A letter to INSLM on the TOLA Act
A submission to the Independent National Security Legislation Monitor (INSLM)
In relation to the review of Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act)
The following submission is offered in good faith reflecting my views as an informed¹ private citizen. My observations are intended to reflect the concerns of an average Australian citizen with regard to the process leading to the recent passing of the TOLA Act. I point this out as I will not necessarily approach the terms of reference or scope of the review in the same manner as which may be presented by politicians, legal experts, industry representatives, human rights organisations and law enforcement agencies, as I imagine you will have many submissions from the latter group and relatively few for the former – average citizens who care deeply about the fundamental principles upon which we build and develop our society.
To frame this submission with accessible jumping-off points, I offer two quotes as general summaries of my positions: the first from British physicist David Deutsch, and the second from US President Benjamin Franklin.
“Problems are inevitable. All problems are soluble. Solutions create new problems.”² – David Deutsch
I present this quote as I believe it of vital importance to recognise that whatever outcomes we settle upon, there will be foreseen issues associated with them (the known unknowns), and unforeseen issues which will arise in the future (the unknown unknowns).
Whatever we do, there will be problems to be addressed. And every one of those solutions will bring about a new perspective upon which to approach these new problems. In our solving of problems, we should strive for objectivity (as much as is possible) and continually remind ourselves that it is upon behalf of, and for the benefit of, the people of Australia that we empower the Government of the day to make legislative decisions which impact our lives.
In crafting legislation for our nation, it is futile to expect or demand absolute perfection with regard to all future possibilities. That is a recipe for inertia, deadlock and stagnation. Our legislation must keep pace with our ways of living and should be updated accordingly. We must always consider, and seek to minimise as much as is reasonably possible, any predictable or inevitable harms which may arise from our legislative choices. And once the harms are identified, we should modify the legislation as efficiently as possible before any harm is inflicted.
“They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.”³ ― Benjamin Franklin
This renowned quote serves to remind us that we can never take our safety, nor our liberty, for granted. Whatever safety we carve out for ourselves, either as individuals or as communities/nations/societies, history has shown us that it will be, by some measuring-stick, relatively temporary in nature. Similarly, whatever rights or liberties we enshrine for ourselves, history has shown us there will be forces which seek to destroy them.
In my submission, I’ll try to not double up on many of the specific topics which I know will likely be dealt with in considerable detail by Human Rights organisations, but instead will try to offer a somewhat-personal perspective which I believe would speak to the concerns of many other informed private citizens like myself.
Overview
I have significant reservations about the legislation and the potential for harms arising from it for the following reasons:
· I believe it poses a risk to fundamental human rights;
· The technical nature of this domain creates a range of externalities which have not been adequately assessed;
· The process for drafting and reviewing the legislation was objectively inadequate;
· The legislation was critiqued and opposed by a vast majority of subject-matter experts for technical, economic and legal reasons yet the expert opinion was mostly ignored; and
· Ultimately, due to the nature of the technologies in question (computation enabling the encryption of communications), the legislation will not be able to mitigate the core risk upon which its national security imperative is claimed.
The Telecommunications and Other Legislation (Assistance and Access) Act 2018 (TOLA) as it is currently realised increases the potential for harm by undermining fundamental human rights. It will do this while also failing to deliver upon the national security narratives which were utilised in fast-tracking the legislation through Parliament.
It is my forthright opinion that the TOLA Act be repealed as it poses an unacceptable risk to our concept and realisation of fundamental freedoms.
It is my hope and expectation that the Independent National Security Legislation Monitor will recommend the same.
An Issue of Fundamental Human Rights
Australia is a modern, liberal democracy where we exercise the freedoms to express ourselves however we desire (up to the limit of inflicting harm or doing damage). That said, we don’t have any enforceable human rights established for ourselves. This is a matter which I believe to be of significant importance as we progress into the 21st century and one which must be addressed for us to maintain the models of democracy which we hold as our “current best misconceptions⁴” as to the best way to organise our societies.
