Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
 Download Current HansardDownload Current Hansard    View Or Save XMLView/Save XML

Previous Fragment    Next Fragment
Thursday, 14 February 2019
Page: 10201


Senator McALLISTER (New South WalesDeputy Opposition Whip in the Senate) (11:24): I move opposition amendment (1) on sheet 8642:

(1) Page 9 (after line 8), at the end of the Bill, add:

Schedule 3—Systemic weakness or systemic vulnerability

Telecommunications Act 1997

1 Section 317B ( definition of electronic protection )

Repeal the definition.

2 Section 317B ( definition of systemic vulnerability )

Repeal the definition.

3 Section 317B ( definition of systemic weakness )

Repeal the definition.

4 Section 317B ( definition of target technology )

Repeal the definition.

5 Section 317ZG

Repeal the section, substitute:

317ZG Designated communications provider must not be requested or required to implement or build a systemic weakness or systemic vulnerability etc.

(1) A technical assistance request, technical assistance notice or technical capability notice must not have the effect of:

(a) requesting or requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability; or

(b) preventing a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability.

(2) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to implement or build a new decryption capability.

(3) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to one or more actions that would render systemic methods of authentication or encryption less effective.

(4) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to any act or thing that would or may create a material risk that otherwise secure information would or may in the future be collected, accessed, used, manipulated, disclosed or otherwise compromised by an unauthorised third party.

(5) The reference in subsection (4) to otherwise secure information includes a reference to the information of, about or relating to any person who is not the subject, or is not communicating directly with the subject, of an investigation to which the relevant technical assistance request, technical assistance notice or technical capability notice relates.

(6) The reference in subsection (4) to an unauthorised third party includes a reference to any person other than:

(a) the person who is the subject of, or who is a person communicating directly with the subject of, an investigation to which the relevant technical assistance request, technical assistance notice or technical capability notice relates; or

(b) the person that issued, or asked the Attorney-General to issue, the relevant technical assistance request, technical assistance notice or technical capability notice.

(7) Subsections (2), (3) and (4) are enacted for the avoidance of doubt.

(8) A technical assistance request, technical assistance notice or technical capability notice has no effect to the extent(if any) to which it would have an effect covered by paragraph (1)(a) or (b).

6 Application provision

Section 317ZG of the Telecommunications Act 1997, as amended by this Schedule, applies in relation to a technical assistance request, technical assistance notice or technical capability notice given on or after the commencement of this Schedule.

I foreshadowed this amendment in my second reading speech. It goes to the definition of systemic weakness, which this was a core issue in the material that was presented to the committee during our hearings. Essentially, stakeholders were concerned that the protection in the bill which prohibits an agency from forcing a provider to implement any kind of systemic weakness or systemic vulnerability is inadequate because those terms are not defined.

The government sought to address that in their amendments to their own bill in December last year, but the government's amendments have been condemned as difficult to understand, ambiguous and significantly too narrow. In fact, technology experts Dr Chris Culnane and Professor Vanessa Teague have described the government's amendments as an abomination.

The amendments before us now would repeal the systemic weakness definitions that were introduced by the government and give clear legislative effect to the advice provided publicly by the Director-General of ASIO. Our amendments are supported by the main industry groups, and I named those groups in my second reading speech. By contrast, we are not aware of any non-government organisations or individuals who support the government's amendments on this issue.

The critical paragraph on sheet 8642 is to amend 317ZG(4) to include this phrase:

(4) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, includes a reference to any act or thing that would or may create a material risk that otherwise secure information would or may in the future be collected, accessed, used, manipulated, disclosed or otherwise compromised by an unauthorised third party.

These changes seek to protect the information of innocent people, and I commend the amendment to the house.