Privacy concerns about encryption laws
Australia’s key independent national security legislation watchdog is concerned about a law that gives police and spy agencies access to encrypted communications because government ministers and the agencies have the power to authorise its use, without needing any approval from a judge.
The independent national security legislation monitor (INSLM), Dr James Renwick, is also concerned that provisions designed to protect tech companies from being forced to build “systemic vulnerabilities or weaknesses” into their products to give security agencies access are still too vague.
Renwick is finalising a report due in June on the encryption laws, operating since late 2018 when parliament passed the Telecommunications (Assistance and Access) Act.
But he has started to indicate publicly where he believes problems lie.
In a speech to the Lowy Institute last week, and in public hearings late last month, Renwick expressed concern that notices compelling companies to provide access to encrypted data – and in some cases, create access if it doesn’t already exist – are issued by the heads of the requesting agencies or by ministers, and not by an independent judicial officer.
He called this “a significant departure from the normal course”.
Under the new law, issuing a technical assistance notice (TAN) – compelling a company to provide access using a capability it already has – requires only the head of the requesting agency to authorise it.
The agencies allowed to issue the notices include the Australian Security Intelligence Organisation (ASIO), the Australian Signals Directorate (ASD), the Australian Federal Police (AFP) and state and territory police.
Where the encrypted data on smartphones, computers or other devices is not already unlockable, the agencies can seek to issue a technical capability notice (TCN), ordering a capability be developed.
TCN applications must be approved by the attorney-general and require secondary approval from the Communications minister.
At a recent public hearing, officials from the Home Affairs Department said the existing system provided adequate protection because both ministers are accountable to parliament. But James Renwick noted that, “personalities aside”, both were “members of the same cabinet” and therefore “they might both be bound by a cabinet decision”, limiting contestability.
He indicated he may recommend that the applications be made before a judge or a judicial officer in the security division of the Administrative Appeals Tribunal (AAT) instead.
He is proposing that a technical adviser familiar with the technologies involved be appointed to assist the decision-makers.
Renwick indicated he may also recommend that the lowest-level technical assistance request – to which a tech company can agree voluntarily, and which currently requires no ministerial authorisation – should also need to be signed off by the AAT. That would ensure legitimate privacy concerns are considered and the public interest represented.
The parliamentary joint committee on intelligence and security requested the INSLM review. It is also conducting its own inquiry to be completed in September – its third since the laws were first drafted.
The scrutiny is indicative of the level of controversy surrounding them and the strong tech-sector opposition to what many see as a weakening of security overall.
Some companies argue references to a “systemic vulnerability or weakness” fail to grasp the nature of digital technology.
The Washington-based Cybersecurity Coalition, which represents 16 global security tech companies, echoed Renwick’s concerns about the vague and undefined description of what the law is supposed to rule out. The coalition’s submission to Renwick’s inquiry suggested a systemic vulnerability was the insertion of any computer code that could be used – even just theoretically – to affect more than one user.
“As it stands, industry is unable to narrow down the extent to which this act impacts their products and businesses,” its submission said. “… Specifically, the coalition believes that the act fails to provide clear assurances that the government will not attempt to weaken encryption in ways that could create substantial ongoing vulnerabilities via other means aside from what might be traditionally viewed as a backdoor.”
Renwick is considering recommending that the act spell out more clearly what is prohibited. The coalition also urged him to recommend that companies be allowed to disclose the existence of any feature that has been included in a product to help law enforcement.
ASIO’s director-general, Mike Burgess, is happy with the laws as they stand. He told Renwick his agency used them within 10 days of their passage in 2018.
ASIO and ASD are not required to disclose publicly how many such requests they make each year. The AFP made five technical assistance requests between December 2018 and June 30, 2019, and New South Wales Police Force made two. Neither issued any compulsory notices.
Renwick has suggested the AFP should be required also to publish the number of search warrants they execute each year under the Crimes Act.
This article was first published in the print edition of The Saturday Paper on Mar 14, 2020 as "Security blanks".
A free press is one you pay for. In the short term, the economic fallout from coronavirus has taken about a third of our revenue. We will survive this crisis, but we need the support of readers. Now is the time to subscribe.