National Security Legislation Monitor won’t be recommending Encryption Bill repeal
Australia’s Independent National Security Legislation Monitor (INSLM), Dr James Renwick, will not recommend that the country’s encryption-busting Bill be repealed and sent back for redrafting when he turns in his report by June 30.
Renwick appeared at the Lowy Institute in Sydney before his resignation from the post of INSLM, which will occur after he turns in the report commissioned by the Parliamentary Joint Committee on Intelligence and Security (PJCIS). He took the opportunity to touch on his work to date regarding the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act).
The TOLA Act was rammed through Parliament in late 2018 and under the laws as currently written, agencies can issue:
- Technical Assistance Notices (TAN), which are compulsory notices for a communication provider to use an interception capability they already have;
- Technical Capability Notices (TCN), which are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
- Technical Assistance Requests (TAR), which have been described by experts as the most dangerous of all.
TANs and TARs can currently be approved by the head of the requesting law enforcement or intelligence agency. TCNs must be approved jointly by the Attorney-General and the Minister for Communications.
“Here in Australia, and internationally, there is great interest in, and strong views about, TOLA, which is seen as far reaching and novel in its scope,” Renwick said on Thursday.
“The short period allowed for consultation on the TOLA Bill clearly caused lingering disquiet, even anger. Some say that brevity of itself means that the TOLA Act should be repealed, with consultation to begin again, not least as a way of regaining trust.”
While Renwick appreciates the sentiment, he believes recommendations for the Bill to be repealed and re-drafted are not the way forward.
“Realistically, I do not think that is likely nor do I think it is appropriate to recommend it,” he said.
After holding hearings in Canberra last month, Renwick said his focus has been on three areas of the Act in particular.
The first is the Act’s definitions of systemic weakness and systemic vulnerability, specifically how disputes concerning the application of these statutory terms can be resolved.
The second is whether it would be more appropriate to replace the current TOLA decision-makers, which are currently the attorney-general or agency heads, with current or retired judges, assisted by technical experts who understand the effect of the exercise of particular TOLA powers on privacy and on the effectiveness of encryption.
The third is finding better record-keeping and clear statements of review rights when compulsory powers are used “so that affected people and entities can exercise those rights, including by complaining to the Commonwealth Ombudsman or the Inspector-General of Intelligence and Security”.
While Renwick said he agrees that “going dark” has created a large problem for police, intelligence, and integrity agencies, he said such activity has justified a “proportionate but not absolute legislative response”.
“I have already announced that for so long as the police have access to TARs and TANs, so should the State and Territory ICACs, who have said how important these powers are to their work in ensuring integrity in government administration, including for police,” he added.
He also said there is at least some evidence that the law is either effective or capable of being made effective, especially in relation to the powers in schedules 2-5, and for the TARs and TANs in schedule 1.
“The publicly available material does not show that TANs have been used, because requests have been complied with voluntarily, but the use of TARs shows TANs are capable of being effective,” he said.
Renwick said there is no public evidence that the more intrusive TCN, which is for the creation of a new capability, has yet been used.
“The real question for me is whether any of these powers are proportionate to the undoubted threats — especially of criminality — that exist. And the answer to that question must focus on the thresholds and safeguards for their use,” he said.