Encryption bill could spell end of privacy

The new Encryption Bill proposes that the content of private communications be made accessible.

Things are hotting up in this modern climate of terrorism and security fears — and politicians are penning laws that are likely to directly affect our freedoms.

One of these is the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, also known as the Encryption Bill, which if passed will change the landscape for law enforcement and surveillance companies.

Despite its significance, about 200 pages of draft legislation were recently introduced with very little public consultation. An exposure draft was released to key stakeholders including the NSW Council of Civil Liberties and the Law Council of Australia, on a confidential basis, with only two weeks to respond.

The response period closed on September 14 and on September 17, clearly without sufficient time for the submissions to be fully digested, the bill passed through the Coalition party room to be introduced to parliament.

This bill comes after the metadata retention legislation that came into effect last year.

When it was being proposed, the government was at pains to emphasise that the compulsory retention of data would be restricted to “metadata” only — the time, date, place, to whom and from whom of any data.

This was to reassure us that there would be no overreach and that human rights and freedoms would not be impinged.       

Spying on private communications

Yet, only a year later, the new Encryption Bill proposes that the content of private communications be made accessible.

Typically, content is encoded. What this legislation does is provide that communications and technology companies be required to decrypt messages to make the content of private communications accessible.

There are gradations of directives that can be given under the legislation, ranging from voluntary to mandatory.

Make no mistake about it, these are radical proposals — and it’s not just human rights and civil liberties organisations that are opposed, but the communications industry itself.

The real concern is that the powers conferred by the bill go far beyond the rationale given.

As the Law Council said in its submission: “According to the Department, the Exposure Draft Bill has been developed to address threats by terrorists, child sex offenders and criminal organisations who use encryption and other forms of electronic protection to mask illegal conduct.”

The bill intends to address these threats by introducing a suite of measures that will improve the ability of agencies to access intelligible communications content and data.

But, as the Law Council points out: “The measures proposed go far beyond these threats, to include assisting the enforcement of any criminal laws in force in any foreign country, enforcing laws imposing a pecuniary penalty (being many, if not most, laws, including local government authority and council by-laws), and any exercise of any power under any law protecting the public revenue.”

There are real concerns about the broad sweep of the bill in terms of who and what it covers, as well as its impact on individual privacy and weaknesses in accountability and oversight.

The Law Council’s view is that while there is significant value to public safety in allowing law enforcement authorities faster access to encrypted information where there are real threats to national security or to prevent the commission of serious criminal offences, this should not be at the cost of our fundamental rights.

No oversight

Another recommendation to ensure there is no unreasonable interference in the fundamental human right to privacy is that there should be an express statement in the legislation that the power to request or require decryption (or an individual to facilitate opening up a password-protected device) does not displace the need for an agency to obtain lawful authority to view the content of a communication or electronic record.

The Law Council also says that the weighting of the fundamental human right to privacy should be at least as high as for existing telecommunications interception powers and powers to view content of unprotected communications.

At present, the bill permits Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs) (directives) to be issued based on the subjective view of individuals, without requiring an independent evaluation and authorisation by a judicial officer.

Given that the power to issue a directive is significantly intrusive, meaning that our private communications and private financial, health or other life records can be accessed, judicial oversight is essential.

The Law Council also believes that the purpose of “safeguarding national security” has an extremely broad scope, given that no actual laws need to be identified for it to apply.

In the circumstances where this appears to be a supplementary “top up” power for law enforcement and will have a significant effect on the fundamental human right to privacy, the Law Council believes that this should be aligned with the current definition of serious offences in the Telecommunications (Interception and Access) Act 1979, which would cover most critical matters of national security.

The definition of serious offences in section 5D of that act is useful here, as it includes acts of terrorism, sabotage, espionage, foreign interference and other serious criminal offences, as well as offences that would prejudice national security.

It is inappropriate to limit the scope of judicial review in respect of such intrusive powers, and that they should be subject to a judicial process that explicitly provides for TAN and TCN directives to be challenged before a judicial authority and set aside before compliance is required.

[Pauline Wright is a civil libertarian, NSW Council of Civil Liberties vice president and a Law Council of Australia executive member. This is an extract from a talk Wright gave at Politics in the Pub in Sydney on September 20]