The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 will make Australians less secure. It will threaten our tech industry, and it attacks our civil liberties. This now opens up a door into people's private communication with each other. I'm talking not just about messaging services where you want to keep your messaging confidential but about communications that we all have with our banks and with people that we buy things from over the internet. All of this now is going to be required to be able to be unlocked and looked at by government agencies and by others.
The problem is that, once you create a door into what are otherwise encrypted and secure communications, you do not know who's going to be able to access that key. This is why, in other countries, when they've looked at legislation like this, they've said no. They've said that the threat of saying that secure communication is no longer secure outweighs any arguments—any security-related arguments, any arguments about law and order—that there might be to allow people to go and snoop on that kind of communication. It's a very simple proposition: once you introduce a weakness and you require by law the introduction of a weakness into otherwise secure communication, you lose control over who can exploit that weakness. It beggars belief that there is, somehow, some suggestion from the government or from the opposition that: 'It's okay; we're putting in protections about not allowing systemic weaknesses.' And I'll come to that in a moment, and I'll come to these hastily circulated amendments that we're being asked to consider immediately and on the fly—I'll come to all of that in a moment.
But the basic principle is there's no such thing as requiring companies to be able to create a key that unlocks secure communication that doesn't also create a systemic weakness. Of course it does. Once you go down that road and introduce not only a back door but, in some instances, a front door, which the government says can now be opened and can be walked into to look at otherwise secure communication—whether it's between people having secure and confidential messages because you want to keep things private, or whether it's what you buy online, or whether it's between you and your bank, or between financial institutions—and once you say, 'You've got to create that key and allow the door to be opened,' anyone can walk through it. That is a fundamental problem with this bill, and it's why other countries have decided not to go down this road.
This bill says that government and government agencies can, at first instance, go to technology companies, communication companies, Telstra, internet providers and the like, and say, 'We want you to assist by handing over some information about communication between a couple of people.' But it does more than that; it doesn't just say, 'We'd like you to be able to assist us and hand that information over'—that's called a 'technical assistance request'. The bill goes further and creates things called 'technical capability requests', which say, 'We want you to actively change your software—your product—to include a way in.' So, if you as the service provider—for example, the people who run WhatsApp—don't actually know what the information is that's passing between two people, or between a person and a bank, or between two business entities—which is, in many instances, the case; the people who run the app may not know what's being said between two people, because it's encrypted—then the bill says, 'You've got to change it so that there's a way in, so that you can know what it is, and you can find out that information, and you can hand it over to us.'
It's because of that that this bill has managed to raise the ire of people who are concerned about civil liberties. And, for a Liberal government—they should just change their name and junk the word 'liberal', because 'liberal' is completely gone now from anything that they stand for; completely gone. The civil liberties groups are saying, 'Well, hang on; this actually poses a significant threat'—not only because people might want to keep communication confidential but also because, now, even if you never use a confidential messaging app in your life, you presume that the information between you and your bank, or about your online shopping, will be kept confidential. Well, you can no longer presume that, because there is every chance that whoever you're engaging with may have been served with one of these notices and required to include a back door or an open front door into the communication that you're having. Not only are civil liberties groups saying, 'Hang on, there's a reason other countries haven't done this. It's because this is going to mean, in many respects, the end of privacy'—but the tech industry has also said, 'If Australia is now going to be the place where, when you develop software, you've got to include weaknesses in it, then why would people develop their software in Australia? Why wouldn't they go to the other countries where you don't have to have these in-built back doors or front doors that anyone can walk through?'—and not just government agencies but wrongdoers and evildoers as well. You're opening that door. And they're saying, 'If Australia has to go down this road, why would people continue to develop software in Australia?'
These are very, very important questions, and, as we deal with updated technology and what it means to keep Australians safe, they are questions that require the utmost thorough consideration. But what have we got?
We've got a bill where people from across the spectrum are lining up and saying: 'Hang on. There are big red flags here. Go slowly.' Instead what is happening, as is usually the case on the last day of sitting in this place, is all of a sudden there are these urgent things that can't wait. Legislation that could have been dealt with six months ago, and gone through the proper process, is now being pushed through the parliament.
We're told by the opposition: 'It's okay. We fixed it. Trust us. We've had a closed door meeting with the government. We've reached a bunch of agreements. Trust us. We've completely fixed it.' Well, pardon me. Fifty pages of amendments were circulated about 10 minutes ago and we were told: 'It's okay. We've all fixed it.' People say: 'No, hang on. I'm not prepared to take you on face value, because we've seen this before.' We were told, 'Don't worry, if we pass legislation in this place allowing agencies to access metadata there's only going to be a handful of requests. It'll be alright. It's okay. We've got some concessions. We fixed it.'
