
Why is this legislation needed if the Assistance and Access Act exists?

Could the difference be a lack of cost recovery for individuals or businesses having to implement backdoors? The new legislation[1] inserts a section 64B "Person with knowledge of a computer or a computer system to assist disruption of data" which appears to be similar to the Assistance and Access Act, but doesn't appear to allow a telecommunications carrier, data centre owner, computer repair shop, DNS hosting provider, some random contractor that worked on a software project 10 years ago and is now retired and going fishing every day to recover costs of complying with an order to backdoor something or provide advice on how to backdoor it?

[1] https://parlinfo.aph.gov.au/parlInfo/download/legislation/bi...




The political necessity of a continual stream of headlines to give the appearance of 'doing something'.

The ratcheting up of surveillance legislation whilst the opposition are absolutely impotent.

There are no practical reasons for this that have anything to do with improving life for Australian citizens as a whole.


Because the Assistance and Access Act is widely misunderstood as doing things that it doesn't.

The media drastically overreacted to that act, to the point where the Department of Home Affairs now has an entire page dedicated to addressing the false reporting [0].

The TL;DR is that the act doesn't allow the government to introduce mass surveillance. Section 317ZG [1] expressly forbids any law enforcement request from _having the effect_ of introducing any systemic vulnerability or weakness and _explicitly_ calls out new decryption capabilities as under that umbrella.

The media's widespread report that e2e encryption was dead in Australia was therefore false. The purpose of the act was more like if Facebook or Google have data that are encrypted at rest and they hold the keys, they can be compelled to decrypt it.

[0]: https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...

[1]: http://classic.austlii.edu.au/au/legis/cth/consol_act/ta1997...


Under the new legislation, section 27KP(2)e(ii) refers to MITM attacks on network traffic if it'd be reasonable for the ISP to implement, or section 27KP(2)i refers to a surveillance device being provided to the ISP which then must integrate with it for whatever purpose (MITM attack or something else).

Isn't this the purpose of the Assistance and Access Act where the ISP in question doesn't have a present ability to perform MITM attacks on network traffic, and would therefore have to build and engineer at a significant cost a new solution for law enforcement use? And once that is achieved, 27KP(2)e(ii) of this new legislation is then reasonable for an ISP to perform because the capability has been built and is now present?


I believe section 317ZK, subsection (3) of the act [0] prohibits a provider from bearing the costs of compliance. If I read correctly, the cost is negotiated between the provider and the government and the government bears the cost.

And section 317ZGA [1] explicitly puts compliance with interception warrants (which I believe are the warrants in the new bill) out of scope.

I _think_ the effort a provider has to put in to comply with the new act is primarily limited by 27KP(2)e's "reasonable" wording.

[0]: http://classic.austlii.edu.au/au/legis/cth/consol_act/ta1997...

[1]: http://classic.austlii.edu.au/au/legis/cth/consol_act/ta1997...


Perhaps I can partly answer my own question? Section 64A of the in-force Act[1] already has similar provisions for assistance to be provided by a third party in accessing a computer, copying and converting data into a format accessible by law enforcement. However, there do not appear to be current provisions for cost recovery if that assistance requires the company/person involved to dedicate significant time and expense.

Table 8 (PDF page 14) of the Surveillance Devices Act 2004 Annual Report 2019-2020[2] states that only 20 such warrants were issued in that year and 11 extensions issued, and none of them were issued as a result of international requests (PDF page 25). The report doesn't indicate how many of these 20 requests resulted in assistance needing to be provided and who needed to provide that assistance.

Given the low count (20) of computer access warrants issued and the likely nature that anyone providing assistance would be well aware of whether the request related to e.g. CSAM, I'd guess that most businesses involved may be happy to help out for free even if their business wears a small cost of complying with the order. I suspect, though, that if this Act or new types of warrants generated significant workload for Australian private sector companies, and warrants were difficult and expensive to comply with, there would suddenly be a lot of backlash.

ACMA states[3] that the private sector self-reported costs during 2019-2020 of AUD$24m related to telecommunications interception legislation and AUD$21m related to metadata retention for at least 2 years. It also reported only 8 requests to block websites (7 being ACMA wanting to block foreign gambling websites) and 17 requests for Internet/communications services being switched off.

Aside from the metadata retention laws which the private sector has reported costing $237m to implement to date (with only ~21% cost recovery from the government), the other costs of complying with law enforcement warrants appear to be fairly minimal in the grand scheme of things and are just a small consideration towards the cost of doing business in Australia.

[1] https://www.legislation.gov.au/Details/C2019C00296

[2] https://www.homeaffairs.gov.au/nat-security/files/surveillan...

[3] https://www.acma.gov.au/sites/default/files/2020-12/Telecomm...

