Division Description Changes — Bills — Telecommunications and Other Legislation Amendment (Miscellaneous Amendments) Bill 2019; in Committee — 14th Feb 2019

Change	Division
senate vote 2019-02-14#3 Edited by mackay staff on 2019-03-14 17:29:25	Title Bills — Telecommunications and Other Legislation Amendment (Miscellaneous Amendments) Bill 2019; in Committee Telecommunications and Other Legislation Amendment (Miscellaneous Amendments) Bill 2019 - in Committee - Definitions Description ~~<p class="speaker">Jenny McAllister</p>~~ ~~<p>I move opposition amendment (1) on sheet 8642:</p>~~ ~~<p class="italic">(1) Page 9 (after line 8), at the end of the Bill, add:</p>~~ The majority voted in favour of [amendment (1) on sheet 8642](https://www.openaustralia.org.au/senate/?id=2019-02-14.22.1), which was introduced by NSW Senate [Jenny McAllister](https://theyvoteforyou.org.au/people/senate/nsw/jenny_mcallister) (ALP). ### What does this amendment do? [Senator McAllister said](https://www.openaustralia.org.au/senate/?id=2019-02-14.22.1) that the amendment related to the definitions of 'systemic weakness' and 'systemic vulnerability' and explained that: > ... stakeholders were concerned that the protection in the bill which prohibits an agency from forcing a provider to implement any kind of systemic weakness or systemic vulnerability is inadequate because those terms are not defined. > The government sought to address that in their amendments to their own bill in December last year, but the government's amendments have been condemned as difficult to understand, ambiguous and significantly too narrow. ... > The amendments before us now would repeal the systemic weakness definitions that were introduced by the government and give clear legislative effect to the advice provided publicly by the Director-General of ASIO. Our amendments are supported by the main industry groups ... > The critical paragraph on sheet 8642 is to amend 317ZG(4) to include this phrase: >> (4) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to any act or thing that would or may create a material risk that otherwise secure information would or may in the future be collected, accessed, used, manipulated, disclosed or otherwise compromised by an unauthorised third party. > These changes seek to protect the information of innocent people ... ### What does this bill do? The [bill](https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;query=Id:legislation/billhome/s1178) was introduced to: * speed up the mandated review of the operation, effectiveness and implications of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 by requiring that it take place before the end of the 18 month period beginning on the day the Act received Royal Assent; and * extend the definition of 'interception agency' to include the [Australian Commission for Law Enforcement Integrity](https://en.wikipedia.org/wiki/Australian_Commission_for_Law_Enforcement_Integrity), the [Independent Commission Against Corruption of New South Wales](https://en.wikipedia.org/wiki/Independent_Commission_Against_Corruption_(New_South_Wales)), the [New South Wales Crime Commission](https://en.wikipedia.org/wiki/New_South_Wales_Crime_Commission), the [Law Enforcement Conduct Commission* of New South Wales](https://www.lecc.nsw.gov.au/what-we-do/who-we-are-and-what-we-value/who-we-are-and-what-we-value), the [Independent Broad-based Anti-corruption Commission of Victoria](https://en.wikipedia.org/wiki/Independent_Broad-based_Anti-corruption_Commission), the [Crime and Corruption Commission of Queensland](https://en.wikipedia.org/wiki/Crime_and_Corruption_Commission), the [Independent Commissioner Against Corruption (SA)](https://en.wikipedia.org/wiki/Independent_Commissioner_Against_Corruption) and the [Corruption and Crime Commission (WA)](https://en.wikipedia.org/wiki/Corruption_and_Crime_Commission).* ~~<p class="italic">Schedule 3—Systemic weakness or systemic vulnerability</p>~~ ~~<p class="italic"> <i>Telecommunications Act 1997</i></p>~~ ~~<p class="italic">1 Section 317B ( definition of <i>electronic protection</i> )</p>~~ ~~<p class="italic">Repeal the definition.</p>~~ ~~<p class="italic">2 Section 317B ( definition of <i>systemic vulnerability</i> )</p>~~ ~~<p class="italic">Repeal the definition.</p>~~ ~~<p class="italic">3 Section 317B ( definition of <i>systemic weakness</i> )</p>~~ ~~<p class="italic">Repeal the definition.</p>~~ ~~<p class="italic">4 Section 317B ( definition of <i>target technology</i> )</p>~~ ~~<p class="italic">Repeal the definition.</p>~~ ~~<p class="italic">5 Section 317ZG</p>~~ ~~<p class="italic">Repeal the section, substitute:</p>~~ ~~<p class="italic">317ZG Designated communications provider must not be requested or required to implement or build a systemic weakness or systemic vulnerability etc.</p>~~ ~~<p class="italic">(1) A technical assistance request, technical assistance notice or technical capability notice must not have the effect of:</p>~~ ~~<p class="italic">(a) requesting or requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability; or</p>~~ ~~<p class="italic">(b) preventing a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability.</p>~~ <p class="italic">(2) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to implement or build a new decryption capability.</p> <p class="italic">(3) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to one or more actions that would render systemic methods of authentication or encryption less effective.</p> <p class="italic">(4) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to any act or thing that would or may create a material risk that otherwise secure information would or may in the future be collected, accessed, used, manipulated, disclosed or otherwise compromised by an unauthorised third party.</p> <p class="italic">(5) The reference in subsection (4) to otherwise secure information includes a reference to the information of, about or relating to any person who is not the subject, or is not communicating directly with the subject, of an investigation to which the relevant technical assistance request, technical assistance notice or technical capability notice relates.