not only impacts on Australians, but it sends a message to our neighbours in this region that it’s okay to take away basic civil rights – a right to privacy.”
As well as setting a poor example to neighbouring countries, there are also concerns for how the regulations will impact on Australia’s global competitiveness in the technology space.
Writing in The Australian last week (reproduced in Information Age), ACS President Yohan Ramasundara wrote: “A thorough review of the recent Assistance and Access Bill 2018 [is required], which has the potential to greatly limit opportunities for exporting digital services where security may be compromised."
CEO of the Australian Information Industry Association (AIIA) Ron Gauci echoed these concerns, particularly the effect the laws would have on SMEs.
“On the world stage, our SMEs have developed products, particularly in the security space, that have had a significant impact in global economies,” said Gauci.
“And yet, this legislation actually creates an undermining of that technology, an undermining of the products and solutions that are provided on a world stage.
"To put it more simply, to have organisations that are developing products that now have a compromising exposure to their technical solutions effectively renders them uncompetitive on a global scale.
“It underpins the strength of our economy.”
Legal confusion
And although the legislation is already in force, there is seemingly still a level of confusion regarding the bill from a legal standpoint.
This is largely in respects to certain definitions included, such as that of a “systemic weakness”.
Christine Gillespie-Jones, director program management at Communications Alliance, labelled the current definition – which classifies the term as a weakness that affects a whole class of technology – as “ambiguous to say the best”.
She also took issue with the consultation requirements to give a Technical Capability Notice (TCN) – the notice that compels a communications provider not just to comply with requests for access, but to potentially create new capabilities to do so.
Currently, if the matter at the hands of authorities is deemed to be “urgent”, the request can proceed without the usually required 28-day consultation notice.
“That’s a very low bar,” said Gillespie-Jones. “I predict that the vast majority of requests are urgent.”
“Without further guidance on what urgency is, I don’t think that is a useful consultation requirement.”
There was also discussion around the distinction between the different notices that exist under the bill, namely the Technical Capability Notice and the Technical Assistance Notice (TAN).
Originally, the TCN had a number of moderating factors, while the TAN was relatively unlimited, intended to be a way for government agencies to gauge an understanding of the systems in question.
However, on the day the bill was passed, the government added a new clause for a TAN that “the specified acts or things must not be directed towards ensuring that a designated communications provider is capable of giving help to ASIO or an interception agency.”
Patrick Fair, partner at Baker & McKenzie, pointed out the problem with this last-minute change.
“That’s a beautiful mirror of the TCN, but how limiting is that?” he said.
“I thought the whole purpose of a TAN was to go and get technical information, so you might understand some of these systems.
“It’s a brilliant example of how a rushed process seems to cause a strange outcome.”