Australia’s controversial encryption busting laws remain a threat to cybersecurity, privacy, US trade and human rights, according to the world’s largest technology companies and civil rights groups. The cohort, represented by the Open Technology Institute, is urging the Australian government to amend or repeal the legislation which passed late last year.
According to the group — which includes Amazon, Apple, Facebook, Google, Human Rights Watch and Privacy International — without change, the laws will disqualify Australia from bilateral technology deals with America because of its US Cloud Act, which requires any foreign countries entering into bilateral agreements with America to have robust privacy protections in relation to data collection and activities.
Australia’s new laws will make it difficult to meet those requirements, according to the cohort, which is calling for a reduction in the scope of the laws and more oversight in their use and reporting.
In December last year the coalition government passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, giving Australian security and intelligence agencies unprecedented power to access encrypted messages, including mandating companies build access into encrypted communication.
The tech community and civil rights groups were outraged by the new powers, which go further than any others in the western world. Local and global companies argued they had not been fully consulted and most of the recommendations they made had been disregarded.
The Act was passed with the support of Labor with the goal of combatting terrorism and other serious crimes. Labor’s compliance was given with an agreement the laws would be reviewed and amended after the Christmas break. The government reneged on that commitment, according to the opposition, and the laws remain largely unchanged. Labor had vowed to reform the laws if it won government.
Instead, the coalition government was reelected and its only commitment on the new laws has been to grant a short extension to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) committee currently undertaking a mandatory review of the laws.
Among the new powers available to security and intelligence agencies under the Act is the ability to issue three types of technical notices and requests to companies and employees:
- Technical Assistance Notices compel a “designated communication provider” to use a pre-existing communication interception capability.
- Technical Capability Notices require the provider to build a new interception capability.
- Technical Assistance Requests are non-compulsory but have less limitations and less oversight, making them potentially the most susceptible to misuse, according to experts.
Critics argue the new powers have obvious threats to privacy and security. But the fact Australia is the only western nation with such powers means the local market is at a competitive disadvantage; because foreign companies may view the market as a risk, according to Australian technology companies.
Calls for change
The Open Technology Institute filed a new submission to the PJCIS last week, reiterating their concerns (the latest submission is the group’s fifth to the Australian Parliament on the laws) and providing comment on the seven aspects of the legislation the committee is focusing on. The latest PJCIS committee’s scope includes an examination of the Act’s interaction with foreign laws, including the Cloud Act, and its impact on competition.
“Hopefully, the committee’s new focus on the interaction with foreign laws and the competitiveness of Australian industry will lead Parliament to recognise the harms created by the Assistance and Access Act 2018,” said Sharon Bradford Franklin, director of surveillance & cybersecurity policy at New America’s Open Technology Institute.
“The Australian Parliament should ensure that this new review is a meaningful one, and should work to mitigate the many threats to digital security, economic competitiveness, and human rights posed by the new law. Otherwise, these harms will be faced first and foremost by Australians, but also by digital technology users well beyond the country’s borders.”
The Open Technology Institute’s requests are:
- The Parliament should narrow the scope of powers granted to the government under the Assistance and Access Act 2018;
- The Parliament should amend the law to provide clear authorisation procedures and robust oversight mechanisms;
- Unless the Assistance and Access Act 2018 is repealed or significantly amended, it would substantially expand the authority of Australia’s intelligence agencies by granting them unprecedented powers without adequate oversight;
- Unless the Assistance and Access Act 2018 is repealed or significantly amended, it imperils Australia’s ability to qualify for a bilateral agreement under the US Cloud Act;
- The new law has a significant negative impact on Australian industry and competitiveness; and
- The Act be amended to provide for public oversight with additional reporting requirements, including mandatory annual reviews with a publicly-available summary.