</p> ~~<p class="italic">(6) The reference in subsection (4) to an unauthorised third party includes a reference to any person other than:</p>~~ <p class="italic">(a) the person who is the subject of, or who is a person communicating directly with the subject of, an investigation to which the relevant technical assistance request, technical assistance notice or technical capability notice relates; or</p> ~~<p class="italic">(b) the person that issued, or asked the Attorney-General to issue, the relevant technical assistance request, technical assistance notice or technical capability notice.</p>~~ ~~<p class="italic">(7) Subsections (2), (3) and (4) are enacted for the avoidance of doubt.</p>~~ <p class="italic">(8) A technical assistance request, technical assistance notice or technical capability notice has no effect to the extent(if any) to which it would have an effect covered by paragraph (1)(a) or (b).</p> ~~<p class="italic">6 Application provision</p>~~ <p class="italic">Section 317ZG of the <i>Telecommunications Act 1997</i>, as amended by this Schedule, applies in relation to a technical assistance request, technical assistance notice or technical capability notice given on or after the commencement of this Schedule.</p> <p>I foreshadowed this amendment in my second reading speech. It goes to the definition of systemic weakness, which this was a core issue in the material that was presented to the committee during our hearings. Essentially, stakeholders were concerned that the protection in the bill which prohibits an agency from forcing a provider to implement any kind of systemic weakness or systemic vulnerability is inadequate because those terms are not defined.</p> <p>The government sought to address that in their amendments to their own bill in December last year, but the government's amendments have been condemned as difficult to understand, ambiguous and significantly too narrow. In fact, technology experts Dr Chris Culnane and Professor Vanessa Teague have described the government's amendments as an abomination.</p> <p>The amendments before us now would repeal the systemic weakness definitions that were introduced by the government and give clear legislative effect to the advice provided publicly by the Director-General of ASIO. Our amendments are supported by the main industry groups, and I named those groups in my second reading speech. By contrast, we are not aware of any non-government organisations or individuals who support the government's amendments on this issue.</p> ~~<p>The critical paragraph on sheet 8642 is to amend 317ZG(4) to include this phrase:</p>~~ <p class="italic">(4) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to any act or thing that would or may create a material risk that otherwise secure information would or may in the future be collected, accessed, used, manipulated, disclosed or otherwise compromised by an unauthorised third party.</p> ~~<p>These changes seek to protect the information of innocent people, and I commend the amendment to the house.</p>~~ ~~<p class="speaker">Linda Reynolds</p>~~ <p>The government opposes the opposition's amendments for the following reasons. First, the amendments moved by the opposition propose to delete the definition of 'systemic weakness' from section 317B and leave that term undefined. These amendments also propose to rewrite the prohibition in section 317ZG. The amendment version of section 317ZG removes references to the term 'electronic protection'. This term anchors the current prohibition by explaining what the powers are prohibited from weakening. Electronic protection includes things such as encryption and also authentication. Without reference to electronic protection, it is unclear what section 317ZG prohibits from being weakened. In one instance, for example, these amendments replace 'electronic protection' with 'systemic methods of authentication or encryption'. This includes a narrower set of things than the previous language.</p> <p>The second reason is that these amendments would also change the legal standard required before the prohibition becomes operative from 'likely' to 'may'. This creates material risk to information security. This standard is too high to be practicable, as it concerns a question of future possibilities. When explaining what is otherwise secure information, these amendments refer to persons other than the person communicating directly with the target person. This concept fails to consider contemporary communication styles, such as forms and broadcast platforms, wherein a communication may not be directly communicated to any person or persons.</p> <p>Third, the government opposes the opposition's amendments because these amendments refer to an unauthorised third party in order to explain when otherwise secure information has been compromised. This description provides only that the person who is communicating directly and that the interception agency using the power are not unauthorised third parties. We believe this is too narrow. Under this construction, telecommunications companies would become unauthorised third parties.</p> ~~<p class="speaker">Jordon Steele-John</p>~~ <p>The Australian Greens will be supporting the amendment put forward by the opposition. They make a bad bill slightly better. I am fascinated to hear Senator McAllister quote from the good Dr Chris Culnane and Professor Teague in relation to this bill. I have been working very closely with individuals, such as themselves, and I can assure the chamber that their preferred outcome would have been for the opposition to oppose the bill and to now have a position of repealing the bill. But, as I said, this makes it a little bit better, so, until we have an opportunity to repeal, it will do.</p> ~~<p>The CHAIR: The question is that opposition amendment (1) on sheet 8642 as moved by Senate McAllister be agreed to.</p>~~

~~Jenny McAllister~~
~~I move opposition amendment (1) on sheet 8642:~~
~~(1) Page 9 (after line 8), at the end of the Bill, add:~~
The majority voted in favour of [amendment (1) on sheet 8642](https://www.openaustralia.org.au/senate/?id=2019-02-14.22.1), which was introduced by NSW Senate [Jenny McAllister](https://theyvoteforyou.org.au/people/senate/nsw/jenny_mcallister) (ALP).
