
Australia will be a testing ground for the “Five Eyes” powers’ attacks on encryption due to our lack of privacy protections and national security oversight mechanisms.

A bill to implement the Coalition’s attacks on encryption was introduced into parliament during its last sitting week, after a risible 10-day “consideration” of thousands of submissions the government invited on its proposals, which revolve around forcing tech companies to help install malware on devices or find other ways of “cooperating” with security agencies. The bill has gone to Parliament’s intelligence and security committee for review.

That came a couple of weeks after the domestic security ministers of Five Eyes countries (US, Canada, UK, Australia, New Zealand) met here and issued a communique, in effect saying they would impose decryption requirements on tech companies, but cloak it in the guise of “cooperation” and without using backdoors that undermine encryption for everyone. As with the government’s approach here, the detail has been left nebulous, but it is clear that the use of secretly inserted malware is central to the Five Eyes’ approach — which of course is no safer than encryption backdoors, because malware, like backdoors, can be lost or stolen and repurposed by malicious actors.

Perhaps that’s why, as US cybersecurity law expert Susan Landau pointed out last week in an incisive analysis, the statement has come from domestic security and immigration ministers and not from Five Eyes intelligence agencies. Whatever their views on encryption, senior signals intelligence officials, who are usually charged with the dual roles of stealing enemies’ secrets and protecting their own, understand that anything that undermines encryption can end up coming back to hurt you and your allies — as happened when the NSA lost a trove of malware later repurposed for a massive ransomware attack.

The government has been at pains to insist that its anti-encryption legislation will be based on similar UK legislation. The problem for the UK government, however, has been that while it remains in the European Union, its citizens are able to use the European Convention on Human Rights to defend themselves. Last month, the European Court of Human Rights struck down parts of the UK’s mass surveillance laws in response to a suit brought by an array of privacy and human rights organisations. 

Australians have no such protection, nor access to a US-style bill of rights that entrenches human rights in law and provides a case for civil society groups to take governments to court, or an equivalent to the Canadian Charter of Rights and Freedoms. As Landau noted, “Australia is the perfect candidate: the country’s lack of a comprehensive set of human rights protections means that Australia does not face the balancing requirements of privacy and civil liberties protections that the U.K. and U.S. do.”

Australia is perfect in another way. The US Congress has two intelligence committees, and although they can be partisan, they aren’t under the thumb of the executive and can pursue whatever they want, even if intelligence agencies object. While less independent, the UK Intelligence and Security Committee, especially since reforms in 2013, has a wide-ranging remit including the operations of agencies and capacity to handle highly sensitive information and cabinet material. Canada’s equivalent committee can also now examine operational matters.

Here, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) is controlled by the government and can’t examine the operations of security and intelligence agencies.

Recent moves to address this have been kicked into the long grass. Last year an intelligence review commissioned by Malcolm Turnbull shied away from real reform, recommending the PJCIS be given the power to initiate inquiries — but it would still be prohibited from looking at operational matters. In any event, the government has done nothing to progress any reform since then, except announce yet another intelligence review earlier this year.

More curious is the case of Labor. Once gung-ho for improving the PJCIS, Labor introduced a reform bill John Faulkner left behind when he retired. Turnbull had that bill killed off. But in August, Centre Alliance Senator Rex Patrick introduced the Intelligence Services Amendment (Enhanced Parliamentary Oversight of Intelligence Agencies) Bill 2018, which would add agency activities to the committee’s general review remit (subject to a ministerial veto), enabling it to pursue operational matters off its own bat.

Patrick had earlier tried to move the relevant sections as amendments to government legislation, putting pressure on the government to accept the change if it wanted its bills passed, but Labor refused to back him. Labor has now sent the bill off to an inquiry by the Senate’s Finance and Public Administration committee, where it sits in obscurity with just one submission. Perhaps Labor wants to sit on the issue until it is in government. But it’s a curious way to treat an issue it used to support.

Meantime, Australians remain unprotected from the Five Eyes’ war on privacy.
