Australian Government Reviews Its Encryption-Breaking Law, Says It's Cool And Good
from the it's-a-good-power-grab-bront dept
The Australian government gave itself encryption-breaking powers at the end of 2018. The law went into effect January 2019. The beneficiaries of the law immediately swept in to reap the rewards. Demands for “exceptional access” required tech companies to break encryption upon request to hand over communications and data sought by law enforcement and security agencies.
These efforts began well ahead of any determination as to whether demands for access were lawful or even feasible. In some sense, the requests were lawful simply because a new law had been hurried through to make them lawful. But concerns were belatedly being raised that some government activity fell outside the broad scope of TOLA, a law whose own name (Telecommunications and Other Legislation Amendment) suggests the government that passed it has no idea what it might encompass.
The Australian Federal Police utilized the new powers to partner with the FBI to run a backdoored encrypted chat service marketed exclusively to suspected criminals. Somehow, customers failed to sniff out the ruse, leading to thousands of arrests stemming from millions of intercepted messages. Whether or not this was entirely lawful (even under TOLA) remains to be seen. The thousands of prosecutions should lead to dozens, if not hundreds, of evidence suppression attempts, which will put TOLA’s assumed powers to the legal test.
Three years after implementation, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) has completed its review of the law. Perhaps unsurprisingly, the Committee has found that the law is lawful. However, it may be a little under-supervised.
In the PJCIS’ review [PDF] of the legislation, it supported the powers enacted in the laws but recommended additional safeguards and oversight mechanisms aimed at providing the public with confidence the legislation would be used proportionally and for its intended purpose.
The PJCIS also notes that because critics’ fears have yet to materialize, it must be a good law.
“Agencies have made the case that these powers remain necessary to combat serious national security threats, and some of the worst fears held by industry at the time of passage have not been realised,” committee chair and Liberal Senator James Paterson said.
The report [PDF] also says super weird stuff about the necessity of undermining encryption, like this:
The AFP Commissioner said that end-to-end encryption will impact the ability to investigate and prosecute child sex exploitation:
Between July 2019 to May 2020 – just 10 months – the AFP has laid 1078 Commonwealth Child Exploitation charges against 144 people.
It compares to 74 summons and arrests; and 372 charges laid in the previous financial year.
So… the head of the Federal Police says encryption will make it tougher to prosecute child sex crimes, while quoting stats that show the AFP has doubled the number of arrests and tripled the number of charges it has brought in a shorter amount of time than the previous reporting period. If encryption was really getting in the way of the AFP doing its job, the numbers should be decreasing, rather than doubling or tripling.
It also includes other statements from government officials who have concluded the ends justify the means, even if there aren’t a whole lot of ends to speak of outside of the AFP’s collaboration with the FBI. It also has dour things to say about partnering with the United States government, which has clearly stated that it will not be forcing companies to break encryption and that any investigation engaged in by the Australian government that reaches US shores will have to play by the US’s rules.
Some submitters to the inquiry raised concerns about the compatibility of Australian law with the provisions of the CLOUD Act. The Law Council of Australia said that Australia’s laws will be insufficient to allow for an executive agreement to be made under the CLOUD Act:
The Law Council considers that the current law in Australia as it relates to storing and accessing telecommunications data will be insufficient to allow Australia to qualify for entry into an ‘executive agreement’ with the US. This means that law enforcement agencies in Australia will be restricted to seeking access to data held by a service provider in the US through the existing and time consuming MLAT (Mutual Legal Assistance Treaty) process.
On to the better news. The Committee says the government needs to take steps to assess the impact compelled assistance demands have on local tech companies, which now may find themselves with fewer foreign customers willing to purchase compromised goods and services.
The Committee recommends that the Government implement a periodic survey, starting in three years from the presentation of this report, to ascertain ongoing economic impacts of the TOLA Act legislation on Australia’s ICT industry and the results should be made publicly available.
Of course, this means three years of leaking customers before the government is even willing to start assessing the damage it has done. It’s better than nothing, but a three-year delay may be fatal when applied to the much faster-moving tech world.
This is a slightly better recommendation:
The Committee recommends that s317C of the Telecommunications Act 1997 be amended to clarify that a designated communications provider does not include a natural person, where that natural person is an employee of a designated communications provider, but will only apply to natural persons insofar as required to include sole traders.
This means employees of tech companies won’t be held directly responsible (financially or criminally) for the actions of their companies. The only actions that bother the Australian government (in terms of this report) are refusals to backdoor or break encryption when ordered to. Given that imbalance of power, it makes little sense for the full weight of the government to come crashing down on the person tasked with fulfilling a government request for data or communications.
But overall, the Committee seems happy with the law and expresses few concerns about the complications it causes for local tech providers or the impact weakened encryption will have on the security of the nation’s people, much less the nation itself. The usual suspects — child exploitation and terrorism — are hat-tipped as needed to stress the importance of destroying personal security in the name of national security. And the Committee recommends TOLA continue unaltered, save for a few reviews of economic impact and definitions of “serious offenses” covered by the expansive new investigative powers.