Oz government rushes its anti-crypto legislation into parliament
With an election due in May, clock is ticking
The Australian government has rushed forward its proposed anti-encryption legislation, a mere week after a public consultation into the rules closed.
A Federal Coalition party meeting yesterday cleared the bill to be introduced into parliament, giving the strong impression the government hopes to push the draft law onto the statute books as soon as possible. (This is the same draft law that was floated earlier this year, before a change in prime minister gummed up the works. Now it's back in the mix with no changes, in spite of the public consultation.)
One of the most contentious aspects of the bill, as it currently stands, is that it allows law enforcement to ask communication service providers to give investigators access to unencrypted messages under an escalating set of notices, from voluntary compliance all the way up to a court order.
This will be somewhat tricky to pull off for strong and truly end-to-end encrypted systems. In effect, weaknesses will have to be baked in to accommodate Oz cops and government agents' on-demand requests for decrypted data: weaknesses that criminals could find and exploit, and that would reduce the overall security of the system.
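To make the point above concrete, here is an added illustration (not code from the article or from any provider it mentions) of why a provider cannot simply hand over plaintext from a genuinely end-to-end encrypted service without changing the design. It models two variants of the same messaging scheme: one where only the two users' devices hold the session key, and one where a copy of that key is also wrapped under a provider-held escrow key so the provider can decrypt on demand. The cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag), the `Message` layout, the function names and the sample keys and text are all constructed for this example; the escrow design is one assumed way of "baking in" access, not a mechanism the bill or the article specifies.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream with HMAC-SHA256 in counter mode (illustrative PRF, not a vetted cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any tampering or wrong key."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


@dataclass
class Message:
    body: bytes                    # plaintext encrypted under the two users' session key
    escrowed_key: Optional[bytes]  # session key wrapped under the provider's escrow key, or None


def send(session_key: bytes, plaintext: bytes, escrow_key: Optional[bytes] = None) -> Message:
    """True E2E when escrow_key is None; the on-demand-access variant attaches a wrapped key copy."""
    wrapped = encrypt(escrow_key, session_key) if escrow_key is not None else None
    return Message(body=encrypt(session_key, plaintext), escrowed_key=wrapped)


def recipient_read(session_key: bytes, msg: Message) -> bytes:
    return decrypt(session_key, msg.body)


def provider_read(escrow_key: bytes, msg: Message) -> Optional[bytes]:
    """What the provider, or anyone else who obtains the escrow key, can recover.

    In the E2E case the provider only relays ciphertext, so it gets None.
    """
    if msg.escrowed_key is None:
        return None
    session_key = decrypt(escrow_key, msg.escrowed_key)
    return decrypt(session_key, msg.body)


def demo() -> dict:
    """Run both designs over a constructed message and report who can read it."""
    session_key = secrets.token_bytes(32)  # agreed between the two users' devices (constructed)
    escrow_key = secrets.token_bytes(32)   # held by the provider (constructed)
    plaintext = b"constructed sample message"

    e2e = send(session_key, plaintext)
    escrowed = send(session_key, plaintext, escrow_key=escrow_key)

    # A breach of the provider leaks the escrow key: the thief now reads every escrowed conversation.
    stolen_escrow_key = escrow_key

    # Tampering with a message is detected in both designs, because decrypt() checks the MAC first.
    try:
        flipped = e2e.body[:-1] + bytes([e2e.body[-1] ^ 1])
        decrypt(session_key, flipped)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "e2e_recipient": recipient_read(session_key, e2e),
        "e2e_provider": provider_read(escrow_key, e2e),
        "escrow_recipient": recipient_read(session_key, escrowed),
        "escrow_provider": provider_read(escrow_key, escrowed),
        "escrow_thief": provider_read(stolen_escrow_key, escrowed),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The escrowed variant is the "weakness baked in": the provider can now comply with a decryption notice, but so can anyone who copies the escrow key, and that single key unlocks every conversation rather than one. Confidentiality of the whole service then rests on the provider keeping that key secret, a property the pure E2E variant never had to assume.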
And the bill allows practically any activity to be defined as a “communication service” – operating a website, for example, falls under the rules.
Senator Jordon Steele-John (Greens) noted that in spite of the brief consultation period, the legislation attracted 15,000 submissions from the public. “There is simply no way the government has had time to consider all of those responses in their decision to endorse the bill this morning,” he said yesterday.
While the legislation is likely to pass the House of Representatives, Australia's upper house, the Senate, will be harder to negotiate. It's likely that the bill will be sent to a Senate committee for scrutiny, a process that could result in changes to the proposed law.
The government has to call an election no later than May 2019, which puts the legislation on a tight time-frame. The administration's decision to shove it through the system comes as industry and civil society groups start ramping up their opposition to the proposed rules and regulations.
Law firm Baker McKenzie is tomorrow (20 September) hosting an encryption forum bringing together industry representatives (carrier peak group The Communications Alliance, and academic network operator AARNet), Digital Rights Watch, the NSW Council for Civil Liberties, and law firm Gilbert and Tobin.
As well as fearing that the not-a-backdoor legislation will allow law enforcement to demand that comms providers – who could be nearly anybody – craft customized vulnerabilities for government snoops to exploit, the groups are concerned about the lack of ministerial and judicial oversight, and warn that it could require vendors to break the laws of other countries in order to comply with Australian law.
Communications Alliance CEO John Stanton hopes the encryption forum will draw the government's attention to flaws in its current approach.
“This broad and spontaneously-formed coalition of stakeholders is sending a strong message to the Australian Parliament – that players in all political parties need to act now to protect the interests, security and privacy of all Australians,” Stanton said.
The group echoed a warning last week by the global Internet Architecture Board, which said (PDF) the draft law risks fragmenting the internet.
For example, European GDPR compliance would put an international service provider in breach of the Australian rules: “This risk might cause some infrastructure providers to relocate, reduce service or even block service to Australian users. Such fragmentation of the Internet is one of the primary concerns we have today, as it reduces the value of a global, highly-connected internet.”
The IAB also warned the Australian government not to try and interfere in the Internet Engineering Task Force's work. “The IETF, in RFC 2804, has rejected the development of any system designed to aid state actors in compromise of the security of Internet communications,” it urged.
“Compelling individual participants to act contrary to that consensus introduces doubts about the motivations of and influences upon a participant’s actions, and therefore may disadvantage Australian participants in these processes. Internet standards development is based upon mutual trust, cooperation and good-faith participation. Having those undermined by this legislation does not appear to be an appropriate result.” ®