What the Assistance and Access Bill is
It allows law enforcement and intelligence agencies in Australia to force organisations and individual technologists to provide access to encrypted data and communications, and punish them with fines or imprisonment if they won’t do it, or if they talk about it.
The bill has been talked about since last year, mainly in the context of politicians trying to redefine “backdoor”. It’s now available and open for consultation.
Here’s what it is in video satire form.
What we are going to do about it
There is a public consultation, which is open for submissions till 10th September.
We are encouraging Hack for Privacy followers to make individual submissions from technologists’ perspectives. As we stated when we began organising Hack for Privacy, there is a key voice missing in the privacy debate – technologists – so please join us in making personal submissions to the consultation. We’ve come a long way since the metadata retention “debate” and we want this one to be a lot more robust!
Some of what the bill does
The proposed legislation will establish three levels of assistance that law enforcement and intelligence agencies can seek from communications providers.
The first level is voluntary assistance in response to a “technical assistance request” issued by an agency. The second level is a “technical assistance notice”, which requires a provider to give an agency assistance that the provider is already capable of providing. That could include decryption of data in circumstances where the provider has access to the key.
The third and most extreme level is a “technical capability notice”: a requirement for a company to build new capabilities to assist police. Technical capability notices must be issued by the attorney-general.
What can we (technologists) be required to do?
Section 317E of the bill creates an expansive [but non-exhaustive] “list of acts or things” covering the range of assistance that law enforcement agencies may be able to request from communications providers. It includes removing “electronic protection”, providing technical information, installing software, facilitating access to devices or facilities, assisting with testing or development of a technology or capability, notifying agencies of changes to a service, “modifying, or facilitating the modification of, any of the characteristics of a service provided by the designated communications provider” or “substituting, or facilitating the substitution of, a service provided by the designated communications provider”.
“We know that more than 90 per cent of data lawfully intercepted by the Australian Federal Police now uses some form of encryption. This has directly impacted around 200 serious criminal and terrorism-related investigations in the last 12 months alone,” [former] law enforcement and cyber security minister Angus Taylor said.
“We must ensure our laws reflect the rapid take-up of secure online communications by those who seek to do us harm.
“These reforms will allow law enforcement and interception agencies to access specific communications without compromising the security of a network. The measures expressly prevent the weakening of encryption or the introduction of so-called backdoors.”
Quote from CW2 (quoting Hack for Privacy organiser Robin):
Draft government legislation intended to increase law enforcement organisations’ ability to monitor the use of online communication services pays “some lip service to not creating backdoors”, according to [Robin].
“When they talk about a backdoor, they’re taking a very specific definition of it and they’re saying that they won’t ask any tech company to create a systemic weakness,”
“That’s interesting because I think that’s going to be difficult to achieve,”
“Obviously they want to get access to certain people’s encrypted communications, but by requiring tech companies to build something that allows law enforcement agencies to get access to an individual’s encrypted data they put at risk everyone else’s encrypted data as well.” … The bill states a technical capability notice cannot include a requirement to “implement or build a new decryption capability in relation to a form of electronic protection” or to take actions that would “render systemic methods of authentication or encryption less effective”.
“What they’re trying to avoid is creating a backdoor in encryption itself or in encryption algorithms, and I think that’s definitely a good thing to avoid,”
“But if you look at the definition of a ‘backdoor’ it’s not just about encryption algorithms – it’s about bypassing authentication or encryption in a computer system, which can be done in the system itself or it can be done in the algorithms the system uses.”
“I think what they’re ultimately asking for is a weakness in a computer system – not encryption itself — and to my mind that’s as bad if not worse,” he added.
Exactly how a technical capability notice would play out in practice is not clear — and the chances of the public knowing seem minimal given the bill includes provisions banning the disclosure of information relating to technical capability notices (the ban applies to people connected to the relevant service provider and members of police forces or intelligence agencies and state, federal and territory employees).
There are “probably multiple ways” new capabilities could be implemented to satisfy such a notice, Doherty said.
“The most obvious would be deploying some extra software to the targeted individual’s device,” he said. “Of course if you have the ability to deploy that extra software to one device, it becomes a very attractive target for people who would like to deploy it to others.”
The bill has also caused alarm elsewhere in the tech sector. … “The reality is that creating security vulnerabilities, even if they are built to combat crime, leaves us all open to attack from criminals,” Buskiewicz said.
“This could have devastating implications for individuals, businesses, public safety and the broader economy. We are extremely concerned at the lack of judicial oversight and checks and balances with this legislation.”
NB: we (technologists) will have to implement surveillance mechanisms and not tell anyone about them, lest we face years in prison and a $50K fine ($10M for organisations).
The range of people who would have to secretly comply with these orders is vast. The orders can be served on any “designated communications provider”, which includes telcos and ISPs, but is also defined to include a “person [who] develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end users in Australia”; or a “person [who] manufactures or supplies customer equipment for use, or likely to be used, in Australia”. … You may not have to make false statements, but if you “disclose information”, the penalty is five years’ imprisonment (S.317ZF). What is a “systemic weakness” is determined entirely by the government. There is no independent judicial oversight. Even counselling an ISP or telco to not comply with an assistance or capability order is a civil offence. … Australia, like Britain, wants the luxury of broad, and secret powers. There will be — and can be no true oversight — and the kind of malpractice we have seen in the surveillance programs of the U.S. and U.K. intelligence services will spread to Australia’s law enforcement. Trust and security in the Australian corner of the Internet will diminish — and other countries will follow the lead of the anglophone nations in demanding full and secret control over the technology, the personal data, and the individual innovators of the Internet.
- CW1: New law to force tech companies to build features for police
- CW2: Surveillance legislation: Government’s ‘lip service’ on backdoors
- EFF: Trust Us, We’re Secretly Working for a Foreign Government: How Australia’s Proposed Surveillance Laws Will Break The Trust Tech Depends On
- More on the potential impacts of the bill: What (we think) you should know about Australia’s new encryption bill (AccessNow)
- The bill itself and some useful explanatory sheets: Assistance and Access Bill (Home Affairs)
Last year, Hack for Privacy participated in Attacks on Encryption in Brisbane – a series of talks in anticipation of this bill. You can see the full list of videos with abstracts and bios on the website. Here are some direct links (there are more talks on the website):