Australia’s encryption-busting bill should “immediately pass” with 17 changes, a joint parliamentary committee says, but it will be left to the final sitting day of the year for the bill to clear both houses.
Though debate on the bill was listed to resume Wednesday, it never eventuated and those left in the House of Representatives at 7.59pm voted to finish on time.
However, in the five minutes prior to the House wrapping up for the day, the Parliamentary Joint Committee on Intelligence & Security (PJCIS) tabled an interim report [pdf], removing the committee from acting as a block to the bill’s passage.
In keeping with the rush to get the bill passed before Christmas, the PJCIS report comes in at barely 14 pages, and although it makes 17 recommendations, no evidentiary basis is provided for any of its decisions.
The only question now, however, is whether the government can muster the support of both houses on Thursday to rush the bill into law.
Through Wednesday afternoon, an eleventh-hour bid was launched via social media targeting Labor MPs ahead of the expected lower house vote.
Greens Senator Jordon Steele-John held out hope that enough Labor members would be swayed to vote against the bill.
"[There's] still time for @AustralianLabor to do the right thing," he tweeted.
Labor MP Andrew Byrne said his party was backing the bill purely on the basis of a "need" he said security agencies had demonstrated for the powers.
That evidence was heard by the PJCIS almost entirely in secret over a four-hour period.
"Labor members have moved to progress this bill despite our concerns because of the evidence from law enforcement and security agencies that there is a need for these powers over the Christmas period and because proposed amendments deliver adequate oversight and safeguards to prevent unintended consequences while ongoing work [by the committee continues," Byrne said.
The PJCIS wants to continue examining the bill despite recommending most of it be passed first. The rest of the inquiry would wrap up in April next year.
What's in the amended bill remains unclear
It’s unclear how many of the committee’s recommendations will actually appear in an amended version of the bill, since negotiations on the text remain between the two main political parties.
Some of the recommendations are vague and simply mimic Labor’s stated policy position.
This includes that systemic weakness be defined - while still not defining it.
iTnews understands that at the time of writing on Wednesday night, the PJCIS was still locked in deliberations over how to incorporate changes into the bill text.
Some of the committee's recommendations aim at substantially tightening ambiguous parts of the bill.
‘Exhaustive’ list of things or acts
In particular, the PJCIS says that “the definitions of ‘listed acts or things’ and ‘listed help’ [should] be exhaustive in the bill.”
So far, the relevant Section 317E [pdf] describes - inexhaustively according to explanatory notes - the kinds of assistance expected from providers that don't offer to help voluntarily.
Even up until Tuesday this week, the government was refusing to provide examples on how the bill might be used, though it may not be able to avoid this.
Technical Capability Notice disputes
In announcing its “compromise” with the Coalition on the bill this week, Labor said that it wanted an enhanced dispute mechanism for companies targeted with the most serious type of notice under the proposed regime.
The new mechanism would see a security-cleared technical expert and a retired judge jointly determine whether or not a capability notice would result in a systemic weakness or vulnerability being created.
The PJCIS said that the pair would have to determine if “the requirements imposed by the notice are reasonable and proportionate; compliance with the notice is practicable and technically feasible; and the notice is the least intrusive measure that would be effective in achieving the legitimate objective of the notice.”
“The report prepared by the technical expert and the retired judge must also be provided to the Inspector-General of Intelligence and Security (for oversight of ASIO) and the Commonwealth Ombudsman (for oversight of the AFP),” the committee said.
Secrecy provisions lifted?
In what could be a small victory for technology companies, the PJCIS says they should be allowed to disclose some information about a technical capability, albeit the wording is ambiguous and there are no explanatory notes.
“The committee recommends that the bill be amended to allow a provider to request that the Attorney-General approve disclosure of a technical capability,” the committee said.
“It would be expected that the Attorney-General would agree to such a request except to the extent that doing so would prejudice an investigation or compromise national security.
“This would complement existing provisions in the bill that enable a provider to disclose publicly the fact that they were issued a technical capability notice.”
“Voluntary” requests given attention
Some attention is paid by the committee to the “voluntary” assistance option provided to law enforcement by technical assistance requests.
Commentators have worried about these requests, owing to the enormous soft power that government could exert on targets to comply with them.
The PJCIS said it wants to see clause 317ZG of Schedule 1 amended “to explicitly prohibit an interception agency from asking a designated communications provider to voluntarily implement or build a systemic weakness or vulnerability under a technical assistance request”.
In addition, it said, it wants clause 317ZH to apply “‘general limits’ on technical assistance notices and technical capability notices ... equally to technical assistance requests”, the first-tier “voluntary” request option.
That would have the effect that providers would not have to take action for any type of request or notice issued under the scheme if it would put them in contravention of other laws.
Access by state agencies
Labor had initally pushed to pass an interim version of the bill that only applied to federal agencies, excluding their state-based counterparts.
This has, however, been watered down in the PJCIS report, after the government decried the limit.
Now, only corruption investigators will not be able to access the new powers.
"The committee recommends that State and Territory law enforcement agencies be retained within the scope of the bill, with the exception of State and Territory independent commissions against corruption which the Committee recommends should be excluded from the scope," PJCIS said.