As we have no constitutionally enshrined rights (such as the Bill of Rights utilised by the United States of America), we defer to organisations such as the United Nations (UN), and charters set out by the UN, for guidance on how to implement the everyday, fundamental human rights expected by our citizens.
The Human Rights (Parliamentary Scrutiny) Act 2011 defines the International Covenant on Civil and Political Rights⁵ (ICCPR) as one of the international instruments for assessing the compatibility of Australian legislation with human rights.
The most relevant clauses from the ICCPR with regard to this submission include:
Article 17
1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
Article 18
1. Everyone shall have the right to freedom of thought, conscience and religion. This right shall include freedom to have or to adopt a religion or belief of his choice, and freedom, either individually or in community with others and in public or private, to manifest his religion or belief in worship, observance, practice and teaching.
2. No one shall be subject to coercion which would impair his freedom to have or to adopt a religion or belief of his choice.
3. Freedom to manifest one’s religion or beliefs may be subject only to such limitations as are prescribed by law and are necessary to protect public safety, order, health, or morals or the fundamental rights and freedoms of others.
4. The States Parties to the present Covenant undertake to have respect for the liberty of parents and, when applicable, legal guardians to ensure the religious and moral education of their children in conformity with their own convictions.
Article 19
1. Everyone shall have the right to hold opinions without interference.
2. Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.
3. The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary:
(a) For respect of the rights or reputations of others;
(b) For the protection of national security or of public order (ordre public), or of public health or morals.
For human rights to mean anything in practice, they must be agreed upon by the relevant parties and enforceable. Alas, by taking a look around at the world around us we can say that we humans have not yet come close to ensuring fundamental rights for all people on the planet.
An attack on human rights anywhere is an attack on human rights everywhere.
There are functional relationships between rights and rational reasons why these rights must be constructed in conjunction with each other. Often, it is only through the continued enforcement of the rights as a collection that the individual rights continue to hold their efficacy. Nowhere is this more obvious than in the relationship between the rights relating to freedom of expression and the rights protecting private correspondence.
For the vision of the society I believe Australia aspires to be, it is a fundamental necessity that we strive to maximise our freedoms of expression, freedoms of speech, freedoms of the press, the rights to free assembly and other such rights which are required to ensure that we are always able to maintain the societal conversation, which is required to address issues and problems as they present themselves.
It is not irrational to be somewhat fearful of the unknown and the bad actors who might try to harm us. It is wholly irrational to ignore history and believe that building tools of state surveillance comes without risk.
It is an inescapable conclusion that we are building capability for mass surveillance which could be wielded in ways which are not currently envisaged or considered due to our relative political stability and harmonious society.
We should tread very carefully and with great trepidation when considering the building of tools and systems designed to control and mitigate the risk of bad actors, which additionally create incentives for other bad actors to exploit the tools and capability. These tools, without the appropriate constraints and oversights, risk creating a new web of influence which negatively impacts good actors caught up in the same system.
A question I pose when discussing these types of matters is as follows:
“Would you be comfortable in giving control of these tools to your ideological opponents or to people who would potentially pose a risk to your safety and security?”
A criticism of my approach here might ask “Are you suggesting our Government would turn tyrannical upon the people?”. To which I would have no answer beyond opinion and would simply have to refer to history books with questions, seeking patterns to analyse from any number of countries or periods of time. Has there ever been a tyrannical government? What were the circumstances of the time which brought about the tyranny? Are there any parallels to today?
While this question might seem outlandish, as a hypothetical it is imperative that we ask it of ourselves, because there will inevitably come a time when the turnkey tools of tyrannical totalitarianism are unleashed on the unsuspecting and we don’t have the system memory to control-z and undo our actions⁶.
The Unquantified Externalities
In regard to the externalities created by this legislation, I’ll briefly outline some high-level commentary, as to do the actual research required would require extensive time and effort (perhaps demonstrating that there should be a minimum standard besides the requirements for compatibility with human rights laws as per The Human Rights (Parliamentary Scrutiny) Act 2011).
