As Encryption Bill opposition digs in, data-retention abuse a reminder of unintended consequences

Damning reports of government agencies’ ongoing misuse of investigational powers have poured fuel on the fire as concerns about the Morrison government’s planned encryption interception legislation led Labor to step away from national-security bipartisanship by declining to blindly support the new legislation.

Debate over the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 had been minimal in the wake of government decisions to publish just a small portion of the nearly 15,000 submissions lodged during the consultation process over the bill.

The bill was initially greeted with cautious optimism by industry figures who welcomed the decision not to require explicit back-doors to work around encryption controls.

But as the government accuses Labor of siding with terrorists and tries to ramrod the legislation through Parliament, it has attracted criticism from all corners – including Apple, which took the unusual step of warning that the bill is “dangerously ambiguous”; Australian security success story Senetas, which warned during recent hearings that the legislation could push it and much of Australia’s software community overseas; and the Media, Entertainment Arts Alliance (MEAA), whose chief executive Paul Murphy is concerned that the risk of snooping on encrypted conversations would have a chilling effect on investigative journalism by discouraging confidential sources from speaking out.

“Journalists increasingly rely on encrypted communications to protect the identity of confidential sources,” Murphy said. “Offering this protection is vital [and] gives whistleblowers the confidence to come forward with public interest concerns. In the absence of that confidence, many important stories will never come to light.”

Absolute power corrupts absolutely

Concerns about the Encryption Bill are heightened by recent revelations to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) that existing powers – putatively granted to law-enforcement authorities under telecommunications data retention legislation passed in 2015 – are being routinely abused by an expanding roster of authorities that were never meant to have access to the data.

Recent reports, for example, noted that more than 100 bodies are making thousands of requests for details on mobile phone users, with bodies including Brisbane City Council; the Queensland Office of Fair Trading; Bankstown, Fairfield, and Rockdale councils in Sydney; and others.

Just 22 agencies are officially supposed to be accessing the data, but the many dozens of organisations are actually lodging a reported 350,000 requests per year for the data – reflecting scope creep that many fear would be repeated in the context of the passage of the Encryption Bill.

Industry association the Alliance for a Safe and Secure Internet (ASSI) – whose membership includes a range of telecommunications industry bodies as well as privacy and pro-consumer groups such as ACCAN, Access Now, Blueprint for Free Speech, Amnesty International Australia and the Human Rights Law Centre – welcomed Labor’s “principled” decision not to cave to government pressure to fast-track the Encryption Bill.

“The powers contained within the Bill appear to have far reaching consequences that could be devastating to the security of all Australians if enacted,” the group said in a statement, “and it is important that leaders within the Government slow down and listen to the experts when they receive overwhelming evidence of the harm this Bill could cause.”

In October, ASSI released the results of a survey of 2028 Australians in which 84.8 percent of respondents said it was important or very important that anti-crime efforts shouldn’t compromise online security; 74.2 percent were concerned that increasing government cyber surveillance would compromise the security of all Australians’ data; and 80.9 percent were concerned about the powers elucidated in the Encryption Bill.

Copyright © 2018 IDG Communications, Inc.

The 10 most powerful cybersecurity companies