Does your business use the internet or do you use it for personal reasons?
If you are reading this post, the answer is a resounding “yes” and, like most businesses and individuals, you may be affected by the Assistance and Access Bill 2018 proposed by the Federal Government, also known as the Encryption Bill. Ai Group and many others have expressed concern about unintended consequences and the need for long and careful scrutiny of these proposals.
Why is the Government pushing for this Bill?
The Bill creates powers for law enforcement and intelligence agencies to seek or compel assistance from a wide range of businesses in circumventing data protections in the products and services they offer to customers who are subject to some form of investigation.
However, Australia was not the first to come up with this type of legislation. The UK introduced the original model for this Bill. Meanwhile, the so-called Five Eyes intelligence-sharing nations (USA, UK, Canada, NZ and Australia) have recently made a joint statement that supports the rationale behind the Bill.
What are the general problems with this Bill?
Industry and the public support the need to assist law enforcement and intelligence agencies to tackle national security, terrorism and crime in the digital world. We are also all strong proponents for online safety, cybersecurity and privacy of data.
Public discussion ahead of the release of the Bill focussed on whether the Government would be creating “backdoors”, i.e. weakening encryption. Encryption is fundamental to keeping our communications and online activity safe, secure and private. In an attempt to assuage public and expert concerns, the Government stated that it does not intend to deal with encryption or require the creation of backdoors. They drew attention to a provision in the Bill stating that it should not require the implementation or building of a systemic weakness or systemic vulnerability.
Despite this, we are of the view that introducing any type of technical capability or functionality to grant access to a user’s hardware or services potentially creates a systemic weakness or vulnerability. This is because once developed it may be capable of extension to any and all users and could also create an opening for others to take advantage of new and existing weaknesses in the system. We are certainly not alone in this view, with others ranging from human rights advocates and civil society groups to technical experts and technology companies expressing similar concerns.
The Internet Architecture Board, which rarely comments on government legislation, has gone a step further and warned that weakening encryption would threaten internet security and integrity, leading to fragmentation of the internet.
In its present form, this Bill is broadly and vaguely scoped legislation, without sufficient judicial oversight. Passing it in this form and without adequate scrutiny would be inconsistent with the public interest. Passing a Bill that overly strengthens government power to the detriment of citizens’ rights could see Australia sleepwalking into a digital dystopia.
Will my business be affected by this Bill?
The current Bill is not just about “communications businesses” and “IT businesses”. It is relevant and of potential concern to a much wider range of businesses than may have been originally envisaged by the Government. This includes manufacturers and industrial solutions providers whose products and services are increasingly networked and digital, incorporating cloud services, networked systems, telecommunications services, telecoms or IT hardware or other digital services into manufacturing.
Some suggest the Bill’s net is cast so wide that it also extends to businesses and individuals who operate websites, and just about any business and person who uses the internet. Ubiquitous smartphones and connected devices in the workplace and at home mean the effects could be almost universal.
Why might this Bill be of concern to businesses?
From an industry perspective, an underlying concern with legislation of this type is whether it will create a loss of trust between businesses and their customers by compromising, or being seen to compromise, their privacy, data protection rights, security or safety. Legislation that weakens this protective framework leads to public distrust – the impact of which should not be underestimated by legislators and policymakers, as recently seen with My Health Record.
If your business holds private data on behalf of customers, or supplies them with equipment and services through which they create, store or exchange their own data, or provides related products and services to businesses that do these things, you may be affected. Related to this, if your business is required to comply with new pieces of legislation such as the Notifiable Data Breach scheme and the EU General Data Protection Regulation, the Bill could also create a potential conflict of data protection laws in Australia and foreign countries.
From an employer-employee perspective, what does it mean if the individual is compelled by an agency under the Bill to do something that results in a weakness to the system without the employer’s knowledge? There are proposed secrecy provisions in the Bill that could prevent the employee from advising their employer, which leads to other issues such as industrial espionage and breach of employment contract.
If businesses are required to give government information for the purposes of the Bill, this may reveal their intellectual property. What protections are provided to guarantee that businesses’ sensitive commercial information will not be compromised?
The above examples are just snapshots of concerns that have been raised about this Bill. The breadth of potential impact and the fact that many affected businesses haven’t previously been involved in these issues means that there may be more.
What is the current state of the Bill?
The Government rushed the Bill into Parliament on 20 September, just 10 days after the close of submissions on an exposure draft (see our submission here), with minimal amendments in response to widespread critical feedback.
The Bill has been referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS). Submissions to the PJCIS are due to close on 12 October and hearings intended for 19 October: https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/TelcoAmendmentBill2018.
This is a very tight schedule for any form of adequate consultation.
The rushed process and limited time for the Government to properly consider thousands of submissions suggest that the Government does not appear to have seriously considered the views of a broad range of stakeholders including industry and civil society groups.
And while it has been suggested that technology companies have been consulted over the last year about this Australian Bill, we suspect that: (1) only a limited range of stakeholders were consulted; and (2) the representation of technology companies during this consultation period suggests that there remain substantially unresolved and outstanding matters with this Bill.
Many other submissions have been made with similar concerns to ours (see submissions here).
What is Ai Group doing?
In addition to our recent submission to the Government (and also reported in the AFR and The Guardian), we have raised this issue with the PJCIS, as well as other relevant Ministers, Shadows and crossbench Senators.
As a sign of unified concern that Government is not taking relevant stakeholders views into account, we have joined a diverse alliance of consumer representatives, human rights organisations, industry, technology and telecommunications companies to raise our voices about the Bill.
We also plan to make a further submission to the PJCIS’s Review of the Bill and intend to testify before the PJCIS in October.
We would welcome further member feedback about the Bill and related issues by emailing firstname.lastname@example.org. Your continuing participation in our policy work enables us to advocate for the benefit of Australian industry and the broader community in the long term.
Latest posts by Charles Hoang (see all)
- Should your business be worried about the Encryption Bill? - 10 October, 2018
- Cyber security has just become more urgent on the boardroom agenda - 1 March, 2017
- New mandatory data breach notification scheme for businesses - 22 February, 2017