### What does this amendment do?
[Senator McAllister said](https://www.openaustralia.org.au/senate/?id=2019-02-14.22.1) that the amendment related to the definitions of 'systemic weakness' and 'systemic vulnerability' and explained that:
> *... stakeholders were concerned that the protection in the bill which prohibits an agency from forcing a provider to implement any kind of systemic weakness or systemic vulnerability is inadequate because those terms are not defined.*
> *The government sought to address that in their amendments to their own bill in December last year, but the government's amendments have been condemned as difficult to understand, ambiguous and significantly too narrow. ...*
> *The amendments before us now would repeal the systemic weakness definitions that were introduced by the government and give clear legislative effect to the advice provided publicly by the Director-General of ASIO. Our amendments are supported by the main industry groups ...*
> *The critical paragraph on sheet 8642 is to amend 317ZG(4) to include this phrase:*
>> *(4) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to any act or thing that would or may create a material risk that otherwise secure information would or may in the future be collected, accessed, used, manipulated, disclosed or otherwise compromised by an unauthorised third party.*
> *These changes seek to protect the information of innocent people ...*
### What does this bill do?
The [bill](https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;query=Id:legislation/billhome/s1178) was introduced to:
* *speed up the mandated review of the operation, effectiveness and implications of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 by requiring that it take place before the end of the 18 month period beginning on the day the Act received Royal Assent; and*
* *extend the definition of 'interception agency' to include the [Australian Commission for Law Enforcement Integrity](https://en.wikipedia.org/wiki/Australian_Commission_for_Law_Enforcement_Integrity), the [Independent Commission Against Corruption of New South Wales](https://en.wikipedia.org/wiki/Independent_Commission_Against_Corruption_(New_South_Wales)), the [New South Wales Crime Commission](https://en.wikipedia.org/wiki/New_South_Wales_Crime_Commission), the [Law Enforcement Conduct Commission of New South Wales](https://www.lecc.nsw.gov.au/what-we-do/who-we-are-and-what-we-value/who-we-are-and-what-we-value), the [Independent Broad-based Anti-corruption Commission of Victoria](https://en.wikipedia.org/wiki/Independent_Broad-based_Anti-corruption_Commission), the [Crime and Corruption Commission of Queensland](https://en.wikipedia.org/wiki/Crime_and_Corruption_Commission), the [Independent Commissioner Against Corruption (SA)](https://en.wikipedia.org/wiki/Independent_Commissioner_Against_Corruption) and the [Corruption and Crime Commission (WA)](https://en.wikipedia.org/wiki/Corruption_and_Crime_Commission).*
~~Schedule 3—Systemic weakness or systemic vulnerability~~
~~ Telecommunications Act 1997~~
~~1 Section 317B ( definition of electronic protection )~~
~~Repeal the definition.~~
~~2 Section 317B ( definition of systemic vulnerability )~~
~~Repeal the definition.~~
~~3 Section 317B ( definition of systemic weakness )~~
~~Repeal the definition.~~
~~4 Section 317B ( definition of target technology )~~
~~Repeal the definition.~~
~~5 Section 317ZG~~
~~Repeal the section, substitute:~~
~~317ZG Designated communications provider must not be requested or required to implement or build a systemic weakness or systemic vulnerability etc.~~
~~(1) A technical assistance request, technical assistance notice or technical capability notice must not have the effect of:~~
~~(a) requesting or requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability; or~~
~~(b) preventing a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability.~~
(2) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to implement or build a new decryption capability.