The Australian business community, including many leading technology companies, have expressed their concerns as to the lack of consultation and also the significant negative impact experienced in the international commentary on this matter. On a personal level, I know numerous technology professionals who now hold contempt towards Australia for its quasi-Luddite approach to dealing with perceived threats.
Australian businesses selling products and services which depend on strong encryption are now considered to be of a lesser quality than our international competitors. We can give all the assurances in the world that the product or service is not compromised but people will believe what they believe. Currently the international community believes that the Australian Government is trying to undermine encryption standards because it doesn’t understand how the technology actually works. This is not a good narrative for our technology industry nor our nation in general.
Despite assurances (which can’t be guaranteed in practice) from the Department of Home Affairs that adequate protections, oversight and constraints are in place to manage risks associated with the powers derived from the legislation, I have observed no evidence which would alleviate concerns that these additional powers can actually be restrained and prevented from being abused.
In the process of passing this legislation, I did not observe any evidence⁷ which demonstrated adequate consideration was given to quantifying the impacts associated with implementing the legislation.
The Parliamentary Process
To begin highlighting my concerns about the process, I will quote⁸ Labor MP Mark Dreyfus, Shadow Attorney-General & Shadow Minister for National Security (bold indicating my own suggested emphasis for particular consideration):
The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 was introduced into the parliament on 20 September 2018. Without specifying a reporting date and without any suggestion that it was urgent for the inquiry to be concluded by the end of the year, the Attorney-General referred the access bill to the committee on the same day. Although the government claimed that it had consulted widely on the access bill before its introduction into the parliament, the public consultation was very short, especially for such a lengthy and complicated bill, running as it does to some 175 pages.
An exposure draft of the bill was published on 14 August and submissions closed on 10 September 2018. Disappointingly, it became apparent over the course of the inquiry conducted by the Parliamentary Joint Committee on Intelligence and Security that many affected organisations were hardly consulted at all before 14 August, including, extraordinarily, the government’s own Inspector-General of Intelligence and Security and the Commonwealth Ombudsman. In fact, the inspector-general and the Ombudsman told the committee that they found out about the exposure draft of this bill from media reports. A number of Australian companies also indicated to the committee that either they were not consulted by the Morrison government or, alternatively, if they had been consulted, when they had made submissions they were essentially ignored.
The committee heard compelling evidence that in the form the government introduced this bill to the parliament it could well do more harm than good. Specifically, as presented to this House, the bill could, among other things, pose a significant risk to Australia’s national security, jeopardise security cooperation with the United States and create unnecessary risks to Australian businesses and, in particular, local technology exporters.
Mr Dreyfus spoke further to the bill, outlining various concerns held by the Opposition party and closed with the following paragraph:
As honourable members would have gathered by now, this is a large piece of legislation of considerable complexity. In response to the government’s demand that consideration of it through the intelligence committee be accelerated, the Labor members of that committee—and the Labor Party as a whole in this place—have assisted in that process. The government produced draft amendments to Labor early this morning. It’s anticipated that those amendments will be moved in the Senate. On that basis, I commend the bill to this House for passage in this House—I say again on the basis that the amendments encompassing the recommendations of the intelligence committee will be moved in the Senate.
In the Senate
Senator Penny Wong, Labor Senator and Leader of the Opposition in the Senate, spoke to the bill:
The committee also heard compelling evidence that, in the form the government introduced the bill, it could do more harm than good. Specifically, as originally presented, this bill could, amongst other things, pose a significant risk to Australia’s national security, jeopardise security cooperation with the United States and create unnecessary risks for Australian business and, in particular, local technology exporters. Labor has been consulting with industry and civil society stakeholders, both through the committee process and outside, and we have negotiated with the government to give effect to many of the core concerns, and these are reflected in the recommendations and in many but not all of the government amendments. While there are significant outstanding issues, this compromise will deliver security and enforcement agencies the power they say they need over the Christmas period and ensure adequate oversight and safeguards to prevent unintended consequences while enabling continued scrutiny of the bill into 2019. These review processes provide an opportunity to resolve our ongoing concerns about the bill with the assistance of industry experts and civil liberties groups, while also upholding our responsibilities to keep Australians safe.
