The dust has settled on the federal election, and advocates from all sectors are either crowing over their wins or licking their wounds. On the battleground for the internet, there is a much darker spectre looming. Over the coming year, Australia will rapidly be relegated to the backwaters of the global digital world. We will no longer have a functioning industry of security software manufacturers, nor will we have faith in the safety and security of our telecommunications systems.
The security of every digital device in homes all over the world will likely be compromised, for criminals, scammers and bored teenage hackers to play with at their whim. Situations where unknown persons miles away are able to manipulate smart home thermostats, listen in on baby monitors or remotely start cars in driveways will become more prevalent. We will see a growing distrust within the public when it comes to app updates and security patches, resulting in even more vulnerabilities and security breaches.
We may even witness an increase in foreign powers executing cyber attacks against our police forces and military, as our own government moves to compromise the very architecture of the digital world. This is the future of criminality and statecraft—a likely expansion of efforts to exploit our digital vulnerabilities.
All of this is due to the swift passage of the Assistance and Access Bill in the last sitting period of Parliament last year, which fundamentally weakened one of our key defences against such attacks. It was a disaster of both policy development and democratic process that will have far-reaching ramifications into the way that we use technology in all its forms. Worst of all, those who ushered this flawed policy into law are only now realising their mistake, and now have the unenviable job of clawing back civil liberties that could have been protected, had they listened to the widespread concerns put to them in the first place.
First mooted in mid 2017 by then Prime Minister Malcolm Turnbull as the ultimate ‘war on maths’, the Assistance and Access Bill was put forward as a way to give law enforcement the power to break into the encrypted communications of terrorists, criminals and paedophiles. This was said to be necessary because of a purportedly high number of cases in which police cannot read the messages that pass between criminal gangs and terrorists on a daily basis, a phenomenon commonly referred to as ‘going dark’.
The problem with the proposal to tackle this phenomenon is that encryption is based on maths. You cannot weaken it for one purpose without weakening it for all purposes. Any mechanism that lets an agency read a message that the sender and recipient alone were meant to read is itself a key, a code path or a hidden flaw that has to exist in every copy of the software, and has to stay secret and uncompromised forever. Even if law enforcement and intelligence agencies have a legitimate reason for wanting such access, it is not possible to build it without creating a vulnerability that others can find and exploit later. Turnbull’s frankly moronic remarks only highlighted the poverty of our political class. Strong encryption is incompatible with laws that are designed to weaken it. Turnbull may claim that the laws of mathematics do not apply in Australia, but what he really means is that the laws of logic do not appear to apply in politics.
The laws in question consist of several lengthy and complex documents, as most legislation tends to, but the most controversial aspects are contained in Schedule 1. It creates a graduated set of instruments: technical assistance requests (nominally voluntary), technical assistance notices and technical capability notices (both compulsory). Together they allow police and national security agencies to call on companies to assist them in carrying out their duties in an almost limitless way. An agency (which ranges from the Northern Territory Police Force to the Australian Secret Intelligence Service) can require almost anyone who provides a communications service or hosts a website to do almost anything, from installing software on a target’s device to handing over their source code. Failing to comply with a notice issued under this schedule exposes a company to substantial civil penalties, and disclosing that a notice even exists is a criminal offence punishable by imprisonment.
There are limitations on this, but they are little more than window dressing. The legislation says that an agency cannot require a company to build a ‘systemic weakness’ or ‘systemic vulnerability’ into its products. Whilst this is nice to say, it is near impossible to enforce meaningfully. The definition added in the final amendments turns on whether a weakness affects a ‘whole class of technology’, and expressly excludes a weakness that is ‘selectively introduced’ into the technology used by a particular target. Yet today’s technology architecture relies on shared systems to compute, share information and connect thousands of users, so a weakness introduced for one target is very often a weakness in the same code path and the same infrastructure that every other user depends on.
In global terms, this is a highly significant law. Such a law would struggle to pass muster in the United States, not least because the First Amendment has been argued to bar the compelled ‘speech’ of writing or disclosing code. The United Kingdom is similarly constrained by various protections of rights, domestically and at a European level. Australia was the perfect place to introduce these laws because, unlike virtually every other liberal democracy, we do not have a bill of rights.
It’s virtually unprecedented. The equivalent regime in the UK is limited in various practical and significant ways and, critically, involves judicial oversight: a technical capability notice there must be approved by a Judicial Commissioner before it can be issued. There is no equivalent step under the Australian law. A technical assistance notice is issued by the head of the agency itself, and a technical capability notice by the Attorney-General. The agency must point to an underlying ‘warrant or authorisation’ that the notice supports, but no judge ever sees how the agency plans to execute it.