(3) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to one or more actions that would render systemic methods of authentication or encryption less effective.
(4) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to any act or thing that would or may create a material risk that otherwise secure information would or may in the future be collected, accessed, used, manipulated, disclosed or otherwise compromised by an unauthorised third party.
(5) The reference in subsection (4) to otherwise secure information includes a reference to the information of, about or relating to any person who is not the subject, or is not communicating directly with the subject, of an investigation to which the relevant technical assistance request, technical assistance notice or technical capability notice relates.
~~(6) The reference in subsection (4) to an unauthorised third party includes a reference to any person other than:~~
(a) the person who is the subject of, or who is a person communicating directly with the subject of, an investigation to which the relevant technical assistance request, technical assistance notice or technical capability notice relates; or
~~(b) the person that issued, or asked the Attorney-General to issue, the relevant technical assistance request, technical assistance notice or technical capability notice.~~
~~(7) Subsections (2), (3) and (4) are enacted for the avoidance of doubt.~~
(8) A technical assistance request, technical assistance notice or technical capability notice has no effect to the extent(if any) to which it would have an effect covered by paragraph (1)(a) or (b).
~~6 Application provision~~
Section 317ZG of the Telecommunications Act 1997, as amended by this Schedule, applies in relation to a technical assistance request, technical assistance notice or technical capability notice given on or after the commencement of this Schedule.
I foreshadowed this amendment in my second reading speech. It goes to the definition of systemic weakness, which this was a core issue in the material that was presented to the committee during our hearings. Essentially, stakeholders were concerned that the protection in the bill which prohibits an agency from forcing a provider to implement any kind of systemic weakness or systemic vulnerability is inadequate because those terms are not defined.
The government sought to address that in their amendments to their own bill in December last year, but the government's amendments have been condemned as difficult to understand, ambiguous and significantly too narrow. In fact, technology experts Dr Chris Culnane and Professor Vanessa Teague have described the government's amendments as an abomination.
The amendments before us now would repeal the systemic weakness definitions that were introduced by the government and give clear legislative effect to the advice provided publicly by the Director-General of ASIO. Our amendments are supported by the main industry groups, and I named those groups in my second reading speech. By contrast, we are not aware of any non-government organisations or individuals who support the government's amendments on this issue.
~~The critical paragraph on sheet 8642 is to amend 317ZG(4) to include this phrase:~~
(4) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to any act or thing that would or may create a material risk that otherwise secure information would or may in the future be collected, accessed, used, manipulated, disclosed or otherwise compromised by an unauthorised third party.
~~These changes seek to protect the information of innocent people, and I commend the amendment to the house.~~
~~Linda Reynolds~~
The government opposes the opposition's amendments for the following reasons. First, the amendments moved by the opposition propose to delete the definition of 'systemic weakness' from section 317B and leave that term undefined. These amendments also propose to rewrite the prohibition in section 317ZG. The amendment version of section 317ZG removes references to the term 'electronic protection'. This term anchors the current prohibition by explaining what the powers are prohibited from weakening. Electronic protection includes things such as encryption and also authentication. Without reference to electronic protection, it is unclear what section 317ZG prohibits from being weakened. In one instance, for example, these amendments replace 'electronic protection' with 'systemic methods of authentication or encryption'. This includes a narrower set of things than the previous language.
The second reason is that these amendments would also change the legal standard required before the prohibition becomes operative from 'likely' to 'may'. This creates material risk to information security. This standard is too high to be practicable, as it concerns a question of future possibilities. When explaining what is otherwise secure information, these amendments refer to persons other than the person communicating directly with the target person. This concept fails to consider contemporary communication styles, such as forms and broadcast platforms, wherein a communication may not be directly communicated to any person or persons.
Third, the government opposes the opposition's amendments because these amendments refer to an unauthorised third party in order to explain when otherwise secure information has been compromised. This description provides only that the person who is communicating directly and that the interception agency using the power are not unauthorised third parties. We believe this is too narrow. Under this construction, telecommunications companies would become unauthorised third parties.
~~Jordon Steele-John~~
The Australian Greens will be supporting the amendment put forward by the opposition. They make a bad bill slightly better. I am fascinated to hear Senator McAllister quote from the good Dr Chris Culnane and Professor Teague in relation to this bill. I have been working very closely with individuals, such as themselves, and I can assure the chamber that their preferred outcome would have been for the opposition to oppose the bill and to now have a position of repealing the bill. But, as I said, this makes it a little bit better, so, until we have an opportunity to repeal, it will do.
~~The CHAIR: The question is that opposition amendment (1) on sheet 8642 as moved by Senate McAllister be agreed to.~~