The Federal government has set out a new third-party assurance process it hopes will show its decryption legislation can operate without introducing "systemic weaknesses or vulnerabilities".
The process is one of 12 changes made to the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, which has become known as the decryption bill.
The bill is an attempt by government and law enforcement to access encrypted communications and will require organisations ranging from technology companies and service providers to website operators to do whatever it takes to bypass security protections on a "one-off" basis.
Three types of actions can be utilised by government agencies and law enforcement under the bill:
- A “technical assistance request” that seeks voluntary assistance from the service provider to "do a thing currently within their capacity or ... build a new capability to assist agencies."
- Where the provider has “existing means to decrypt” communications, however, they are likely to receive a “technical assistance notice”.
- A third type of notice, called a “technical capability notice”, would compel the provider “to build a new capability that will enable them to give assistance” to law enforcement or the government. This power can only be exercised by the Attorney-General.
The bill was rushed into the lower house of federal parliament yesterday, just ten days after a public consultation conducted by the Department of Home Affairs - which netted some 14,000 submissions - ended.
Barely any of those submissions have been made public, except by a handful of prominent cryptographers and privacy advocates.
The government has not explained how it changed the bill in response to the consultation or whether it responded to public feedback.
However, iTnews has conducted a side-by-side analysis of 'Schedule 1' of the exposure draft and the bill text introduced to parliament.
Schedule 1 is perhaps the most contentious part of the bill since it covers the requests and notices that can be used to bypass encryption.
We can now reveal that 12 changes have been made, including what appears to be an attempt to gain third-party proof that a request or notice won't cause "systemic" issues for the majority of internet, service, device or software users. This is dealt with at point six below.
1. Public revenue reasoning axed
Within the section 317A Simplified Outline, the government has axed one of the more contentious interests in the exposure draft that the proposed decryption measures could be used to protect.
"Protecting the public revenue" is no longer a valid reason for government or law enforcement to either request or demand the help of technology companies.
(Left: the bill as it was introduced to parliament, compared to the exposure draft on the right)
2. Requests are "voluntary"
The bill introduces a brand new section 317HAA under 'technical assistance requests', which - according to the government - is designed "to clarify that compliance with a technical assistance request is voluntary".
This appears to be designed to quell criticism that the requests would be seen as anything but voluntary by those that received them, given the power imbalance at play.
"Requests may not be legally enforceable. However, the government wields enormous soft power—to suggest that a “request” from the Australian Government can be ignored is ridiculous," University of Melbourne researchers Dr Vanessa Teague and Dr Chris Culnane said in one of the few submissions to be made public.
"As it stands the requests are probably the most powerful aspect of the legislation."
It is unclear to what extent 317HAA would solve this problem.
3. Technical assistance advice
Similar to 317HAA, the new section 317MAA is designed so that law enforcement clearly state the obligations for complying with a technical assistance notice, which is not voluntary.
4. A cybersecurity 'pub test'?
Another brand new section requires law enforcement to consider and counterbalance a range of factors before asking a company to break or weaken its security.
An interesting test is whether what is being sought meets "the legitimate expectations of the Australian community relating to privacy and cybersecurity".
However, it appears from 317RA that the weight each matter is afforded is completely arbitrary.
5. More of the same
Just as 317HAA is for technical assistance requests and 317MAA is for technical assistance notices, a similar provision has been inserted for technical capability notices.
Again, this is simply a new step that requires law enforcement to make clear what kind of obligations the target technology company is under to comply with demands being placed on it.
6. Systemic impact to be jointly vetted
There is a raft of changes to 317W, which describes the kind of "consultation" process that law enforcement has to go through to serve a technical capability notice, the most serious notice under the decryption laws.
A minor change to the wording of 317W sees references to "person" replaced with "designated communications provider".
More substantive, though, is an entire new section added to 317W that aims to safeguard the government's repeated assertions that cooperation with authorities can't and won't create "systemic weaknesses or ... vulnerabilities" in internet infrastructure.
The whole new section aims to protect 'Section 317ZG'. Simply, this is the section that says a "designated communications provider must not be required to implement or build a systemic weakness or systemic vulnerability etc" into its products or services.
Under the changes, the Attorney-General and the impacted provider can jointly appoint auditors to check whether or not systemic issues are about to be created.
Though the provider is meant to foot the bill entirely for this exercise, there is leeway for the government to consider partly or fully funding it.
It is arguable whether or not this safeguard goes far enough. Cryptographic experts say that providers will be forced to come up with systemic solutions to meet the number of "one-off" requests to bypass encryption likely to be filed by law enforcement if the bill is passed.
7. The 'pub test' returns
This is a mirror of section 317RA, which we dealt with above in point four.
8. Foreign laws rule
The decryption bill includes a series of civil penalties that can be sought against providers that don't comply with encryption bypass demands.
Newly inserted, however, is a section that would allow the provider to avoid a civil penalty if meeting the requirements of the Australian government would contravene laws elsewhere.
9. Auditors can be penalised
The new auditors that can vet whether a notice would put a provider in breach of systemic weaknesses rules are not immune from being penalised in the event they disclose information in an unauthorised fashion.
This small change to section 317ZF ensures that the auditors - discussed above in point six - can be fined if they do the wrong thing.
10. Powers of a court
This new section enshrines power for courts to decide what to do with notices or requests issued by Australian authorities, should the matter end up in court.
11. Law limits on notices
A catch-all insertion into section 317ZH means that a technical assistance notice or technical capability notice "has no effect to the extent (if any) to which it would require a designated communications provider to do an act or thing for which a warrant or authorisation" under any law was required. Previously, the section specified the laws that this applied to.
12. Request numbers must be reported
This is a win for common sense: in the exposure draft, the government was exempted from having to report on the number of voluntary technical assistance requests it made each year.
Drs Teague and Culnane noted in their submission that the requests were "inexplicably excluded from the annual reporting requirements".
"It is inexplicable that what limited public oversight is provided for in the legislation excludes one of the most powerful components of that legislation," they said.
But an about-turn has been made: these numbers will now be publicly reported, though little other detail is enshrined in law - and therefore the overall amount of information published may provide little insight into how the laws, if passed, are used.
(Left: The bill text as it was introduced to parliament, compared to the exposure draft text on the right. The new addition is circled).