The concept of pre-existing authorisation is being utilised quite sneakily here, in combination with another surveillance law passed in 2015. Australia’s mandatory metadata retention regime allows agencies to obtain a person’s metadata without a warrant; the law simply gives them the authority to request it. With no judge necessary, law enforcement agents can tie a metadata request up in a pretty bow with the Assistance and Access powers. If an agency wanted to obtain the metadata, for example, of a journalist’s source, it could use powers under the Assistance and Access Act to have software installed on the journalist’s phone, relying on the metadata authorisation as the underlying basis. There would be no need to go before a judge at all.
Of course, law enforcement agencies need to have all the necessary tools to do their job and protect the populace from threats large and small. But the situation amidst the encryption debate is different. We’re not talking about a targeted interception with pinpoint accuracy that will magically give the Feds the ability to listen in on a terrorist’s mobile phone. In end-to-end encryption the provider never holds the keys, so giving an agency access means altering the client software or the key distribution that every user runs. By its very nature it requires a system-wide intervention that compromises the security of everyone who uses the same technology. For everyone. Everywhere.
The best way to illustrate this is with an example. The WannaCry ransomware attack of May 2017 compromised hundreds of thousands of computers in more than 150 countries. It spread on its own by exploiting a vulnerability in the SMB file-sharing component of Microsoft Windows, and once inside a machine it encrypted the user’s files and demanded a ransom to release them. The attack threw the National Health Service into chaos, with ambulances diverting and staff unable to access medical records. The United States, United Kingdom and Australian governments later attributed it to North Korea. But there is a deeper story to this episode.
Microsoft claimed in a company blogpost that the National Security Agency had discovered the vulnerability well in advance of the attack. However, instead of disclosing it to Microsoft to patch, and therefore better protect users against the risk of such exploitation, the NSA kept it to itself. Experts argue that the NSA was using the vulnerability for its own purposes; that these kinds of weaknesses form a kind of digital arsenal that agencies can use in cyber warfare.
The problem was that at some point the NSA’s exploit for the vulnerability was stolen. In April 2017 a group calling itself the Shadow Brokers published it online, and within a month it had been bolted onto WannaCry. This was entirely predictable: such a vulnerability is a highly valuable commodity in the cyber underworld. Microsoft had issued a patch in March 2017, reportedly only after the NSA, realising its tools had been compromised, finally told the company the vulnerability existed. The President of Microsoft, Brad Smith, was highly critical of the whole affair:
‘Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today—nation-state action and organized criminal action.’
The Australian law not only allows agencies to exploit similar vulnerabilities, it gives them the power to create them. It facilitates the exact nation-state action that Microsoft identifies as one of the most serious threats to cybersecurity. To be fair, the powers under the Australian law cannot be used to prevent a company from repairing such a vulnerability. But to be equally fair, this means very little in practice. The NSA had no need for a power to stop Microsoft patching the problem, for the simple reason that for years it never told Microsoft the problem existed.
The lesson of the WannaCry attack is that agencies prioritise their own interests above the security of our digital infrastructure. That infrastructure is now critical to many activities in our everyday lives, from healthcare to banking to public transit and the management of the electricity grid. Now that agencies have powers to create tools that weaken encryption, we face the risk that those tools will be stolen. We are also required to trust that these agencies will behave responsibly, which places the individual member of the public (and their right to privacy) at considerable risk.
Enforcement and intelligence agencies may well be pursuing dangerous criminals on a daily basis. Their reluctance to discuss these things openly may be strategically understandable, but it does not absolve them of accountability. In this context, it is perfectly reasonable to point out that these agencies already have considerable powers at their disposal to deal with the threat of terrorism. The claim that strong encryption has hampered their efforts to do their job has not been justified in any meaningful way, neither through the inquiry into the Assistance and Access Bill nor in any other public arena. There have been countless private briefings of politicians, but the public is left in the dark, presumed to be gormless and untrustworthy. National security is supposedly for our spy agencies to be responsible for, whatever the cost, and the public are so often denied the right to a mature conversation about the risks facing us collectively.
This is not only patronising, it’s dangerous. Protecting our digital infrastructure, which strong encryption does, is critical to our economy and society. Introducing threats to that protection, which this Bill undoubtedly does, puts us all at risk. Policy making in the national security sphere is less and less democratic, and almost entirely lacking in accountability and transparency.