There has been a significant amount of debate online about this. Dane Pratzky made a good point—remember this promise? 'When the metadata collection laws were passed in 2015 the government said only a limited number of agencies would use them. Now reports suggest that even local councils are using these powers to the tune of 350,000 requests a year.' So pardon us, but we're not prepared to accept on face value this idea that somehow you've fixed it.
They said, 'We fixed it, because we have forced the government to accept a definition of "systemic weakness".' In the time that's available to me I've got to page 5 of these 50 pages. 'Systemic weakness', as defined in these proposed amendments, is:
… a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person.
You could imagine that there's basically a group of people—people under 18 or people in Victoria—all of a sudden now under this proposal. Does that now not count as a systemic weakness, if you say: 'I'm just introducing a backdoor into your app for a particular group of particular people. It's only them that we're going to spy on'? Who knows? Probably.
What does it mean by 'a whole class of technology'? Does that mean a particular app? What if a particular app is operating in a particular state or with a particular group of people, are they exempt? Who knows? It still doesn't deal with the fundamental point that I raised before, which is that, once you open that door, you create a systemic weakness.
Why are we in this situation? We're in this situation because a few days ago the Labor Party showed a bit of spine on this. They were applauded, and rightly so. The Labor Party said: 'We're not going to be bullied into passing something because the government says, "There's a rush before Christmas." If the government want particular laws before Christmas, we'll give them those, but not the broader suite.' Well, that didn't last very long.
What we're seeing here is a repeat of every time that the Liberals bowl up something that threatens people's liberty and security—as long as they put the stamp 'national security' on the front of it, Labor falls into line. It doesn't matter what threat it has to our industry, what threat it has to our security or what threat it has to our safety, Labor will do it. Justin Warren put it well on Twitter:
If you want @AustralianLabor to pass a law, just scribble "National Security" on it somewhere in crayon.
That pretty much sums up exactly what we've seen here. Or the way Greg Jericho put it:
In 10 years the LNP will propose everyone having a tracking microchip inserted in their arm, the ALP will protest and then agree to legislation that has it inserted into people's legs instead and they'll say how wonderfully they have improved the bill.
That summarises exactly what has happened here as well.
We've got these amendments that come in and maintain the fundamental problems with the bill. They will now mean that Australia will become a place that people will start avoiding when it comes to developing their tech industry, which is why there are comments online. Adam Chalmers said online:
if the #aabill passes I just won't be able to work in Australia :( I have an ethical obligation to users of my software not to expose their data. Breaking all their crypto/security is just a non-starter.
That is the situation that people are going to find themselves in. I think everyone in the country wants to know that we in this parliament are doing everything we can to keep people safe and that our laws are updated to deal with changes in technology, but they also want to know that the right balance is being struck. One of the ways that you ensure that is by doing this carefully, not rushing it through the week before parliament is due to rise, when you haven't bothered to progress it through the parliament through the usual processes in the last six months, but instead saying, 'We are going to have proper scrutiny and the capacity to deal with this,' which is why Mike Cannon-Brookes said online:
Whatever you feel about the #AABill in Australia, I agree with the @thelawcouncil that rushing such complex legislation through in days is reckless. At the least, these unprecedented laws need far more expert scrutiny & debate.
He is dead right. It may not have dawned upon Liberal and Labor, but no one party has a majority in this House or in the Senate. Why is that? It is because people across the country are saying, 'We do not agree with your having absolute power, cooking up backroom deals and then asking the rest of us to just accept on face value that it's all going to be okay, because we've been down that road before and we've seen what happens.'
We are now in a power-sharing parliament in large part because the Australian people want to shine a bit of daylight and sunlight on the decisions that are being made in this place. They want third voices like the Greens to hold the others to account, especially when it comes to making sure that people are secure online and that people's liberties and privacy are protected online. You don't seem to have got the message, walking in here and saying: 'There are a bunch of amendments. Just trust us. It will all get through. It's alright, we've cooked up this deal. Don't worry.' No, that is not the way you deal with an issue as important as this. This bill should not be proceeding today. This bill should be put to the proper scrutiny and a proper test to ensure that it doesn't affect our industry, our safety and our liberties. If the government seriously needed additional powers to deal with things over the Christmas break, they would have come and asked us six months ago. Instead this is rushed legislation, a bad Liberal-Labor deal that is going to make people less secure online.
Photo credit: Mike Bowers from The Guardian