Atlassian appeared before a Senate review of Australia’s anti-encryption law with concerns the law is harming local tech companies and that it needs a more comprehensive review and appeal framework.
A Senate review is underway evaluating the impact and effectiveness of Australia’s controversial anti-encryption laws that give spy agencies, like ASIO, the powers to compel companies to hand over encrypted messages.
The law, Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act), was passed back in December 2018 and ASIO admitted earlier this year it had successfully used the legislation within 10 days of it being in force.
Atlassian, a software management company considered one of Australia’s most successful tech unicorns, appeared at the hearing with two primary concerns over TOLA. Atlassian’s head of IP, policy and government affairs, Patrick Zhang, said the company believed the laws had a detrimental effect on Australia’s tech industry, and that a framework was needed to clear up some of the law’s ambiguities.
“It is my belief that the very rushed nature in which the TOLA bill was passed and then also the nature of the rights granted to government under TOLA have had a negative impact on the reputation of the Australian technology sector,” Zhang told the committee.
“I think the fear is that by working with an Australian company, whether by using its product or as a vendor, is that company going to be subject to orders by the government to weaken its security, or to build backdoors, that will make the product less secure and expose a weak link, if you will, in the technology supply chain.”
Atlassian says anti-encryption laws are too vague and far-reaching
Zhang pointed to two particular mechanisms of the legislation that cause the greatest concern — Technical Assistance Notices (TAN) and Technical Capability Notices (TCN).
A company can be served one of these notices by the head of an interception agency, ASIO or by the Attorney-General and the Minister for Communications at the request of the head of an interception agency or ASIO. Once served a TAN or a TCN, a company is compelled to assist with any requests for data access.
While the law does specifically state that no government ‘backdoors’ — a way for spy agencies to ‘peek’ at encrypted messages — are to be built in, it’s not clear how this encrypted data is to be decrypted.
Additionally, the justification behind these requests being made extends beyond national security investigations. ‘Serious’ crimes carrying penalties of three years or more are also included.
“Assistance may only be sought by law enforcement agencies in the course of enforcing the criminal law or assisting to enforce foreign laws in force overseas where those laws carry penalties of three or more years imprisonment,” the Home Affairs page on the law reads, adding that “this threshold does not apply to intelligence agencies”.
A clearer framework and appeals process is needed
A report conducted by the head of the country’s national security watchdog, Dr James Renwick, determined that both TCNs and TANs were in need of an independent authorisation process by a judge or someone outside of government.
Zhang and Atlassian argue, in line with Renwick’s report, that both the process of granting a TAN or TCN and the broad number of crimes that could fall under its purview mean the Act could be subject to abuse.
“We believe that the rights granted under TOLA are of the nature that it should be restricted only to the most serious instances, and so having those rights made available to crimes that are punishable by only three years imprisonment, we believe opens up the act to too many potential applications and abuses,” Zhang said.
“As much as we trust that law enforcement would not abuse those rights granted under the TOLA Act … it is difficult for an agency who is motivated to seek that information to make an assessment of the proportionality of that request … in an objective … way as can be done by an independent authority.”
Instead, the company proposes each individual request is conducted by someone outside of the spy agency or ministerial position and that a formal review and appeal process be made available.
“I think our only concern is that there is an independence from the agencies seeking the data, and that there is input opportunities … from the DCPs [Designated Communications Provider], an opportunity to appeal, and then an opportunity for technical experts to aid in the assessment of the applications,” Zhang said.
“I think those are the keystones for our position.”
The committee is expected to deliver its review by the end of September 2020.