The politics of the situation must also be considered, as national security policy is batted back and forth between both major parties in dark rooms. The Coalition likes to use incendiary talking points on this topic because it is one of the only issues that stands between it and electoral oblivion. Combatting this, the Labor party seems obsessed with making itself a small target and kowtowing whenever the spectre of terrorism is dangled in front of it. Ultimately, the public interest is left out of the conversation quite deliberately, and increasingly, the public is left with the consequences.
Politicians and agencies love to talk about protecting national security but in this case, they have dropped the ball. Our national security depends on strong encryption, and this bill has the potential to put us all at increased risk. Encryption is not a barrier to a safe society—quite the opposite—it is a form of protection against criminal acts, including state-sponsored hacking. It is an important line of defence against bad actors, and we weaken it at our peril.
Outside of the political class, the only people who were in favour of these reforms were those who gained powers from them. Virtually every major tech company, and most of the local industry, were strongly opposed, as well as civil society. Over the intense period in which this Bill was discussed before its passage, this chorus of opposition sought to point out that it is a mistake to presume that increased powers for such agencies is synonymous with national security.
These arguments are not new, nor are they particularly sophisticated for anyone with a passing understanding of how digital technology works. It would be nice to think that our lawmakers know not what they did, because on almost any read it is unjustifiable.
The history of this law can give us some insight into the troubles that plague our social democracy when it comes to digital rights and cybersecurity. It was nothing short of a deeply worrying and shambolic failure of democratic process. After months of testing the waters on possible approaches through media statements, the Home Affairs department announced an incredibly truncated ‘consultation’ on the exposure draft of a Bill. Diligently, members of civil society set to work, pointing out the various flaws in the proposal in lengthy submissions. This was accompanied by widespread and significant opposition from industry, the academy and civil society.
Nonetheless, less than two weeks after the close of submissions, the Turnbull government introduced a largely unchanged Bill to the Parliament, which was immediately referred to committee. The function of a Parliamentary committee is to collect evidence, hear from experts, assess the impacts and provide the Government of the day with impartial, measured and well-researched feedback. Unfortunately, the constant power struggles between our two major parties over decades has fundamentally changed this system from its original intention to one of laughable relevance.
The committee in question is the Parliamentary Joint Committee on Intelligence and Security (PJCIS), and it is rare to find evidence of either of those two words making an appearance anywhere near one of these hearings. The PJCIS has operated under a ‘gentleman’s agreement’ of bipartisan support for matters of national security for well over a decade, which in regular parlance means that if the word ‘terrorist’ is uttered, everyone bends over backwards to push the legislation through as fast as possible.
We’ve been here before, with the mandatory metadata retention scheme that sailed through Parliament with Labor happily patting it on its way. This bipartisanship has allowed a scaremongering Coalition Government to grant law enforcement huge, unchecked powers that will undoubtedly be inherited by future Labor Governments who are highly unlikely to wind them back. Even if such bipartisan consensus was considered appropriate ‘for the good of the nation’ at some point in the past, it definitely is no longer. It now represents a serious threat to our democracy.
The PJCIS sat and heard the evidence put to them, and there can be no mistake that it was overwhelmingly negative. The scale and diversity of this opposition was also unprecedented—it included human rights organisations, trade unions, cryptographers, academic security experts, business and industry groups, technology companies and telecommunication providers. This damning evidence could not have been clearer—that the significant negative ramifications of this Bill far outweighed the purported need.
The committee heard from Frank Galbally, Chairman of cybersecurity company Senetas, who highlighted the disproportionate nature of the legislative drafting. In a compelling appearance, in which he comfortably batted away every Coalition talking point with calm authority, he submitted that the Bill ‘is the equivalent of dropping an atom bomb in order to find some nefarious character.’ He also went as far as pointing out that Australian law-makers are attempting to succeed where others with considerably larger resources have failed:
‘The National Security Agency of the United States has had its systems hacked into and tools stolen. The tools have been available for sale on the dark web and have been used for hacking into systems. [Just last night we saw] yet another tool from the NSA hacking into routers, exposing millions of devices to attack. If the NSA can be broken into, I guarantee any agency in this country will be broken into.’
His concerns are shared by global tech giant Apple, whose warning to the Committee was similarly singular:
‘This is no time to weaken encryption. There is profound risk of making criminals’ jobs easier, not harder. Increasingly stronger—not weaker—encryption is the best way to protect against these threats.’
Strong criticism was heard from John Stanton, CEO of the Communications Alliance, which counts Telstra, Optus and Vodafone among its members, as he explained that the legislation ‘sets a disturbing first-world benchmark and poses real threats to the cyber security and privacy rights of all Australians.’ Even the United Nations weighed in, with the Special Rapporteur on the Right to Privacy Joe Cannataci stating that it ‘enables gross invasions of privacy [and the Australian Government] has not substantiated the need for this Bill.’