The Bill passed the House of Representatives and the Senate by close of business on 6 December 2018 (not without controversy given the legislative congestion on that particular day⁹). The bill passed with 173 amendments that were introduced only hours before the vote was cast. For a complex piece of legislation, this timeline either reflects remarkable expediency or a failure in oversight by the houses.
Bill Shorten, then Labor Leader of the Opposition, said on the following day:
We will seek to improve the legislation in the new year. There are legitimate concerns about the encryption legislation but I wasn’t prepared to walk away from my job and leave matters in a stand-off and expose Australians to increased risk in terms of national security¹⁰.
It is my subjective view that process and adequate oversight were neglected in letting the legislation pass. At the time (December 2018), the Government was on precarious ground in terms of its expected chance of success in the forthcoming (yet still unconfirmed) Federal election. I believe the legislation was utilised as a strategic political wedge issue as the Government knew that Labor would struggle to control the national security narrative in the lead up to the election if it was seen to oppose laws which were intended to address impending terrorist threats. It used this hesitancy from the opposition to rush through laws as there were only 10 sitting days remaining in the 45th Parliament.
I believe that much of Labor’s efforts to scrutinise the bill were offset against the requirement to stay strong on the national security narrative until such time as they were voted back into Government and could then address the bad legislation which passed on their watch as Opposition.
While much of my attention has been directed at Labor in this process, I ultimately hold the Government to account for the substandard process and resultant legislation.
The Solution Won’t Actually Work
With regard to understanding encryption protocols and how they work, the devil really is in the details but thankfully the details are mathematically verifiable. In accessible terms, modern encryption protocols are realised via some elegant mathematical equations and complex calculations. The mathematics is designed to make guessing of passwords (cracking encryption keys) impossible (or at least very difficult) but with enough computation power (which for the purposes of cracking encryption is expensive to obtain), you can make significant inroads into the probability of cracking an encrypted ciphertext.
I make the claim that competent bad actors will not be disrupted in their attempts to communicate utilising strong encryption. While the legislation can compel network providers, device manufacturers, software providers, etc. to work with the Australian security agencies, nothing can compel bad actors to not use the mathematical equations which are held in the public domain towards their own nefarious purpose.
It is a rudimentary task (well within the capability of any computer science graduate) to create a bespoke solution which would encrypt information in a manner which would ensure complete security¹¹ and appropriate protection from law-enforcement surveillance.
Why is this relevant?
As it is a relatively trivial task for a bad actor to circumvent suspected-compromised communication channels by developing their own encrypted communication tools, this legislation creates the incentive to invest the time and effort doing just that. In turn, it assigns the cost and consequences in terms of freedom, privacy and general cyber security standards to be borne by the public – the very people the legislation was intended to protect.
The legislation was found lacking from inception, and nowhere was this more obvious than in the controversy associated with the definition of systemic weakness.
Encryption in Other Countries
Australia is not the only country tackling this issue. For context, I have included an excerpt from the report “Deciphering the European Encryption Debate: Germany” by the Open Technology Institute¹³ which outlines how Germany is navigating its pathway on the encryption issue.
“The legal and political landscape of surveillance in Germany, with its history of Nazi and Stasi repression, is quite unlike that of the U.S., the U.K., or France. In contemporary Germany, data privacy laws are among the strongest in the world, government surveillance is strictly regulated, and the right to privacy is especially strong. The German government explicitly encourages its citizens to use encryption, including end-to-end encryption systems in which only the sender and recipient can decrypt the message.
