Wednesday, 18 June 1997
Page: 5651

Mr DARGAVEL (6.29 p.m.)—The member for Moore (Mr Filing) said a lot about the increased use of heroin in his electorate, the need to continue the so-called war on drugs and the consequential need, in his view, I suppose, for wire taps to be more easily available for law enforcement agencies. The clinical evidence is that heroin as a substance is certainly nowhere near as damaging in terms of mortality rates in the Australian community than are legally sanctioned drugs such as tobacco and alcohol. That is the reality of the situation. Far more people die from tobacco and alcohol in Australian society and far greater cost is imposed on the community through those two substances than through any of the illicit substances which we spend a lot of money on fighting.

Having said that, security is a big concern for people communicating through modern technologies, for both personal privacy and hard-nosed business reasons. Jeff Kennett found out what happens when communications systems, such as the analogue mobile phone he was using to make some pertinent points about members opposite, are the subject of easy interception.

Telephone intercepts is a debate about balancing the community demand for privacy with the real challenges that law enforcement and intelligence organisations face. We have accepted that private communications of citizens should prima facie not be subject to surveillance unless an approved officer orders otherwise. That is the broad assumption underlying this bill, notwithstanding the debate about what the approved officer may be.

We do not condone industrial spying by way of private wire taps. However, in the emerging technology of the Internet, the same degree of privacy that we might like to enjoy on the telephone system is extremely problematic. Any technically competent individual with a modem and a reasonable grounding in UNIX can intercept electronic mail and Web transactions.

This is a very serious issue for two principal reasons. The first and obvious concern is privacy. Citizens send personal e-mails to friends and relatives, and they should be able to do so without a fear of them being intercepted by smart but unkind individuals. In addition, organisations are increasing their use of the Internet as a method of transmitting information. Lawyers and doctors are sending confidential information to each other about clients and patients over the Net. It is essential that this personal information is not intercepted and used maliciously.

The second serious but less considered implication for security issues in relation to the Internet is the limit that insecure networks place on commercial development. Small business in Australia stands to gain substantially if, and only if, consumers are confident that their credit card and other personal details are secure and are not intercepted and used for wrongful purposes.

This is particularly the case when we see repeated stories of stolen credit and personal details sourced from insecure Net transactions or sites. Many people on the Net will not use their credit card to order services or products because of this problem.

So consumers do not feel confident about using the Net for commerce, and small business suffers. Because Australians have the highest take-up rate of new technology per capita in the world, there is a credible argument that says that Australian small business suffers the most. Privacy on the Net, therefore, is not only one of the largest IT issues; it is one of the largest issues for those small businesses that would like to use emerging technologies to market their respective products.

There is a solution to these issues, and it does not actually require much government action or many resources at all. Sophisticated encryption products fix the privacy problem. Good encryption products scramble messages so that sensitive information about people's personal details and their commercial-in-confidence information cannot be intercepted by some kid with a modem and a bit of knowledge of UNIX. It keeps that information safe from malicious eyes, because it scrambles it to render that information unintelligible to those without the keys to decipher it.

Of course, intelligence agencies have become a little concerned that their ability to peruse the personal interactions of citizens will become compromised if they cannot decrypt the contents of e-mails and commercial transactions. Those agencies have successfully convinced governments to prohibit the export of encryption products that the agencies themselves cannot decipher.

Of course, what agencies can decipher others can too. The United States have adopted a standard which they insist is safe yet provides consumers with confidence that their information is not decryptable but also provides agencies with an ability to decrypt information in a legitimate capacity.

The standard adopted by the United States and security agencies elsewhere, not surprisingly, is a poor standard; it has been shown to be unreliable. A number of studies, including those produced by Bellcore and the Weizmann Institute, have shown that the American encryption export standard is decryptable. Even students from MIT have been able to successfully decrypt within a couple of hours e-mails that have been encrypted with that particular standard.

Put simply, personal or commercially sensitive information that is encrypted using software the Americans approve for export can be intercepted and decrypted by teenagers. So consumers lack the faith that successful Net commerce or successful expansion of commerce on the Net requires. It is a legitimate concern that consumers have about this emerging technology.

The argument then becomes how good the encryption product may be. There is an Australian small business, as fortune or, rather, hard work would have it, that has delivered a solution to the problem. A small business in the electorate of Grayndler has come up with an encryption product that is a recognised world leader. With a bit of indulgence, I will just explain why it is a world leader.

The Australian Financial Review described it as ideal for sending files over the Internet. The APC said in January 1997 that it offered an unequalled level of protection. PC Week in November 1996 said that it was `beating the pants off the overseas competition'. Of course, it was beating the pants off the overseas competition.

The company that developed the product is called Nexus Solutions. Who has been obstructing this new technology every step of the way? Not surprisingly, it is its international competitor, but, somewhat surprisingly, it is also the Australian government. Nexus Solutions, which is based in Grayndler, as I have said, has developed its product relying on a 447-bit key, resulting in a combination possibility of one billion times 10 to the power 481. That is a pretty big number of combination possibilities. To put it another way, it would take around 2,000 to 3,000 years to decrypt an e-mail encrypted using this encryption product.

Nexus landed a very large contract to sell thousands and thousands of site licences to the World Health Organisation. The Australian government would not let them fulfil the contract, using the Customs (Prohibited Exports) Regulation 13E Dual Use Technology Controls. It acted to prevent the Australian small business from exporting a product to fulfil a contract it had landed with the World Health Organisation. This was despite the frequent and capable representations made on their behalf by the member for Grayndler (Mr Albanese). Why the Australian government feels that it needs to maintain a capacity to snoop on the World Health Organisation is, frankly, absolutely and utterly beyond me and, no doubt, probably beyond the World Health Organisation.

