In a submission to the fresh review that is taking place on the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, Culnane and Teague, who made detailed submissions to the Parliamentary Joint Committee on Intelligence and Security last year, claimed that the definition of 'computer' which had been added to the Surveillance Devices Act was "just funny".
"[According to] 36 Subsection 6(1) (definition of computer) computer means all or part of:
- "(a) one or more computers; or
- "(b) one or more computer systems; or
- "(c) one or more computer networks; or
- "(d) any combination of the above," they said.
And they added: "So 'computer' could mean 'all or part of one or more computers', which could mean 'all or part of one or more (all or part of one or more computers)s' which could mean 'all or part of one or more (all or part of one or more (all or part of one or more computer networks)s)s, which could mean 'all or part of one or more (all or part of one or more (all or part of one or more (all or part of one or more computer system)s networks)s)s', which could go on forever without telling us much about what 'computer' means."
"Next time the Australian parliament chooses to interfere with the most complex logical systems that have ever been devised, we recommend giving at least one computer scientist the opportunity to read the legislation before it is passed through both houses of parliament," they added.
But their submission was not limited to jocularity, also pointing out what they termed were "two examples that show that this legislation is draconian in its provisions and nonsensical in its drafting".
One of these, they said, was the definition of the term "systemic weakness". The definition added the law reads: "systemic weakness means a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person."
Culnane and Teague said this allowed "law enforcement to demand modifications that undermine the cyber security of millions of people, as long as something less than 'a whole class of technology' is affected. It addresses concerns about others' security by simply defining the issue away".
A second point they raised concerned forcing a person with knowledge of a computer system to compulsorily assist in an investigation.
"A person who refuses to assist can be jailed for five years. A similar provision now added to the Surveillance Devices Act (2004) allows the innocent person to be jailed for 10 years. There is no exclusion for jeopardising the information or security of others," the two academics pointed out.
"We would like to know whether any MP or Senator stood up in Parliament and seriously advocated jailing innocent Australian technologists, mathematicians, or engineers for refusing to undermine the security of critical Australian infrastructure.
"We are not lawyers, and have heard some more expert legal scholars say that this is probably not the way this clause was intended. If that is the case, it should be repealed and replaced with something that more closely resembles what the MPs of a democracy should support."
The encryption bill became law on 6 December but just 12 days later, the PJCIS said it would begin a fresh review.
The new review has asked for submissions and will submit a report by 3 April.