Jake Bloom, who formerly worked with Facebook in California, listed the following changes which, he said, should be made to the law in the event that it was not taken off the books altogether:
- Remove the concept of a Technical Capability Notice (TCN) as it amounts to nothing more than servitude;
- Amend the legislation such that Technical Assistance Requests (TARs) and Technical Assistance Notices (TANs) can only be served to a corporation, not an individual;
- Narrow the scope of the legislation so that it can only be used in the case of terrorism and child sex offences, not the broad scope that currently exists;
- Properly define a “whole class of technology”;
- Allow the public to immediately view which companies have been served with TARs and TANs.
The new review has asked for submissions and will submit a report by 3 April.
In November 2018, during hearings on what is officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, a number of law enforcement agencies — ASIO, the Australian Signals Directorate, the Australian Federal Police and Victoria Police — said the law needed to be passed as quickly as possible, and before Christmas, though no concrete justification was offered for this.
Later, Prime Minister Scott Morrison and Home Affairs Minister Peter Dutton told the media that they would be asking the Parliamentary Joint Committee on Intelligence and Security, which was holding hearings into the bill, to speed up the process and send the bill back to Parliament as soon as possible.
Elaborating on his suggestions, Bloom pointed out that serving a TCN appeared to be illegal, as it involved engaging an individual in servitude according to the definition in section 270.4 of the Australian Criminal Code.
The section reads: "(1) For the purposes of this Division, servitude is the condition of a person (the victim) who provides labour or services, if, because of the use of coercion, threat or deception:
"(a) a reasonable person in the position of the victim would not consider himself or herself to be free:
"(i) to cease providing the labour or services; or
"(ii) to leave the place or area where the victim provides the labour or services."
Said Bloom: "Under this definition, if an individual was to be served with a Technical Capability Notice, they would be a victim of servitude, as the Commonwealth is not remunerating the individual for building the capability, the individual is not free to cease building the capability, and is operating under the threat of jail time. While I do not claim to be a legal expert, in my mind, the concept of a Technical Capability Notice seems at odds with this definition."
He said he had ideological issues with the law as well, pointing out that in a democracy, "it is important for there to be methods of communication among citizens that are free of government oversight".
But Bloom also listed economic and practical concerns with the law. In the first instance, he pointed to the government ban on Chinese vendors playing a role in the rollout of 5G networks. "This legislation ensures that there is no doubt when it comes to Australian technology – the Australian Government is listening, and the public debate around these laws means that the international community has noticed."
He provided the example of Apple and NASA using Australian firm Atlassian's Bitbucket software to store source code.
"As a result of the passage of the bill, Apple and NASA know that a capability to read their source code could be installed into Bitbucket without notice," Bloom said. "As a result, international firms will move away from using Australian-made software to power their business, in a huge blow to the Australian export market."
He also pointed out that the GDPR, which came into force in May last year, required immediate disclosure of improper use of user data, even if only a very few users were affected.
"This means that an Australian company that has been subjected to a TAN or a TCN cannot comply with the GDPR laws and cannot legally export to Europe," Bloom said.
"As a result, this legislation cuts off the export market for Australian software companies, and puts in jeopardy the employment of Australians overseas. There are over 300 Australians employed at Facebook, and all of them are learning world class skills that many hope to bring back to Australian shores one day. This legislation would cut off this learning pathway for Australians overseas and stymie the knowledge that they bring home with them."
As many others have, Bloom also said the law did not provide clarity on what exactly constituted a systemic vulnerability. This could lead to someone creating a backdoor unintentionally, he suggested.
"Secondly, it is accepted practice when writing software that before you can deploy your code for users to interact with it, it needs to be reviewed by another person. This renders the confidentiality clauses within the legislation useless, as at least one other person will see that a weakness, vulnerability, spyware or redundant code is being inserted," Bloom said.
"Upon discovering this, it would be raised immediately to management or leadership of the company, and would likely resolve in an immediate termination of the engineer who executed the TCN. Having worked at a large multinational company, I can tell you that the rank and file employees as well as the leadership would be more inclined to pull a product from a market altogether rather than compromise the security of the application.
"Given that Apple has previously declined to unlock iPhones for the FBI, and Facebook and Google are unwilling to comply with Chinese Government to access a market of over one billion people, I find it difficult to believe that these companies would waste time and money making a product less secure to satisfy a market that they can be successful without."
Bloom said developers would often be caught between a rock and a hard place if they were asked to comply with any notice served under the law.
"...for many people, being served with a request or notice under this legislation places them into an entrapment scenario, where ignoring the notice would breach laws in Australia and complying with the notice would breach laws such as Europe’s GDPR or the USA’s HIPAA. This creates a no-win scenario where being served with a notice means fines or jail time in multiple jurisdictions, regardless of the action taken," he added.