Update — Careful to Whom You Hand the Keys for Encryption

There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system … It was even conceivable that they watched everybody all the time. George Orwell, Part 1, Chapter 1, in 1984

[Image. Source: Flickr, by walknboston]

In an earlier post, Careful to Whom You Hand the Keys for Encryption, I described the extraordinary events of 6 Dec when the so-called “encryption busting” Access and Assistance Act passed into law in the last hours of the last sitting day of Federal Parliament before the end of 2018.

It passed after the Labor Party opposition, who had been opposing the AA Bill (Shadow Attorney General Mark Dreyfus described it as being “obviously dangerous”), gained a promise from the Government that amendments to the Bill would be considered when Parliament reconvened in February. Well, that’s now: it occurred last week on 13 and 14 Feb in a Bill introduced as the Telecommunications and Other Legislation Amendment (Miscellaneous Amendments) Bill 2019 [1].

The new bill at its first reading introduced new powers to Federal and State anti-corruption agencies on the basis that these agencies need the same powers as the agencies that they might be called upon to investigate. Previously, the Australian Federal Police, Australian Crime Commission and state and territory police forces were the only agencies afforded the use of interception powers under the Act.

This makes some sense [2] but raises the age-old question of how do you ensure that these new powers will be held to account? Who watches the watchers? As in the fictional town of Hawtch-Hawtcher by Dr Seuss, the answer to this question often leads to an ever-growing proliferation of watchers [3].

Watching the Watchers

Quis custodiet ipsos custodes? Who watches the watchers? Juvenal from his Satires

In this case, the Australian Commission for Law Enforcement Integrity and state crime and corruption commissions in NSW, Victoria, Queensland, SA and WA were all added to the list, making the tally 17 Federal and State agencies that can use the Access and Assistance interception laws, assuming the new amendments are enacted.

The full list of agencies can be viewed in the pdf document below [4].

Telecommunications (Interception and Access) Act 1979 Annual Report 2016-17

Systemic Weaknesses and Vulnerabilities

The amendments introduced by the opposition Labor Party were aimed at tying down the definition of “systemic weakness” and “systemic vulnerability” in the AA Act [5].

The idea of a “systemic vulnerability” in the original Bill was intended, I presume, to limit technical assistance requests that could weaken internet infrastructure. But the definition given is an incomprehensible “Bullpitism”. It reads:

systemic vulnerability means a vulnerability that affects a whole class of technology but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person.

A further indication of the confusion introduced into the Act with these two terms: the definition of a “systemic weakness” is identical, except that the word vulnerability is replaced by weakness.

The Labor Party amendment, passed by the Senate on 14 February, was to repeal the problematic definitions of systemic weaknesses or vulnerabilities in a new Section 317ZG that will prohibit:

  • preventing a known vulnerability from being rectified;
  • implementing or creating a new decryption capability;
  • taking actions that would render systemic methods of authentication or encryption less effective;
  • any act or thing that would cause otherwise secure information to be compromised by an unauthorised third-party;
  • revealing otherwise secure information for any person who is not the subject, or is not communicating directly with the subject of the technical request or notice.

The full text of the proposed Labor Party amendments can be found in the pdf document below:

8642 Telecommunications and Other Leg Amd (Miscellaneous Amendments) Bill 2019 McAllister

Meanwhile, Big Brother is Watching

Overall, these amendments are a significant tightening of controls on the way that the AA Act can be applied. This is important because under the Act it is the law enforcement and intelligence agencies themselves that decide how it will be applied, not an independent judge.

That the amendments gave the agencies a lot less room in deciding what they can and can’t do is probably why the Government tried to vote it down. But they failed by 37 votes to 28.

Labor Senator Jenny McAllister who proposed the amendments said: “[w]e have been forced to prioritise.” As a result, this Bill and Labor’s amendments don’t yet deal with all of the potential issues that have been identified in the legislation passed at the end of last year. Senator Jordan Steele-John of the Australian Greens said that the amendments only made a bad Bill “slightly better” [6].

Further discussion was postponed until the next parliamentary sitting day which is 2 April. At this stage, amendments have been passed by the Senate but have not been passed into law. The police and intelligence agencies are free to use the laws as they exist now, without any of the proposed amendments.

There are only 5 more sitting days for parliament from 2 April so there is no guarantee that the amendments will be further considered before the Federal election to be held in May. In any case, Home Affairs minister Peter Dutton has said that the Government is not obliged to accept any of the opposition amendments.

The Government has agreed to accept, within a very tight timeframe, further public input to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) by 22 February. Further, the PJCIS will table its recommendations to parliament by 2 April.

Potted History of the Bullpit Effect (see the previous article)

The Bullpit effect is where a politician, or other public figure, opens their mouth to speak but the only words that come out make the speaker appear to be an ignorant and irrelevant stuck-in-the-mud from a time long past.

Senator Brandis trying to explain metadata (unsuccessfully).

What Ted Bullpit would have said if he were in Senator Brandis’ position: “Pickle me, Grandma! Metadata?” followed by “Metadata? Strike me Catholic!”

Former Prime Minister Malcolm Turnbull trying to explain how the laws of mathematics don’t apply in Australia (yes, really).

What Ted Bullpit would have said if he were in the Prime Minister’s position: “someone should blow mathematicians up!”

Home Affairs Minister Peter Dutton refused to say very much of any substance by stonewalling and deflecting. As a result, he didn’t fall into the trap of saying something that would reveal him as a dinosaur from a long-past age. By doing so, he left the trap for the Tech Industry.

Protestations by the Tech Industry were full of technical details about encryption and cybersecurity. Such technical details failed to make much impact upon the public at large in Australia. As a result, the tables were turned and the Tech Industry started to look like Ted Bullpit.

What Ted Bullpit would have said if he’d been in the position of the Australian Tech Industry: “The Kingswood! You’re not taking the Kingswood! I’ve just Mr Sheened the number-plate!”

_________________

[1] Parliament of Australia, Telecommunications and Other Legislation Amendment (Miscellaneous Amendments) Bill 2019, available online, published: 14 February; accessed 18 February.

[2] It brings the definition of ‘interception agency’ into line with the definition under the Telecommunications (Interception and Access) Act 1979.

[3] Theodor Geisel (Dr Seuss), “Did I Ever Tell You How Lucky You Are?”, Random House, 1973. The whole town of Hawtch-Hawtcher becomes watchers watching over other watchers, leading to the first watcher, who is watching the “lazy town bee” so it will work harder.

[4] Department of Home Affairs, Commonwealth of Australia, “Telecommunications (Interception and Access) Act 1979, Annual Report 2016–17”, Appendix B, available online, published 2018; accessed 18 February.

[5] See the article by Rohan Pearce “More law enforcement agencies to get access to ‘anti-encryption’ powers” in Computerworld; published 13 February; accessed 18 February.

[6] By for The Full Tilt, “Duelling ghosts battle over encryption laws in a dying Parliament”, published in ZDNet on 14 February, available online; accessed 18 February.

 
