Australia’s proposed decryption laws would make it the “weakest link” in the Five Eyes alliance and therefore a “funnel” for international requests for data, the Law Council of Australia has warned.
In a submission [pdf] on Australia's Assistance and Access Bill 2018, the Council - which acts on behalf of 60,000-plus lawyers in Australia - raised concerns at the extent of vague and “intrusive powers” being canvassed with limited if any judicial oversight.
The Council wants the proposed laws significantly tightened, cutting out broad catch-all clauses that could open a range of organisations up to costly - even illegal - demands from Australian authorities.
In introducing the bill to parliament last week, the government removed revenue protection as a reason for which the proposed decryption laws could be used.
However, it left in “assisting the enforcement of the criminal laws in force in a foreign country” as an acceptable reason to invoke the proposed laws - and the council is concerned at the effect that alone could have.
“The enforcement of criminal laws in other countries may mean international requests for data will be funneled through Australia as the ‘weakest-link’ of our Five Eyes allies,” the council said.
“This is because Australia has no enforceable human rights protections at the federal level.”
The Law Council said that “if ‘assistance to foreign law enforcement’ is to remain as a basis” for voluntary requests or compulsory technical notices to be issued, then extra safeguards should be put in place.
In particular, “the relevant decision-maker ought be required to give consideration to the mandatory and discretionary grounds for refusing a mutual assistance request” under existing laws.
In addition, the Law Council argued that compliance costs should also be considered.
“The mandatory aspects mean that Australian intelligence services may compel Australian service providers to undertake extensive and potentially resource-draining activities in response to assistance requests from foreign law enforcement agencies,” it said.
Costs and “significance”
The Law Council placed particular emphasis on the likelihood that the bill would cause significant costs for parties that were targeted, while allowing law enforcement to defray its own costs.
The entire decryption bill centres on whether what law enforcement asks for - or demands - is “practicable” or “technically feasible”.
Neither term is defined in the legislation, and pursuing a ruling on the meaning through judicial review would be an expensive and time-consuming process that could be out of reach of smaller, targeted organisations.
In addition to being “practicable” and “technically feasible”, the Law Council argued the “significance” of any decryption request should also be taken into account, as well as compliance costs.
Neither is specifically called out in the proposed law as a factor that must be taken into account.
But both could become critical issues if Australia becomes a funnel for all manner of international data requests.
“A minor issue with significant compliance cost to the recipient that is a small business might not justify the granting of the warrant, whereas a more important issue might,” the council argued.
The council argued the case for limits in the legislation “on the extent to which the bodies seeking the warrant or authorisation can transfer data filtering or data organisation tasks onto the recipient.”
That argument stemmed from concerns that the proposed law is vague enough that targets might not just have to decrypt data, but also prepare it in formats deemed acceptable by law enforcement.
In addition, as it stands, the laws would apply to all organisations in the end-to-end communications value chain, regardless of whether they can decrypt communications.
The council was largely unimpressed with this, arguing the scope “should be limited to entities which have control over encrypted information and are able to access and decrypt it.”
The Law Council also echoed Telstra’s concerns that the proposed laws could be used to gain access to the content of communications.
“The legislation should expressly state that the power to request or require decryption (or an individual to facilitate opening up a password protected device) does not displace the need for an agency to obtain lawful authority to view the content of a communication or electronic record,” the council said.
Lack of judicial oversight
The Council also expressed concern at the level of power the bill would confer without judicial oversight.
Mandatory technical notices could be issued “based on the subjective view of individuals, without requiring an independent evaluation and authorisation by a judicial officer.”
For the most serious type of notice, the bill before parliament added provisions allowing the Attorney-General and target company to jointly appoint an independent overseer to vet some aspects of the notice. However, there is no mention of judicial oversight.
“Given that the power to issue a [notice] is significantly intrusive, and likely to require much more active assistance of the recipient than compliance with a requirement to protected access to content of an unprotected communication, issuance of a [notice] should require authorisation by a judicial officer (judge or full-time member of the Administrative Appeals Tribunal (AAT)),” the Law Council argued.
The council also noted there were “limited options to seek judicial relief for notices that have already been issued. This is particularly inappropriate where the decision-maker is not a judicial officer.”
Targets could be left having to comply with a notice that a court could later deem illegal.
The Law Council wants time to be afforded to targets that challenge notices in court.
“Once a notice is complied with, potential exposures have already occurred and the consequences may not be rectifiable, even if a court then finds the notice to have been illegal,” the council said.
“The Law Council submits that it is inappropriate to limit the scope of judicial review in respect of such intrusive powers, and that they should be subject to a judicial process that explicitly provides for [notices] to be challenged before a judicial authority and set aside before compliance is required.”