Digital rights groups call for government to scrap surveillance bill

Proposed legislation ‘effectively enacts insecurity by design’

A coalition of digital rights groups has called for the government’s draft surveillance bill to be scrapped wholesale, saying that it “effectively enacts insecurity by design” and will create “extremely broad powers with almost no oversight without any substantive justification”.

The government has argued that its proposal to increase the ability of police and national security organisations to access online services will not weaken the security of services relied on by millions of Australians.

The exposure draft of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 would create new powers for law enforcement agencies to demand tech companies cooperate with requests for assistance and in some circumstances even build new tools that would allow for user security to be bypassed during investigations.

The government has repeatedly argued that it doesn’t want to undermine encryption and, notes an explanatory memorandum accompanying the draft, the bill includes a prohibition on “requiring a provider to build or implement a systemic weakness or systemic vulnerability into a form of electronic protection”.

“This includes systemic weaknesses that would render methods of authentication or encryption less effective,” the document adds.

However, the term “systemic weakness” is not defined, notes an analysis of the draft bill authored by a range of digital rights organisations and individual activists.

“While we note there are potential difficulties in defining such a term, the absence of a definition renders the section virtually meaningless,” states the submission to the government’s consultation.

“Consultation with appropriately qualified experts in cryptography may be a useful addition into the regime as a safeguard. Further, the limit does not impose any requirement on any agency to disclose systemic vulnerabilities to designated communications providers.”

The submission also notes the potential danger of agencies hoarding systemic vulnerabilities they unearth for use in collecting intelligence: the WannaCry ransomware, for example, used a vulnerability in Windows dubbed EternalBlue that was exploited by the US National Security Agency.

Among the 35 recommendations of the submission — which is backed by the Australian Privacy Foundation, Digital Rights Watch, Electronic Frontiers Australia, Future Wise, the Queensland Council for Civil Liberties, the NSW Council for Civil Liberties, Access Now and Blueprint for Free Speech — was that systemic weakness should be defined in the legislation.

Concern with the proposed legislation extends well beyond that, however.

“It is clear that the government’s entire approach to this legislation is untenable,” said Tim Singleton Norton, the chair of Digital Rights Watch.

“Their attempt to legislate powers that are broad, lack sufficient accountability and transparency, and put our digital society at risk has been rejected by experts in the field, and the government should take note.”

“Any attempt to break encryption would be devastating to our rights, our economy and the internet as a whole,” Singleton Norton said. “This bill should be withdrawn and its proponents sent back to the drawing board.”

The bill would cover any entity that uses the Internet to communicate material or facilitate the communication of material.

“The list of possible entities is endless, and may include banks, media companies, specific journalists, insurers, civil society organisations, law firms, universities and most small and large businesses,” the submission states, recommending that the scope of the legislation be reduced significantly.

The current draft includes an extensive list of acts or things that can be requested by an agency in a technical assistance notice or technical capability notice.

A non-exhaustive list includes removing one or more forms of electronic protection; providing technical information; installing, maintaining, testing or using software or equipment; facilitating access to a facility, customer equipment, data processing device, a carriage service, an electronic service, or software used in conjunction with a carriage service or electronic service; substituting, or facilitating the substitution of, a service provided by the designated communications provider; and concealing that an act or thing has been done.

The digital rights groups argued that “the list of acts or things should be reduced in scope, and be targeted to avoid creating a general capacity to undermine encryption” and that the statutory list of acts or things “should be exhaustive for the purposes of technical assistance notices and technical capability notices”.

Technical assistance requests, technical assistance notices and technical capability notices should be subject to judicial oversight, the submission recommends.

However, the most appropriate response to the exposure draft is that the bill be rejected wholesale, the submission says.

“Despite the ridiculously short timeframe that the government allowed for this consultation, the volume of criticism has been overwhelming — from privacy experts, technology companies, civil liberties advocates and telecommunications providers,” Singleton Norton said.

“We’ve also seen a staggering response from the Australian public, with over 14,000 people writing directly to the government in defence of their right to use encryption,” he said.

“It is easy to assume the public is too disengaged or uninterested to have a view on these kinds of issues, but the strong and sophisticated response makes it clear the opposite is true. The government would do well to heed this warning.”

The full submission is available online.

Major tech companies including Amazon, Facebook, Google, Oath, and Twitter have indicated they are also concerned about the proposed legislation.

Rohan Pearce

Computerworld