UPDATE 9/13/2018: The UN Special Rapporteur on freedom of expression has submitted comments outlining his serious concerns with the bill, available here.
DRAD joined a coalition of 31 international civil society organizations, companies, and trade associations on a letter sent to the Australian government to raise concerns that, if enacted, a draft surveillance bill would threaten digital security and privacy by undermining encryption. The recently released draft of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 includes provisions that mirror those in the United Kingdom’s Investigatory Powers Act and would authorize the Australian government to issue orders to companies called Technical Assistance Notices (TAN) and Technical Capability Notices (TCN), which the coalition fears could be used to demand that companies build surveillance backdoors into their encrypted products and services.
“The drafters of this bill sprinkled-in some pro-encryption language, but that doesn’t mask the fact that, if enacted, it would seriously threaten everyone’s digital security by allowing the Australian government to demand that companies redesign their secure products to facilitate surveillance. The recent anti-encryption communique from the Five Eyes intelligence alliance, of which Australia is a member, highlights how this threat is not limited to Australia but could impact the safety and security of people all over the world. A policy loss on encryption in Australia could be the first step toward a security loss for internet and smartphone users everywhere.”
— Kevin Bankston, Director, New America’s Open Technology Institute
The draft bill states that companies “must not be required to implement or build a systemic weakness or systemic vulnerability” and that the government may not prevent providers “from rectifying a systemic weakness, or a systemic vulnerability.” However, the coalition warns in its comments that “other sections of the bill undermine the safeguards provided by this language, thereby threatening encryption and cybersecurity more generally, as well as fundamental human rights, including the right to privacy.”
Specifically, the coalition raises concerns that “the new technical assistance notices and technical capability notices are overly broad authorities that would undermine cybersecurity and human rights, including the right to privacy; the bill fails to provide adequate oversight over these new authorities; the bill creates undue secrecy for the use of these new tools; and the bill includes an overly broad definition of ‘designated communications providers.’”
Following the release of this draft bill, the Five Eyes – a security community comprised of intelligence agencies from the United States, Canada, the United Kingdom, New Zealand, and Australia – issued a communique threatening that “[s]hould governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.” This is one of the clearest statements yet from the Five Eyes that these governments intend on pursuing policies that would mandate encryption backdoors. The communique reinforces the coalition’s concerns about Australia’s draft bill as articulated in its comments.
The comments submitted to the Australian government are available here.