Encryption deal done, but more work needed
5 Dec 2018|

Yesterday the government and opposition came to an agreement to pass the Assistance and Access Bill 2018 just before parliament rises. The bill rocketed towards the top of the political agenda when the government demanded that the opposition allow it to pass this week—the final parliamentary sitting week of the year. Labor reportedly secured assurances from the government that the committee reviewing the bill (the Parliamentary Joint Committee on Intelligence and Security) will continue to do so into next year, that the bill’s powers will be limited to serious offences and given more oversight, and that the term ‘systemic weakness’ will be defined in the final legislation.

Before the deal was reached, industry input had spurred even Aunty to generate tabloid-esque headlines like this: ‘Encryption bill could have “catastrophic” outcomes for Australian business, industry leaders warn’.

In this potion of perspectives, there’s been a lot of misperception and exaggeration. The bill’s unofficial title—‘the encryption bill’—is itself a misnomer. The draft legislation explicitly rules out trying to stop end-to-end encryption. But beneath the fire and fury there is a balance we need to rediscover.

Intelligence chiefs have lined up to explain the problems caused by going dark (the inability to access suspected criminals’ communications because of the growing ubiquity of encryption on everyday devices). ASIO Director-General Duncan Lewis told the committee, ‘I anticipate ASIO would immediately use this legislation if it were available.’ And the head of the Australian Criminal Intelligence Commission, Mike Phelan, has argued that a ‘holistic package’ is the only way forward and that there’s no option of picking and choosing. These are serious people with a strong commitment to serving the national interest.

Balanced against the need to address these concerns is the need to get this bill right. It is not a simple piece of legislation. Several questions require further consideration—like the appropriate authorisations for the different types of requests that can be made, definitional clarity, implications for Australian exporters and the oversight regime. Considerable effort is needed to sharply distinguish (and communicate) the reach of this law and the protections it provides from the practices of states whose overreach we reject.

In the UK, a somewhat similar law (the Investigatory Powers Act 2016—an admittedly much broader piece of legislation) took a year to navigate its way through parliament. The Assistance and Access Bill was introduced into parliament just two and half months ago, or a period of 16 sitting days for the House of Representatives. Hardly an inordinate period of review.

The urgency of passing these laws does need some context. Other similar countries (with the exception of the UK) don’t have similar powers, so the Australian legislation is attracting a lot of attention from multinational companies which are anticipating that other countries will follow Australia’s lead. There are also considerable wait times before the bill’s most far-reaching provisions can be exercised. Before a technical capability notice—which could include compelling a communications provider to develop a way for authorities to access a person’s data—can be issued, the government must first engage in a minimum 28-day consultation period (section 317W), although this can be waived in limited circumstances. The notice can then be appealed, and there’s the time required to actually build the capability. Elements of the bill like this are not quick fixes to the ‘going dark’ problem.

Australia has a strong history of bipartisanship on national security issues and is much stronger for it. It is good that this tradition has been able to hold, if only just, during this debate and a pathway has been found for ongoing review. Given the many issues that still require addressing, further scrutiny will be a good thing.