Encryption bill faces uphill battle
14 Aug 2018|

After a few false starts, the government has released its promised legislation to address the ‘going dark’ problem caused by encryption—something that affects more than 90% of the data lawfully intercepted by the Australian Federal Police.

Despite much speculation that it might attempt to destroy end-to-end-encryption, the Telecommunications and Other Legislation Amendment (Assistance and Access Bill) 2018 goes out of its way to make clear that it will do no such thing. The draft bill explicitly states that no measure can be taken that requires a designated communications provider to build ‘a systemic weakness, or a systemic vulnerability’ (section 317ZG). The key word here is ‘systemic’: instead of aiming to create systemic vulnerabilities, the bill seeks to facilitate tailored access and the creation of ‘alternative-collection capabilities’.

Reading the draft bill, you get the impression that it has benefited from a long consultation process with industry. But, as discussions that ASPI’s International Cyber Policy Centre has held with the major tech firms, the government, and privacy and encryption experts have revealed, there are a lot of varying views on this issue and the bill will still meet with resistance.

The bill is long and detailed, but here are a few of the key changes it ushers in.

Section 317C brings into the Telecommunications Act’s remit a broad array of companies and individuals under the banner of ‘designated communications providers’. This includes ‘the full range of participants in the global communications supply chain, from carriers to over-the-top messaging service providers’. The category also includes providers of an ‘electronic service’, which is broadly defined to capture ‘a range of existing and future technologies, including hardware and software’ (section 317D).

Part 15 creates three tools for requesting and compelling assistance from designated communications providers. One is voluntary (a technical assistance request) and two are compulsory (a technical assistance notice and a technical capability notice). Both compulsory requests must meet a test of being reasonable, proportionate, practicable and technically feasible.

A technical assistance notice compels a provider to cooperate if it has the capability to do so—for example, to decrypt messages if it already has that capability.

A technical capability notice, by contrast, compels a provider that doesn’t yet have a capability to enable it to assist, to develop one. As the accompanying explanatory document notes: ‘The things specified in technical capability notices may require significant investment.’ This is likely to be the most controversial provision of the bill for many of the big tech firms.

The terrain that the three types of notices can cover is broad (section 317E). One provision that’s likely to be especially controversial is the potential for companies to be asked or compelled to hand over source code (section 317E(1)(b)), subject to a test of whether it’s reasonable and proportionate.

The legislation anticipates that companies, in most cases, will cooperate; however, penalties have been added as an inducement. Companies that don’t comply face fines of up to $10 million and individuals can be fined up to $50,000 for each case of non-compliance. It also increases the penalties in the Crimes Act for those who refuse a lawful request to provide access to a device (for example, their password or fingerprint). The penalty increases from a maximum of six months’ or  two years’ imprisonment to a maximum of five years’  or 10 years’ imprisonment, depending on the seriousness of the crime being investigated.

Many would regard the government’s starting premise as reasonable—that provided a compelling public need exists (as demonstrated by a warrant) governments should be able to compel access to otherwise private information. In this new technological age, a broad range of organisations should help provide that access in the same way traditional telcos have been for a long time. The trick, of course, is in the execution.

The tech companies have been rightly concerned about any attempt to create systemic vulnerabilities or remove encryption. In the wake of the Snowden affair, when brand reputation depends on keeping an arm’s-length relationship with government, many of the tech companies will be loath to appear too close to any government and concerned about any precedents that might be set in a broader international context. Handing over source code, for example, might be one area where some companies draw a line, concerned about the implications in other more authoritarian jurisdictions where that information could be used to cause harm or intellectual property theft.

Some companies might also try to game the law. As drafted, the safeguards that require requests to be reasonable, proportionate, practicable and technically feasible could encourage some companies to secure data in a way that makes it impracticable for them to assist, even if they’re compelled to do so. Companies like Apple already encrypt communications in such a way that they claim they themselves can’t decrypt. Over time, areas where opportunities for assistance exist could be gradually closed off in a similar manner.

This bill is a long way from the one outlined in early reporting last year that claimed encryption would be broken. While it contains provisions that will no doubt receive pushback over the coming weeks, it’s a more nuanced response than reports suggested.