However, at the same time that it supports the use of strong encryption, the government conducts widespread investigatory hacking to gain access to encrypted evidence and intelligence. To govern that activity, Germany has a complex legal regime that regulates the use of hacking to access data before it is encrypted, a framework that was amended just last month to sharply expand the government’s hacking authorities.”
Looking Back & Looking Forward
With every innovation that springs forth from the well of human ingenuity, we are potentially hastening both our ascent and our downfall. The scale and interconnectedness of our technologies means that no stone can be thrown into a pond without it rippling in every ocean across the world.
Early steps on our journey into the Information Age were led by the likes of Babbage (devised the original concept of a digital computer in 1812¹⁴), Turing (formalised the principles of the modern computer in 1936), Bardeen, Brattain & Shockley (the team which developed the transistor at Bell Labs between 1945 – 1950). For all their insight and genius, they were likely unaware of the far-reaching consequences of their discoveries.
More recently, we have seen large technology companies struggle to handle the societal responsibility of their innovations. I reference these examples to highlight our place in time in this larger epoch we call the Information Age. We are fallible and we are prone to missteps. We should never be too proud to admit such.
Technology has enabled bad actors as well as good. We must ensure that any steps we take to counter the bad actors do not inadvertently hinder (or destroy) the good actors along the way.
Summary
I believe that the legislation should be repealed in its entirety and if deemed necessary, begin the consultation process again ensuring that:
· The problem space is adequately understood and not utilised as a means for political point-scoring;
· Fundamental human rights are considered and unquestionably upheld;
· The negative externalities borne by Australian citizens & businesses are quantified and duly minimised;
· The process gives heed to all expert opinion; and
· We remain vigilant about the tools and capabilities we build as a society and how we choose to use and deploy them.
If navigating uncharted territory, taking the wrong direction can expend vital resources or deliver us to an undesired destination. Whenever I feel I may be travelling in the wrong direction, I’ve found it’s never a bad idea to stop, pull over, solicit advice, use natural & self-evident bearings and if required, retrace steps until I’m back on a known path.
I believe that in our zealous quest to mitigate the risk of bad actors who threaten our national security, we have lost sight of what it is we are fighting to keep secure.
Freedom is my highest value. I believe it to be a fundamental requirement for the human species, and the societies we create and live in, to flourish.
Yours sincerely, etc.
1 “Informed” in that I possess formal qualifications (M.Sc. Communications Systems Theory & B.Sc. Mathematical Science), professional experience in the domain of communication systems and encryption technologies, and self-directed study and personal experience in the realms of philosophy, human rights and political history.
2 The Beginning of Infinity (David Deutsch)
4 Term borrowed from David Deutsch which serves to demonstrate that every truth we have ever held as self-evident and complete, has been superseded by a better truth. As such, every
5 Introduced: New York on 16 December 1966. Signed by Australia on 18 Dec 1972 and ratified on 13 Aug 1980.
6 A bad joke but a serious concern.
7 This includes artefacts presented by the Government including Explanatory Memos and all the debate recorded on Parliamentary Hansard.
8 Hansard: House of Representatives & Senate 06 December 2018
9 “The government avoided a humiliating defeat in the House of Representatives, adjourning the chamber before it could pass migration changes backed by Labor and the crossbench. In blocking the attempt, the government was forced to postpone the passage of major energy policy.” – https://www.smh.com.au/politics/federal/bill-shorten-says-labor-achieved-half-a-win-on-encryption-legislation-20181207-p50ksx.html
10 It should also be noted that the Department of Home Affairs alluded to vague and unspecified threats which needed to be counteracted before the Christmas period.
11 There is no such thing as 100% secure, but it is possible to add many 9s to 99.999…% and make it secure for all practical and realistic purposes.
13 https://www.newamerica.org/oti/policy-papers/deciphering-european-encryption-debate-germany/
14 Copeland, B. Jack (18 December 2000). “The Modern History of Computing”. The Modern History of Computing (Stanford Encyclopedia of Philosophy).