The company certainly lost export dollars. Nexus then tried to sell their product to the Australian government itself. To do this they were advised that they would have to get their product approved by the government. The process is that the software has to be tested and `rubber stamped' to go on the list for departments to buy from. The government has outsourced the testing of security software to a foreign company. It is an American company called CSC. That company, surprisingly, also happens to sell encryption software. So here we have a foreign market competitor being asked to test the Australian product. Who pays for the testing? The Australian small business, Nexus. The overall cost imposed by the overseas competitor for rubber stamping the Australian underdog product ends up being around $250,000. This is a product that sells for around $250 per twin-site unit. The company might make a very small margin for such a very large outlay being asked, under the authority of the Commonwealth government, by the competitor.

Worse still is yet to come for our small businessman in Grayndler. He is asked to hand over the source code of his product to his competitor. Those of us who know a little about computer software and innovation would be aware that being asked to hand your source code over to your competitor is about as senseless as it comes.

The Australian battler then manages to get financial backing for the testing, which only provides him with the opportunity to sell his product. That is, he gets backing of some $250,000 to get the product tested so that he might be able to sell it. But the government then tells him that they will not be able to get around to it, that they will not have time to have his product tested by this third party overseas. After some time and interaction, the government, through the office of the Defence Signals Directorate, agrees to allow the testing to take place, only if the small business can get a letter from a couple of departments saying that they will buy the product. Of course, the departments cannot provide a letter saying that they are going to buy a product that they cannot find on the list of approved purchases.

I will go to the letter from Mr Allan Owen, manager of the cryptographic evaluations section of the Defence Signals Directorate, to Mr Peter Pavlovic, the managing director of Nexus Solutions Pty Ltd. In that letter Mr Allan Owen says, in part:

You will also be aware that before we can undertake to evaluate NTrust—

which is the product—

you will need a government department to write to us requesting that we evaluate the product and confirming that they wish to purchase the product. This is our normal evaluation sponsorship arrangement.

Quite clearly, the Australian small business that came up with this revolutionary solution to the problem that small business confronts on the Internet globally was being given the royal run around.

I do not believe that this is government bungling on behalf of the office of the Defence Signals Directorate. I believe that this is a concerted campaign by the government through that office to deny all Australian small business the opportunity to benefit from consumer confidence in international commercial transactions over the Net. It is a government acting decisively to do over the small business sector in order to satisfy the spooks here and overseas. It is a government that is acting decisively and patently to put foreign business in front of Australian small business. It is a government that is acting decisively to deny privacy to the country's citizens.

As with phone communications, there is an expectation from the general public that they will not be subject to willy-nilly interception and that they are free to conduct their personal affairs without unsolicited and unlawful snoops listening in. There is a legitimate fear in the community of not only misuses of state sponsored surveillance but also privately sponsored surveillance. My view is that individuals have a prima facie right to privacy unless an approved officer orders otherwise to enable a legitimate intercept in the pursuit of a legitimate investigation.

Whilst there can be a legitimate role for surveillance by the state, I do not see the case for every Tom, Dick and Harry with a modem and some knowledge of UNIX to have the ability to listen in and watch the personal interactions of everyone on the Net. I certainly do not see why my e-mails or other personal interactions on the Net should be intercepted by every Tom, Dick and Harry. I am pretty sure that most people on the Net do not see why that should be the case for themselves either.

Members of the community who do use the Internet would like to avail themselves of secure and reliable encryption products. That is exactly what the government refuses by preventing local business from exporting a 448-bit key encryption technology. The office of the Defence Signals Directorate has invited Nexus to downgrade their encryption technology to a government approved standard and has suggested that, if they did so, Nexus might have fewer problems.

In the letter that I previously quoted from, the Office of the Defence Signals Directorate suggests that a cryptovariable space of around 40 bits might do the job. Bear in mind that the product offered here by Nexus is 448-bit key encryption technology. So clearly the standard that the government would like Australian consumers to accept is an inferior one, and it is a standard that has been cracked. It is a standard that has been shown so far to be deficient by kids on the Net, and that is well understood by consumers on the Net. The position of the government at this stage, through the Office of the Defence Signals Directorate, is one of putting the brakes on Australian small business seeking to exploit the emerging opportunities presented on the Internet.

The IT industry is one that Labor would like the government to foster. I believe that, in the national and private interest, the government should cease its obstruction of this important encryption tool. If the government wants to ensure that its intelligence organisations can continue to snoop the Net, it must at least make sure that it is done in such a way that local companies that develop products which the government might find acceptable, such as the old unreliable 40-bit key technology, are not exposed to unfair foreign interest. Local small business should not be asked by the government to cough up around about a quarter of a million dollars and hand over the source code to their competitors in order to get approval for government purchase.

Clearly the conundrum presented in this debate is that, unlike telephone intercepts, the Net provides a framework of communication that does not accept prima facie that people have privacy. Technically that is not possible without the introduction of sophisticated encryption technologies, and that is what presents the difficulties for the spooks who like to rely upon a capacity of having a look at what everyone is doing at any given time. That is the very difficult paling that this government is straddling.

The government's traditional ideology purports to represent the rights of the individual. In this debate the government is supporting no privacy for citizens on the Internet at all, and it is supporting the proposition that Australian small business should be disadvantaged and should be slowed down on the Internet rather than exploiting this emerging technology and moving forward with it. I make the point again: Australians are one of the greatest users of technology. We have the fastest take-up rate of new technology. (Time expired)