Tim Watts MP @TimWattsMP
Ok. A third thread updating where things are at on the #aabill...
Since my last thread, the government came back to the negotiating table in the PJCIS and agreed to a series of amendments to the bill designed to prevent the issuance of Technical Capability Notices that could undermine strong encryption.
These amendments have been intensely negotiated with the government in a process that has been far from ideal, which is why Labor also secured agreement to continue scrutiny of the Bill through the PJCIS into 2019 and via the Independent National Security Legislation Monitor.
What’s the negotiated Bill about? 99% of the commentary is about the Industry Assistance provisions so let’s focus on that.
As I indicated in my previous thread on how this bill operates, despite the government’s rhetoric, the Bill, on its face, doesn’t ban strong encryption, require companies to build insecure products or outlaw maths.
Instead it creates a power for Ministers to issue a Technical Capability Notice to a company compelling it to provide assistance to give effect to a warrant.
In the past, if a law enforcement agency was investigating a crime, they could go to a court to get a warrant that would require a phone carrier to help them ‘tap’ their phones.
The Technical Capability Notice regime is intended to create a similar regime for internet communications - where possible (we'll come to the obstacles).
That’s why this Bill isn’t about creating a mass surveillance regime. It replicates the targeted surveillance of people where it is lawfully authorised by existing law enforcement or national security laws (this is a big difference to the metadata access regime BTW).
BUT doing this in the internet space is far more complicated than doing this for phone carriers.

You could easily imagine ways that govt could compel a company to provide access to a targeted user’s comms in a way that would make everyone else’s communications insecure.
On the other hand, depending on the circumstances, there might be some things that you could conceive that might give access to comms that wouldn’t require breaking end-to-end encryption maybe: wired.com/story/whatsapp… or risky.biz/bannedmath/
PJCIS focused on how you could create a regime that allowed the Minister to issue a Technical Capability Notice where it might help in giving effect to a warrant against an individual, but ensured that Ministers were not able to issue notices that damaged everyone else’s security.
To deliver on this the original bill included a provision that prevented the issuance of a Technical Capability Notice where it might create a ‘systemic weakness’.

The problem was that it didn’t define this and didn’t have safeguards for if a Minister got it wrong.
My previous thread gave some examples of the many hypotheticals we tested in PJCIS about what might be a ‘systemic weakness’ eg key escrow, mandating weaker encryption algorithms, mandating higher password rate limits etc.
Public consideration of this hasn’t been helped by the regular public contradiction of the public comments of Ministers and PMs about the Bill by the government’s own subject matter experts.
Just this week, a podcast recording of a Home Affairs official at the Crypto 2018 Workshop on Encryption and Surveillance was released, openly contradicting Malcolm Turnbull's silly war on maths comments:
"I know some of you may have heard our PM Malcolm Turnbull say that the laws of mathematics don’t apply in Australia. They very much do. And this legislation reflects that... We don’t want to undermine the laws of mathematics." lawfareblog.com/lawfare-podcas…
Most substantively, while George Brandis publicly endorsed a key escrow regime smh.com.au/politics/feder…..
Home Affairs confirmed to the PJCIS that this would be a ‘systemic weakness’ prohibited by the bill.
A big focus of the PJCIS wrangling was properly defining ‘systemic weakness’ and creating checks and balances on the Minister’s decision making in the form of a review process.
A few practical observations on this.

As I indicated in my 2nd reading speech on this bill, this means that there will be circumstances where it’s not possible to design a Technical Capability Notice that gives effect to a particular warrant.
The nature of the system used by the individual might make this impossible to do without creating a systemic weakness and the Bill wouldn’t allow the notice to be issued in this situation. A method that works in one context might not work in another or might not be enduring.
This bill can’t and won’t ‘solve’ the ‘going dark’ obstacle for law enforcement.
A few other responses to some of the online commentary I’ve seen.
The Bill doesn’t ‘break’ internet banking. You can rest assured that if it did, Parliament would have been crawling with CSOs and indeed CEOs of the banks. Instead, they didn’t even make a submission to the PJCIS.