Too often, questions on digital issues are perceived as too technically complex for the public to understand. Lazy arguments are made about how everyday people couldn’t possibly care about their privacy because to do so would be the height of hypocrisy when they happily log on to Facebook. But the experience of this bill showed that this view is increasingly out of touch. The Australian public expressed their concern about this proposal in considerable numbers. Facilitated through our own organisation’s efforts to inform and educate the public, a total of 14,981 people personally wrote to the Home Affairs department, speaking out in defence of strong encryption and their right to communicate and use digital technology securely.
Polling undertaken by the Alliance for a Safe and Secure Internet found that 84.8% of Australians surveyed believe it is important that anything the Government does to combat crime should not create weaknesses in Australia’s online security systems nor make it easier for criminals and terrorists to cause further harm to everyday Australians. The idea that people don’t care about their privacy, or don’t understand its relationship to cybersecurity, can only now be reserved for the most lazy and supercilious of observers.
The Australian public are not dupes who think that fear mongering around terrorism justifies compromising our digital infrastructure. They are prepared to entertain public discussions about how to manage the work of agencies in ways that build a culture of respect for rights. But none of this is possible in a context in which major parties feel entitled to make these decisions on behalf of the public, without meaningful scrutiny or accountability.
A coalition of civil society organisations and human rights experts, including Digital Rights Watch, also fronted the committee members, to provide a digital rights perspective and to convey the thoughts of the members of the public who have joined our campaign against the proposal. We urged the committee, particularly the Labor members, to recognise the strong and considered feedback that was provided to them – and for a moment, we thought this message had been heard.
Even we were surprised when, for a fleeting moment, the Bill appeared to break the tradition of bipartisanship on national security matters. The Labor Opposition started to talk tough. Back benchers were speaking openly about the flaws with the bill, and Senator Penny Wong and Shadow Attorney General Mark Dreyfus, both members of the Committee, began to start speaking their minds about the problems with the drafting. The Opposition publicly indicated it was going to file a dissenting report on the Committee.
This may sound like points scoring in the detail of politics, but the fact is that it’s never happened before. Dreyfus responded to the overwhelming criticism leveled at the Bill throughout the committee process. He pointed to the outrageous level of political interference in this inquiry, with comments conflating terrorism with encryption in the media from the Home Affairs Minister, the Prime Minister and even from the Chair of the Committee Andrew Hastie himself. He called for a rethink over how the legislation had been approached, and warned that the Government could no longer rely on Labor’s support to have it passed.
As you might expect, this caused uproar amongst the relevant Government Ministers. How dare Labor point out all the very valid flaws in this legislation! They must be on the side of the terrorists. They must want child sex offence rings to be able to operate under the cover of encrypted communications. They don’t want to protect Australian citizens! On that Friday afternoon we witnessed our Westminster adversarial political system produce dividends, and we saw light amidst the madness—an opposition willing to question a Government over its approach.
How long did this stance last? Four days. Late on a Tuesday afternoon, in the final Parliamentary sitting week of the year, Labor changed its tune. It began crowing about its willingness to find a compromise that would provide the powers law enforcement so desperately needed before Christmas. This, of course, was a laughable idea given that almost none of the powers could be meaningfully implemented and used in the few short days before Christmas. But the idea that this was essential to our national security took on a zombie-like quality, surviving logical attacks and the weight of morally sound and politically sensible arguments.
The major parties began negotiating, behind closed doors. Such talks bore little in the way of tangible outcomes: there were some small changes around oversight mechanisms that allowed Ministers to rule on the use of powers, and a commitment to review the legislation in 2019. None of this was particularly significant in the context of the Bill, a point so clear that the Labor party barely attempted to gain political mileage from it. The reality, clear to everyone, was that the Labor party had been presented with the spectre of terrorism and did what it always does in these contexts: it sacrificed the human rights of ordinary Australians on the altar of the surveillance state. Around midday on Thursday, the Bill passed the lower house, with the Greens’ Adam Bandt and Independent Andrew Wilkie the lone voices of opposition. All the backbenchers who, not days before, had openly highlighted the flaws of the bill (and supposedly their tech and progressive credentials by doing so) voted for it.
Now, to be fair to Labor, they claimed that they had an agreement with the Coalition for amendments to be introduced in the Senate. But this is when the true political circus broke out. For this to happen, the bill would need to pass the House of Representatives a second time, as amended. However, as the House of Representatives prepared to finish for the year, there was another major piece of legislation slated for it to pass in the final hours: the Labor and crossbench medevac bill to expedite medical transfers of sick people held in offshore detention on Nauru.
