A backroom deal between Australia's government and opposition parties should mean local law enforcement can force firms to backdoor their communications by Christmas.
The “Access and Assistance” bill allows designated law enforcement agencies to direct a wide range of technology providers – pretty much anybody who uses encryption – to help them obtain backdoor access to their products. It bears a remarkable similarity to the recently proposed "crocodile clips" idea floated by British intelligence agencies for wiretapping online chat.
The Aussie government was pressuring the opposition party to pass the bill, but that was initially resisted by shadow attorney-general Mark Dreyfus, who insisted that the Parliamentary Joint Committee on Intelligence and Security's inquiry into the technology should be published before the legislation was debated.
The bill has been rushed through the parliamentary process with indecent speed, apparently due to a possible terrorist threat this Christmas. The fact that the government has to call an election in May of next year may also play a factor in the haste.
Now the government has decided to debate the new law in the House of Representatives on December 5. The debate will have to be rushed, since the bill then has to get through a vote in the upper house - the Senate - the same day, before being returned to the lower house. Parliament goes home for the year the day after.
Yesterday, Dreyfus issued this statement saying the government concessions convinced him that an amended version of the bill should pass.
“The changes include limiting the application of the powers in this bill to allow eavesdropping only for serious offences, properly defining key terms in the bill, and requiring a 'double-lock' authorisation process for Technical Capability Notices,” the statement said, and “will ensure there is better oversight and limitation of the powers in this bill, and better safeguards against potential unintended consequences”.
Technical Capability Notices are the legal documents required to force a communications provider to cooperate with the police and backdoor their app. Revealing the existence of a TCN can get you up to five years in prison.
Dreyfus' statement continued: “This compromise will deliver security and enforcement agencies the powers they say they need over the Christmas period, and ensure adequate oversight and safeguards to prevent unintended consequences while ongoing work continues”.
The most important definition to be refined will be what constitutes a “systemic weakness.” The bill already barred agencies from requesting capabilities that would reach beyond a specific investigation, but so far, what constitutes a systemic weakness is badly defined.
The “double-lock authorisation” the ALP agreed to simply means the coercive Technical Capability Notices will need the sign-off of both the attorney-general and the communications minister.
There will also be a review process in which a retired judge and a “technical expert” can be asked to rule on whether an agency's request is feasible.
Attorney-General Christian Porter told a doorstop press conference that a systemic weakness is “a weakness that would affect all applications on all devices at a given time.” Total access, then.
Disputes are inevitable, which is the reason behind the judge-and-expert panel which would provide a report to the attorney-general on whether complying with a particular request would create a systemic weakness.
He declined, on advice from intelligence agencies, to provide any examples of what might constitute a systemic weakness.
Communications Alliance CEO John Stanton is far from satisfied with Porter's definition. He believes the “all applications, all devices” language the AG used would let agencies demand bespoke vulnerabilities affecting vast numbers of users.
The PJCIS inquiry will continue, with government and opposition both saying they expect its work to be used as the basis of amendments to the bill. There will also be another review of the bill's operation in 12 months.
Hostility to tech companies
Speaking to the Australian Broadcasting Corporation's AM current affairs program, government cyber-security advisor Alastair MacGibbon provided an insight into security agencies' hostility to the tech sector.
He accused “US-based tech companies” of “peddling” the view that they're “beyond the reach not just of the law, but our social expectations.” The law, he said, is about “helping agencies get access to and assistance from these tech companies”.
He later accused international tech of holding the view that “Australian law doesn't apply to them”. All police and intelligence agencies wanted, MacGibbon said, was “a tool to give them the ability to talk to tech companies in a reasonable and proportionate manner.”
“What they've [the tech companies] avoided over time is cooperating such that you can get the right information as necessary,” he said.
Apparently, agencies themselves aren't entirely sure of the operation of the bill: “Once the laws come into effect [agencies] will start exploring what this means”, MacGibbon said.
The government had warned that the law had to pass before Christmas, because of the elevated risk of terrorism at this time of year, but MacGibbon agreed with AM presenter Sabra Lane that someone receiving a request had 28 days to respond. Make of that what you will.
Reaction? As hostile as you'd expect
The Communications Alliance has issued a media release in which it says there are “dangerous loopholes” in the bill.
It centres on the two types of notices envisaged in the legislation: The Technical Capability Notice (TCN), under which a company can be ordered to construct technology to intercept communications; and the Technical Assistance Notice (TAN), under which the target must provide assistance if they are able.
First, CEO John Stanton said in the announcement, the bill lists the acts that can be ordered under a TCN in section 317E – but that section doesn't limit the scope of a TCN to only items on the list.
Then there are TANs, which don't require attorney-general approval, take immediate effect (they lack the 28-day consultation period with the service provider), and are available to various agency officers rather than the head of the agency.
“While the draft Explanatory Memorandum seeks to distinguish between what can be required under TCNs as opposed to TANs, this is not reflected in the proposed legislation”, Stanton said.
The social media reaction has been heated.
Bouncy Castle crypto developer Jon Eaves carved out a quick demonstration of how quickly someone can write a new encrypted chat app:
To show the stupidity of the Australian gov I've created a simple concept app which encrypts chat messages in about 4 hours. Your stupid legislation means anybody who wants to remain secret can do the same. And you've compromised everybody in doing it. https://t.co/Pb1xBfP49A - Jon Eaves (@joneaves) December 4, 2018
Proton Mail was blunt: Since they're not subject to Australian law (just as MacGibbon complained), they won't comply with requests to weaken encryption:
As a Swiss company, we are subject to Swiss law, and we do not have the ability to decrypt your messages. - ProtonMail (@ProtonMail) December 4, 2018
The ALP has received especially harsh criticism, partly because a few days ago, prominent backbencher Tim Watts critiqued the bill in a thread starting with this tweet:
I’ve refrained from commenting too much on the Government’s encryption proposals while the PJCIS did its work. But now that Scott Morrison and Peter Dutton have blown up the committee’s work on this Bill, it’s time for a 'thread'... - Tim Watts MP (@TimWattsMP) December 2, 2018
It's particularly poignant that at one point, Watts accused the government of being inept in managing the passage of the bill, since his party has since folded.
A pentester under the handle @attacus_au pointed out that their job – discovering vulnerabilities and reporting them to clients – becomes impossible if they aren't allowed to report their findings, because they might have uncovered an undocumented backdoor inserted at the behest of a security agency.
Digital Rights Watch said the powers law enforcement wants remain “ill-informed, badly drafted and a gross overreach”.
The “deeply flawed” bill “has the likely impact of weakening Australia’s overall cyber-security, lowering confidence in e-commerce, reducing standards of safety for data storage and reducing civil rights protections.” ®