Proposed changes to Australia’s 'encryption' laws win telco backing

More amendments still necessary, argue Comms Alliance, rights groups

A group representing the telecommunications industry and a number of prominent human rights advocates have welcomed a Labor-backed bill to amend Australia’s ‘encryption’ laws but called for more thoroughgoing changes to the controversial legislation.

Labor Senator Kristina Keneally today introduced the Telecommunications Amendment (Repairing Assistance and Access) Bill 2019, which makes a range of significant changes to the legislation. The legislation was only passed in 2018 thanks to the support of the ALP. The bill is not expected to be debated until 2020.

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (‘TOLA Act’) created a new framework for authorised government agencies to request or order a range of assistance from online service providers. It also introduced a new system that allows the government, subject to certain restrictions, to direct a business to introduce new capabilities into its services in order to facilitate the work of police or intelligence agencies.

Labor said that its bill — the text of which is available from Parliament’s website — would make changes to bring the TOLA Act regime into line with the bipartisan recommendations of the Parliamentary Joint Committee on Intelligence and Security (PJCIS). The party in 2018 ditched planned amendments to give effect to those recommendations, in order to ensure that the legislation was passed before parliament rose for the year.

Among the amendments are measures to alter the definitions of ‘systemic weakness’ and ‘systemic vulnerability’. The TOLA Act includes a prohibition on requiring a service provider to introduce a systemic weakness or vulnerability into its systems.

Currently a systemic vulnerability is defined as “a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person”. That definition has been a source of controversy.

Keneally’s bill appears to significantly broaden what would be considered a systemic vulnerability or weakness, including in its definition “any act or thing that would or may create a material risk that otherwise secure information would or may in the future be accessed, used, manipulated, disclosed or otherwise compromised by an unauthorised third party”.

The legislation would also introduce a system of judicial authorisation for Technical Assistance Notices (TANs; directions to a service provider to give certain forms of cooperation) or Technical Capability Notices (TCNs; directions to implement new capabilities).

Other measures include removing the ability for the Home Affairs minister to remove or alter information in relevant Commonwealth Ombudsman reports, and strengthening the criteria for the Australian Federal Police commissioner to approve TANs.

Telco industry group Communications Alliance welcomed the new bill.

“Installing improved oversight provisions into the legislation will not fix all its problems, but hopefully will begin to instil greater confidence, at home and abroad, in the security of Australian networks and systems – a step that can only help the domestic IT industry and its export prospects,” said the group’s CEO, John Stanton.

Stanton said that Comms Alliance was hopeful the review of the legislation currently being conducted by the Independent National Security Legislation Monitor (INSLM) “will generate further improvements”.

“It’s welcome to see the introduction today of Labor’s proposed amendments to these deeply flawed laws - a long-overdue edit to this fundamentally bad legislation,” said Digital Rights Watch’s Lizzie O’Shea in a statement.

“These amendments outlined in this Bill are a good starting point, but far from a full solution. Tinkering at the edges of badly designed legislation is not going to solve the underlying problem that the powers being handed out to law enforcement are poorly designed and infringe on individuals’ privacy and the security of the Australian digital economy and society.”

“The amendments were promised over a year ago, so even though they deliver several key improvements, the public is owed an explanation as to the delay,” said Lucie Krahulcova, a policy analyst at Access Now.

“It seems an odd timing that they are only introduced now, after the US Congress demanded that the act be amended as a prerequisite to negotiating a data sharing agreement between the US and Australia.”

Labor has said the amendments are necessary in part in order to comply with the criteria of the US CLOUD Act, which includes a mechanism to streamline cross-border investigations by law enforcement.

Copyright © 2019 IDG Communications, Inc.