The Government found itself in a predicament: it did not want to have the medevac bill put to the House for fear it would lose the vote, and yet the ‘urgent’ encryption Bill would need to be passed again in an amended form if it was to be made law before Christmas. With the clock ticking down, the Government members of the House filibustered, wasted time, quibbled and even called for extra time to go to the bathroom or to wish their colleagues a Merry Christmas. Time ran out, saving the Government the embarrassment on refugee policy.
This left the Assistance and Access Bill stranded in the Senate. The Labor amendments were proposed, and debate was underway. With the Greens’ support, the Bill could have been passed by the Senate (including the much needed amendments) and put on a waiting list, to be passed by the House of Representatives at the next sitting. It was at this point that Bill Shorten started playing games, demanding Coalition MPs return to the House to pass the un-amended Bill. A Bill that his own members had been publicly criticising days prior.
It would be nice to think that Labor held its nerve, or was forced into some kind of impossible position as a result of the numbers but neither are true. The truth is that Labor got played, and that it lacks a political spine. It withdrew its amendments and the Bill passed the Senate and into law. We are now saddled with an Act that is by all measures highly dangerous and widely considered a collection of very bad laws.
It is as Orwellian as it is vaudevillian to witness this disgraceful behaviour play out in our Parliament. The sobering reality is that the comedic absurdity of politics will fast transition to severe ramifications as these laws are implemented, despite any assurances from both government and opposition over last minute additional oversights and balances that are weak at best, and dangerous at worst.
We have seen something come of the rather odd (and entirely un-Parliamentary) ‘promise’ that Labor secured from the Government to revisit and review the legislation in the new year, after passing it in such a rush before Christmas. The Assistance and Access Act was re-introduced to the workload of the PJCIS, and Labor amendments were tabled in the Senate. But as the clock ticked down yet again on the Parliament’s February sitting calendar, the debate was abandoned and there they still sit – unfinished and unagreed by the chamber.
It’s been years since this legislation was first proposed, and the entire ordeal has taught us a few things. Not least of which is that an increasing lack of faith in our political system is entirely warranted, and that our collective hope that this system would ever deliver anything for the good of the Australian people was naive at best.
It’s clear that experts, specialists and people with detailed knowledge of their field are constantly and systematically disrespected and disregarded by those in politics. Their voices are not valued, and their expertise even less so. Even on matters where an actual technical impossibility stands in the way of a government’s agenda, this is swept aside in favour of cheap rhetoric and crisp soundbites. The party political system is failing Australians.
The fear mongering over terrorism and crime that pervades our media and Parliament will continue to darken our democratic concept of debate and analysis. The utterance of simple phrases such as ‘terror threat’ or ‘national security’ will be used as a proxy for the introduction of huge new state powers that would be condemned if a despotic regime introduced them, and yet are inexplicably accepted in a developed democracy like Australia.
Most depressing of all is the knowledge that we may never enjoy a democratic Parliament that operates as a true check and balance against the powers of those in office. Unless we address the precedents of ideological interference in our committee system, not to mention this deeply broken concept of bipartisanship on national security issues, we will continue to see an erosion of our human rights by successive governments from the two-party system.
Any member of the Parliament should be asking themselves what they can do about this mess. Civil society, academia and industry did their best to introduce logic and reason into the public debate, but this is not possible while the major parties allow their policies to be stewarded by the surveillance state. Our objective is now to make these discussions mainstream, to serve as a memory for the public that can help them hold their representatives accountable. We are prepared to work with pretty much anyone who shares this objective, including and especially members of major parties, but this requires that they no longer turn such a willing blind eye to such serious threats to our democracy.
The most fitting analogy is perhaps with nuclear proliferation. The surveillance state is claiming powers for itself that put us all at risk, and they are using pliant politicians to do their bidding. Cyber warfare is in our future, whether we like it or not, and one of our best protections against this is strong encryption. By using powers to create vulnerabilities in encrypted data flows, the surveillance state are building the digital equivalent of atom bombs. They may be useful against enemies, but they also risk our own destruction.
Our collective future should be one that embraces the opportunities that are presented by technology. We need a robust form of digital peace, where cybersecurity is recognised as a form of protection against attacks. Instead, this encryption legislation will only push us backwards—a direction in which both major parties seem determined to see our nation head.
Tim Singleton Norton and Lizzie O’Shea are founding directors of Digital Rights Watch.