Hastily written tech laws threaten online privacy and security

April 12, 2019
Australia is leading the world with its bad cyber security laws.

Politicians are generally pretty bad at understanding information technology (IT) and the internet, especially when it comes to legislation. But Australia’s parliament is leading the world in terms of bad laws that affect technology.

From the 2017 metadata retention laws to the social media laws passed in early April following the New Zealand far-right terror attacks, federal parliament has approved several hastily written bills that put onerous requirements on the IT industry while undermining online privacy, security and civil liberties.

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act (TOLA), also known as the encryption bill, which was passed on December 6, is no different.

It has been widely criticised by civil libertarians and industry bodies for being too vague in its definitions, overly onerous on IT and telecommunications companies and ushering in unprecedented powers that allow intelligence agencies to spy on citizens.

Greater powers

The government’s justification for TOLA is that “secure, encrypted communications are being used by terrorist groups and organised criminals to avoid detection and disruption”. Under the new law, enforcement and security agencies now have greater powers to compel IT companies to give them access to the encrypted data of criminal suspects.

TOLA is based on the British Investigatory Powers Act 2016, nicknamed the Snoopers' Charter, which was passed amid the turmoil of the Brexit debate.

Commenting on the Snoopers’ Charter on Twitter in 2016, former CIA whistleblower Edward Snowden said Britain had “just legalised the most extreme surveillance in the history of western democracy. It goes further than many autocracies”.

It is worth noting that while Britain remains part of the European Union, its citizens are protected against potential privacy breaches and government overreach by the EU’s Charter of Fundamental Rights. Australia has no such protections.

Writing about TOLA on August 17, digital rights group Electronic Frontier Foundation international director Danny O’Brien said it would require IT operators “to comply with broad and secret government orders, free from liability, and hidden from independent oversight. Software could be rewritten to spy on end-users; websites re-engineered to deliver spyware...

“Australia seeks to give its law enforcement, border and intelligence services, the power to order the creators and maintainers of those tools to do ‘acts and things’ to protect ‘the interests of Australia’s national security, the interests of Australia’s foreign relations or the interests of Australia’s national economic well-being’.

“The ‘acts and things’ are largely unspecified — but they include enabling surveillance, hacking into computers, and remotely pulling data from private computers and public networks.”

Rammed through parliament

The Coalition brought the encryption bill to the vote on the final day of the 2018 parliamentary sitting year.

However, keen to avoid an embarrassing vote on the Medevac bill, which sought to allow asylum seekers on Nauru and Manus Island to receive medical treatment in Australia, the Coalition adjourned the sitting early, cutting off time for discussion and amendments.

Labor had several proposed amendments, based on 17 recommendations made by the bipartisan Parliamentary Joint Committee on Intelligence and Security (PJCIS), which would have softened some aspects of the legislation. But it ultimately withdrew them and voted to pass the bill unamended.

At the time, Labor leader Bill Shorten said: “We will pass the legislation, inadequate as it is, so we can give our security agencies some of the tools they say they need.”

Speaking at an IT industry forum in Sydney on March 27, shadow digital economy minister Ed Husic called TOLA “terrible”, but explained that Labor had allowed the bill to pass unamended because there might have been an “attempt by the other side of politics to blame us if, God forbid, something should happen”.

Industry opposition

In a joint submission to a second PJCIS inquiry, the Communications Alliance, the Australian Industry Group, the Australian Information Industry Association, the Australian Mobile Telecommunications Association, the Information Technology Professionals Association and the Digital Industry Group Inc — which is made up of major IT companies, including Google and Facebook — reiterated the industry’s concerns regarding TOLA.

The submission calls for additional changes to TOLA, saying: “As was manifestly clear in the lead-up to the relevant sittings of the House of Representatives and the Senate, the government amendments were drafted in haste in an overnight session and were distributed only in the early hours of 6 December.

“Almost inevitably, there remain, in our view, significant problems with the amendments and other elements of the legislation. Many of the amendments are difficult to understand or interpret, appear unlikely to remedy the problems identified by Industry and/or exhibit omissions which need to be addressed.”

The submission points out where the ambiguous definitions run into trouble. For example, it notes that TOLA is unclear on what constitutes a “class of technology” and whether “class” would apply to “all mobile handsets, or Android phones, but not iPhones, or the mobile handsets offered by one service provider but not another or some other combination of factors”.

Communications Alliance CEO John Stanton said on January 23: “This bill was rushed through parliament in flawed condition and we look forward to the government honouring its public commitment to have further amendments considered, in the interests of the cybersecurity of all Australians”.

Endangering security

Law enforcement and security agencies are already able to access a suspected criminal's computer, data, phone and emails under existing laws. Where they run into trouble is when the data or communication is encrypted.

The problem with the approach taken in TOLA is that there is no way to make encryption weaker solely for intelligence agencies or law enforcement. If a vulnerability is introduced for them it will exist for anyone, making that software a potential security risk for all users.

A review of the bill has been sent to the Independent National Security Legislation Monitor, though it will not report back to parliament until March 1 next year. This means that whichever party is in government after the coming elections can delay amending TOLA for at least a year.

Until then, TOLA remains in place, unamended, providing intelligence and law enforcement agencies with these new powers, ambiguous as they are and with no judicial oversight.

Even if TOLA is amended, it would still be one of the most overreaching and draconian laws applied to the internet in the world. It sets a terrible precedent for other countries looking to spy on their own citizens.

That is why some groups are calling for TOLA to be repealed.

That both major parties are more than happy to rush through legislation at the expense of online rights and privacy also highlights the need for a bill of rights to protect against government overreach, privacy breaches and spying on its own citizens.
