Australia's anti-encryption laws need judicial oversight: INSLM

A review of encryption-busting laws rushed through parliament at the end of 2018 says unilateral powers given to authorities to approve notices should be stripped and handed to a judicial authority instead.

The Independent National Security Legislation Monitor (INSLM) report into the Assistance and Access Act comes in at 316 pages [pdf], and backs a long-running demand from industry for judicial oversight.

INSLM’s recommendations concern powers to grant a technical assistance notice (TAN) or technical capability notice (TCN) - essentially compulsory orders - against a designated communications provider or DCP.

A TAN is used when the provider already has technical means to provide access to law enforcement, whereas a TCP is used where the means does not exist and has to be custom-built.

The INSLM report finds the law “is or is likely to be necessary”, but requires changes in order to be considered proportionate and protective of people’s (and companies’) rights.

It recommends to “remove the power from agency heads to issue TANs and from the Attorney-General to approve TCNs”, and to “vest those issuing and approval powers in the Administrative Appeals Tribunal (AAT) in a way which will preserve and protect both classified and commercial in-confidence material and allow independent rulings on technical questions.”

It also recommends setting up a “new statutory office – the Investigatory Powers Commissioner (IPC)”, to be overseen by a retired judge who “will assist in approving the issue of TANs and TCNs.”

Based on the most recent set of usage figures, TANs and TCNs are little-used; instead, authorities rely on technical assistance requests (TARs), which seek “voluntary” assistance.

Critics of TARs see them as coercive instruments, pushing for cooperation under the threat of more intrusive, compulsory orders.

However, the INSLM review has recommended no changes to the operation of TARs, barring the use of a “prescribed form” of request.

The review accepted the premise that increased encryption posed problems to enforcement agencies tasked with protecting Australia’s national security interests.

“To counter what is called ‘going dark’ by reason of encryption, agencies must adapt their techniques, and laws must be updated,” the review states.

“I am satisfied from the evidence I have received from intelligence, police and integrity agencies that encryption of content and, to a lesser extent, metadata has made their essential tasks significantly more difficult, and in some instances impossible. 

“I accept the necessity of a legislative response to ‘going dark’.”

However, the review notes that “any legislative response to threats must be adapted, and proportionate, to the risk of them occurring.”

In particular, it “rejects the notion that there is a binary choice that must be made between the effectiveness of agencies’ surveillance powers in the digital age on the one hand and the security of the internet on the other.” 

“Rather, I conclude that what is necessary is a law which allows agencies to meet technological challenges, such as those caused by encryption, but in a proportionate way and with proper rights protection,” the review states.

For this reason, the INSLM proposes additional safeguards be added, including judicial review and the clarification of vague language in the laws that could lead to an overreach occurring.

This would mean proper definitions for what constituted a systemic weakness or vulnerability - long-disputed terminology that impacts the extent to which a security feature could be compromised or broken.

The review said the lack of judicial oversight raised "real question(s) ... of independence and the appearance of it."

"A proper appreciation of the impact of an intrusive TOLA power depends upon the issuer being independent of the agency concerned and, importantly, having technical knowledge," the review said.

"The powers under TOLA cannot be exercised, let alone their impact understood, in the absence of independent technical expertise."

The INSLM review was done at the request of the Parliamentary Joint Committee on Intelligence and Security, and will be used by the committee as a key input into its own review of the laws.

More to come