Australia's intelligence overseer frets decryption abuse

Australia's Inspector-General of Intelligence and Security (IGIS) has expressed its worries that the nation's proposed decryption bill contains overly powerful immunities which will be open to abuse.

The IGIS inspects the operational activities of six agencies including ASIO, ASIS and ASD, and handles complaints about them.

In a submission [pdf] to the earlier consultation on the decryption bill run by Home Affairs - that is, before the bill was slightly amended - IGIS put forward a 50-page list of concerns at the bill.

One of its key concerns is overseeing how intelligence agencies used the proposed new powers and “significant extensions of existing powers”.

It would also potentially become a recipient of complaints from communications providers about the behaviour of intelligence agencies.

However, it is the substance of IGIS’ concerns with the bill that are likely to be the most alarming.

IGIS repeatedly raises concerns the bill contains too much power for intelligence agencies to confer immunity on providers, regardless of how damaging the weakness they are being asked - or compelled - to introduce is.

“Intelligence agencies will potentially have multiple grounds of statutory immunity from civil and criminal liability that they could apply to communications providers who perform functions for them, which apply different thresholds and are subject to different conditions and limitations,” IGIS said.

“It is conceivable that, in some circumstances, agencies will have a choice about which type or types of statutory immunity they will engage in a particular operation.”

IGIS said there appeared to be no limit on grants of immunity to intelligence agencies.

“The immunity from civil liability for acts done in accordance with a technical assistance request or a technical assistance or capability notice is not subject to any express limitations or exclusions,” it said.

“For example, there are no exclusions for conduct that constitutes an offense; causes serious loss of, or damage to, property; or causes significant financial loss to another person.”

IGIS noted that the bill did not require ASIO, ASD or ASIS to keep any records of, or notify IGIS or their ministers about, what civil immunities it offered providers.

Assistance barrage

It was unclear how frequently - if at all - an intelligence agency could compel a communications provider or other party to repeat an activity that was “requested or compelled” through a single request or notice.

IGIS was also concerned at the possibility of “multiple coercive powers” being exercised on an individual provider at once, effectively amounting to “oppression”.

This, IGIS argued, could occur if ASIO issued “multiple technical assistance notices to a particular provider” at once, or the provider faced requests or notices from “several different agencies” simultaneously.

IGIS called for specific requirements for intelligence agencies to take the potential for oppression into account when considering new assistance requests or notices. This would require “the sharing of relevant information about the exercise or proposed exercise of coercive powers” between agencies.

Backdoors negotiable

IGIS is also worried that a loophole exists that would make backdoors permissible, despite assurances from the government that this would be banned.

While technical assistance and technical capability notices can’t be used to make a provider create a backdoor - a systemic weakness or vulnerability - in their systems, IGIS said that “no such prohibitions apply to technical assistance requests” - which are “voluntary” in nature and negotiable.

“This raises the legal possibility that ASIO, ASIS or ASD could negotiate an agreement with a provider to voluntarily create or fail to remediate a backdoor,” IGIS said.

“That provider would have civil immunity for doing so.

“While it is foreseeable that many providers would decline any such request because it is incompatible with their commercial and reputational interests, the possibility appears to exist that an individual provider could be persuaded to do so, and if so, compensated in accordance with a contract, agreement or other arrangement.”

IGIS said that if this is an unintentional loophole that it should be closed.