Neither privacy nor security is absolute, but finding an acceptable balance requires “deep and meaningful consultation” that has been absent through the 18-month life of the controversial ‘Encryption Act’, critics have told the Parliamentary committee evaluating its operation and structure.

Government authorities had “put the cart before the horse” by passing the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 without properly clarifying many definitions and consulting industry stakeholders, Electronic Frontiers Australia Policy Committee chair Angus Murray told the latest Parliamentary Joint Committee on Intelligence and Security (PJCIS) hearing into the legislation.

Arguing that “privacy is absolute” is “absurd”, Murray said, but “the flip side of that is that security is also not absolute and security shouldn’t do away with privacy.”

Digital Rights Watch chair Elizabeth O’Shea agreed, saying the organisation is “deeply concerned by the powers contained in the Act and the serious implications for human rights and democratic governance”.

“We’re very concerned about the rushed process and serious implications of this law,” she explained, noting that the PJCIS review “represents an opportunity to fix these errors”.

Technology giant Atlassian also fronted the committee, with Patrick Zhang, head of intellectual property, policy and government affairs, saying the company is “encouraged” by the recent report by Independent National Security Legislation Monitor (INSLM) Dr James Renwick, who recommended increased independent oversight of the Act’s operation.

The review’s sensible recommendations had, Zhang said, encouraged the company to “strongly believe there is a path forward that will meet the requirements of all stakeholders.”

Failing to meet the standard

Renwick’s review was commissioned by the PJCIS in early 2019 after widespread complaints that the ‘encryption act’ legislation – which was rammed through Parliament with little consultation after an infamous backdown by a previously-resistant Labor – was overbroad and granted too many arbitrary powers to law enforcement and government bodies.

Intrusive powers to intercept private communications “must be granted sparingly and with strong oversight,” Zhang said as he clarified the position of a company that, he said, has “profound concern for the safety and security of Australians”.

Interception powers “must be granted in a clear, proportionate way and with safeguards that retain the public’s trust in the government’s exercise of power,” Zhang said, adding that the act as currently implemented “fails the standard on numerous fronts”.

The ‘AA Act’ has long been contentious for its ability to make technology providers provide back doors so authorities can intercept messages sent across secure messaging systems.

Although the government had repeatedly tried to assuage critics by clarifying its intentions, Zhang said, its granting of significant interventionist powers to ministers and authorities was poorly balanced by safeguards that are “ambiguously defined, open to broad interpretation and fail to provide the necessary protections against overreach”.

Citing anecdotal concerns from Atlassian customers around the world, he said the act’s passage has “significantly degraded the global reputation of the Australian tech sector, as local companies and multinationals alike question whether actions compelled under the Act will degrade industry’s ability to secure customer data and place their employees at individual peril.”

Consensus on the horizon

Renwick’s push to restructure the oversight of the AA Act’s powers encouraged Atlassian to support an alternative approach that would, Zhang said, provide more clarity around “troublesome language” such as the phrase “whole class of technology”.

Newer definitions encapsulated in the Telecommunications Amendment (Repairing Assistance and Access) Bill 2019 – sponsored by Senator Kristina Keneally in an effort to productively amend the AA Act – were “a starting point” because they clarified what is prohibited under AA Act orders, and eliminated “troublesome language” such as the definition of a “whole class of technology” – a term used within the government’s definition of a ‘systemic vulnerability’.

“Without independent oversight, it appears to me that it would be difficult to really understand the authority who is authorising the notice, what definition they’re using and what definition they’re applying,” Atlassian’s Zhang said, warning of “ambiguity” in the way the current regime exercises enforcement powers.

Murray similarly condemned the “form and substance of this legislation, and the manner by which it was introduced”, calling them “ripe for criticism”.

“If the consultative process had been undertaken prior to the passing of this legislation,” he continued, “it is likely that we would have clearer, more articulate and more fit-for-purpose legislation than what we presently are dealing with.... Compromise is achieved through deep and meaningful consultation”.

Ultimately, Zhang said, Renwick-styled oversight would remove the uncertainty around the AA Act and its application – and move both government and industry towards a common understanding that the decisions of an independent overseer were final.

“If there is a framework and mechanism that is put in place where industry is able to express its opposition to a proposed notice and take part in an adversarial process,” he explained, “then we’ll have to live with the outcomes of that process.”