The Assistance and Access Bill, or TOLA (Telecommunications and Other Legislation Amendment), is back on the agenda. After the debacle that occurred on the last day of parliament in 2018, it is up to parliament to fix the bad legislation they passed in such a hurry. The first question should be was the rush justified? We’ve seen reports of the legislation being used for what appear to be criminal cases, but there has been no news of terror cells being busted – yet if you were to believe the rhetoric from some politicians last December there was an imminent danger that needed to be addressed.
A step in the right direction
The legislation did not pass without some amendments. One such amendment covered one of the issues raised in a previous blog post, about Technical Assistance Requests (TARs) not being included in Division 7. Division 7 is the part of the legislation that imposes limitations on what can be asked for in Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs). On a positive note the amendment causes TARs to now be covered in the same way as TANs. However, there remains a gap in the restrictions.
Broadly speaking TANs cannot ask for the development of new capabilities, whilst TCNs can. More specifically, TANs explicitly prohibit the building of new capability in part 317L(2A)
“(2A) The specified acts or things must not be directed towards ensuring that a designated communications provider is capable of giving help to ASIO or an interception agency”
No such restriction exists in definition of TARs. As for TCNs they cannot ask for the development of a new capability to remove electronic protection, specifically they cannot require the listed act or thing covered by 317E(1)(a). The problem is that TARs fall between the two, they can request the development of new capabilities, and are therefore are more closely related to TCNs than TANs, but don’t include a restriction on building new capabilities to remove electronic protection (317E(1)(a)).
The amendment should have limited TARs in the same way as TCNs, not TANs. Without such restrictions, TARs can still ask for the development of new capabilities to remove encryption, and remain the most powerful tool in the legislation, with the fewest restrictions.
When is a weakness not a vulnerability?
Even with better restrictions the protection still comes down to the definition of systemic weakness or systemic vulnerability. The legislation, and the debate around it, has been dogged by ambiguity around the definition of systemic weakness. This definition is critical to the checks and balances within the legislation, and needs to be watertight to have any useful value. Unfortunately, what we have now is bordering on insane. It makes no technical sense, and quite frankly makes very little sense in terms of the English language.
One of the amendments introduced two new definitions, one for systemic weakness and one for systemic vulnerability. The two definitions are shown below:
“systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.”
“systemic weakness means a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.”
The first thing you’ll notice is that the two definitions are identical except for the word vulnerability is replaced by weakness in the latter definition, and there is good reason for that, weakness and vulnerability are synonyms. If the two were not identical it would create a conflict within the definitions themselves. This really highlights both the poor quality drafting, and the omnishambles that has been the passing of this legislation. We have a duplicate definition which is masquerading as being something different. It is completely pointless, yet is duplicated throughout the legislation.
Lacking in class
The bigger issue is that on first reading the definition it almost seems like it is providing some constraints or limitations, but when you start to look at it in more detail you realise it doesn’t actually do much at all, and could even be internally inconsistent. The definition blocks a vulnerability that affects a whole class of technology, but immediately excludes target technologies that are connected with a particular person. The first problem with that is there is no definition of what a “class of technology” even is. It is not a term that is exists in technology literature. If you search Google for that exact phrase you get only 38 results (and that is by asking to see all results including the ones Google thinks are duplicates). Of those 38, 4 are about the Assistance and Access bill, asking what on earth does class of technology mean. Several others are about someone who was in a class, about technology. (it is a shame that more politicians haven’t attended a class about technology, then maybe we wouldn’t be in this mess).
The only reasonable reading would be to assume that class of technology would be so broad as to be all Mobile Phones, or all ADSL connections, or all social media. The problem with such a definition is that no TAR/TAN/TCN could ever be issued to a single organisation that controlled an entire class of technology, since no such organisations exist. Therefore a TAR/TAN/TCN will never cover an entire class of technology. Crucially it does not state a class of technology offered by a provider. If it did, it would prevent a single provider having to weaken its entire service or network. Without such a clause it would appear that it will be perfectly legitimate to ask a telco to introduce a vulnerability to the whole of its network, since that will not cover an entire class due to other telcos not being included in the same TAR/TAN/TCN.
Obviously trying to guess what was intended by the definition is always going to be a challenge. But realistically we should assume it will be taken in its broadest sense, let’s face it, that is how it is going to be taken by an intelligence agency justifying its voracious appetite for data.
A target so big no one could miss
The problem gets worse when we look at the longer definition of target technologies, it effectively covers pretty much anything, provided it is being targeted at a particular person. For example, part a of the definition states:
“for the purposes of this Part, a particular carriage service, so far as the service is used, or is likely to be used, (whether directly or indirectly) by a particular person, is a target technology that is connected with that person;”
If a carriage service can be a target technology that would indicate our very broad reading of class of technology is correct. Since a carriage service would encompass all traffic going through a service provider’s network. As such, it would appear that the definition of systemic weakness and systemic vulnerability do not even preclude the building of bulk interception capabilities for a carriage service provider, providing at least one person of interest is using that service provider. Furthermore, the latter part of the definition of target technologies states:
“For the purposes of paragraphs (a), (b), (c), (d), (e) and (f), it is immaterial whether the person can be identified.”
Think about that for moment. If it is immaterial whether the target person can be identified, that implies that the legislation would permit bulk interception. If the individual cannot be identified it seems very much like it is not targeted. Additionally, since the definition of target technology only requires that it is likely to be used by a particular person it could be entirely speculative.
There are many other problems with the legislation, for example, does the amendment to part 3LA of the crimes act – to increase the maximum sentence for not providing assistance in gaining access to a computer to 10 years - (which is already being used/threatened) infringe on the right to remain silent?
The only thing we can be certain of is that an omnishambles does not produce good legislation.