Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018
The Department of Home Affairs received public submissions in response to the exposure draft Assistance and Access Bill from individuals and organisations (1). My originally confidential submission can be seen below.
For context, on 6 December 2018 the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the Bill) passed both houses of Parliament. On 9 December 2018 it received Royal Assent and became law.
Submission
Dear Minister
I write to express my concerns over the draft legislation titled 'The Assistance and Access Bill 2018', and I have outlined these concerns below.
1. I refer to the 29th regular session of the United Nations Human Rights Council (15 June to 3 July 2015), Agenda item 3, ‘Promotion and protection of all human rights, civil, political, economic, social and cultural rights, including the right to development’:
   a. If the ‘communications industry’ has been instructed to ‘give help’ to Australian law enforcement agencies, will the individual be given notice for disclosure of user data?
      i. “Individuals and civil society are subjected to interference and attack by State and non-State actors, against which encryption and anonymity may provide protection. In article 17 (2) of the International Covenant on Civil and Political Rights, States are obliged to protect privacy against unlawful and arbitrary interference and attacks. Under such an affirmative obligation, States should ensure the existence of domestic legislation that prohibits unlawful and arbitrary interference and attacks on privacy, whether committed by government or non-governmental actors. Such protection must include the right to a remedy for a violation. In order for the right to a remedy to be meaningful, individuals must be given notice of any compromise of their privacy through, for instance, weakened encryption or compelled disclosure of user data.”
   b. As noted in the preamble to explain this bill, ‘These powers cannot be used to introduce so-called ‘backdoors’’; which could open a potential weakening of encryption, the draft bill does not specifically state that it will not do this. Could you please update the bill to include that a ‘back-door’ will not be used and include a definition of a ‘back-door’ in section 317B.
      i. “Some States have implemented or proposed implementing so-called back-door access in commercially available products, forcing developers to install weaknesses that allow government authorities access to encrypted communications. Some Governments have developed or purchased tools to allow such access for domestic surveillance purposes. Senior officials in the United Kingdom and the United States appear to advocate requiring back-door access. States supporting such measures often claim that a legal framework for back-door access is necessary to intercept the content of encrypted communications. Governments proposing back-door access, however, have not demonstrated that criminal or terrorist use of encryption serves as an insuperable barrier to law enforcement objectives. Moreover, based on existing technology, intentional flaws invariably undermine the security of all users online, since a backdoor, even if intended solely for government access, can be accessed by unauthorized entities, including other States or non-State actors. Given its widespread and indiscriminate impact, back-door access would affect, disproportionately, all online users.”
2. With respect to Section 317B Definitions, the draft legislation fails to define the following terms or phrases definitively, or have them referred to in current legislation (if applicable):
   a. ‘giving listed help’
   b. ‘giving help’
      i. In the draft bill, this term only outlines the government agency officials to give help to, not outlining the extent of the help given and how.
   c. ‘giving certain types of help’
   d. ‘electronic protection’ (i.e. referenced in Section 317E)
      i. Protection of privacy against state and non-state actors?
   e. ‘reasonable and proportionate’
   f. ‘terrorist act’
3. Why does the Australian Federal Government require ‘assisting the enforcement of the criminal laws in force in a foreign country’? This has not been outlined, nor has it been referenced in the draft legislation.
4. If the Australian Federal Government is required to ‘assisting the enforcement of the criminal laws in force in a foreign country’, before doing so, does it take into consideration foreign laws when ‘assisting’?
   a. For example, in the United States of America (US), will it consider their rulings with respect to encryption as being ‘expressive’ speech?
   b. Will US Companies being issued technical assistance notices follow US encryption rulings or Australian?
   c. For example, please see BERNSTEIN v. UNITED STATES DEPARTMENT OF JUSTICE https://caselaw.findlaw.com/us-9th-circuit/1317290.html
      i. “In light of these considerations, we conclude that encryption software, in its source code form and as employed by those in the field of cryptography, must be viewed as expressive for First Amendment purposes, and thus is entitled to the protections of the prior restraint doctrine.”
      ii. “First, we note that insofar as the EAR regulations on encryption software were intended to slow the spread of secure encryption methods to foreign nations, the government is intentionally retarding the progress of the flourishing science of cryptography.”
5. I have concerns relating to Decision making criteria in Section 317P. The current draft of the bill lists only two positions, the Director-General of Security OR the chief officer of an interception agency, as having the power to assign a technical assistance notice. My concern is that one individual may not have the required breadth or reach interdisciplinary consensus regarding technical, legal and judicial knowledge on each matter and therefore may not be able to establish if the notice is ‘reasonable and proportionate’. Should quantifiable processes be referenced, created or linked to in this bill, rather than a subjective method of approval?
6. Once this legal power is installed, in a different political or economic climate, how will the laws be interpreted or utilised by enforcement agencies? If decision-making powers are centralised, it allows for increased risk in varied interpretations, as human beings are corruptible. Should quantifiable processes be referenced, created or linked to in this bill, rather than a subjective method of approval?
7. It has been shown that some foreign governments do not have the technical ability to carry out their work with respect to encryption. Where in this draft legislation does it state each agency has the capacity to carry out these additional duties and how they plan to do so?
   a. “For example, the NSA is currently required to report numbers called “unique identifiers” in a transparency report compiled annually by the agency’s Office of the Inspector General (OIG). These numbers could help the public understand just how many Americans are burdened by NSA surveillance. But the NSA didn’t report the numbers this year, or the two years prior, because, according to the report, “the government does not have the technical ability.” https://www.dni.gov/files/documents/icotr/2018-ASTR----CY2017----FINAL-for-Release-5.4.18.pdf
Thank you