Global encryption day 2023

Joint letter: the Australian government must incorporate safeguards for encryption in the online safety codes

To:

Mark Dreyfus, Attorney-General of Australia

Julie Inman Grant, eSafety Commissioner

CC:

Peter Khalil, Chair, Parliamentary Joint Committee on Intelligence and Security

Stephen Donaghue KC, Solicitor-General, Attorney General’s Department

Sarah Chidgey PSM, Deputy Secretary, National Security and Criminal Justice Group, Attorney General’s Department

On Global Encryption Day, 21 October 2023, we, the undersigned organisations and experts, urge you to protect and strengthen privacy and secure communications in Australia. As stakeholders committed to a free, open, and secure internet, and strong cybersecurity that strengthens privacy and freedom of expression, we respectfully call on you to incorporate safeguards for encryption in the country’s legal and regulatory framework, including the online safety codes being drafted by the eSafety Commissioner. 

We commend the initiative taken by the Australian government to reform laws governing electronic surveillance and privacy. The Attorney-General’s Department’s objectives for the electronic surveillance reform note that the revised laws will “protect privacy; promote transparency; and be explicit for agencies, oversight bodies, industry and the public.” Equally notably, with reference to the ongoing review of the Privacy Act, the AG’s Department states that “reforms are aimed at strengthening the protection of personal information and the control individuals have over their information. Stronger privacy protections would support digital innovation and enhance Australia’s reputation as a trusted trading partner.”

We humbly submit that categorical protection of end-to-end encryption, which is under threat from the imminent online safety codes, is essential to achieve the goals underlying the Australian government’s wider efforts to reform surveillance and privacy frameworks, and protect online privacy and security. 

The eSafety Commissioner has rejected two of the eight codes drafted by industry because they did not require services for cloud storage, email and instant messaging to scan content to detect child abuse material. The defining feature of end-to-end encrypted platforms is that no party other than the sender and the intended recipient/s, including the service provider, can ever access the content. This is a technological truth that enables privacy and security, and cannot be altered with any legislative intention. 

End-to-end encryption contributes to online safety and privacy in an environment of ever-expanding scope of surveillance. Any mandate to scan content on end-to-end encrypted platforms would make it impossible for services to offer this crucial tool, to the detriment of people across ages, backgrounds and regions. It would exponentially amplify existing concerns around surveillance by the private and public sectors, and jeopardise privacy by increasing the vulnerability of people’s personal information to indiscriminate surveillance. 

We are also concerned that the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA) remains yet to be amended. TOLA amplifies the government’s powers without adequate limitations, undermines encryption, and endangers human rights; authorities can issue a “technical capability notice” under the Act to compel service providers to develop the ability to decrypt communications. Both the Independent National Security Legislation Monitor’s (INSLM) recommendations, which suggested stronger independent oversight, and the Parliamentary Joint Committee on Intelligence and Security (PJCIS)’s review of amendments need to be addressed.

Regulation attacking encryption would also have an adverse impact on the Australian economy. It increases business uncertainty, thwarts innovation and undercuts the credibility of companies operating in Australia owing to compromised digital security in their product and service offerings. Platforms such as WhatsApp, Signal and Matrix have categorically stated that they would exit any jurisdiction that imposes requirements to break end-to-end encryption. As a result, people in Australia would be deprived of access to secure platforms, either because they are not available in the region, or because their security has been compromised by the introduction of scanning capabilities.

An obligation to scan private data on encrypted services will result in an erosion of end-to-end encryption, and consequently, the privacy and online safety that it enables, including for the user groups that the codes seek to protect. We respectfully urge the eSafety Commissioner to incorporate safeguards for end-to-end encryption in the online safety codes, and protect privacy and security in Australia. We also urge the AG’s department and other authorities to ensure that the electronic surveillance reform, and changes to TOLA, include such protection. 

Australia is at a critical inflection point with various ongoing streams of review, and development, of surveillance, privacy and online safety frameworks. The point where they all converge, and which ought to be the central focus of these processes, comprises the right to privacy of people in Australia, and the scope for innovation in the country, impacting its competitiveness in international markets as well.

These reforms can have two potential outcomes. The new frameworks will either reflect a meaningful modernization of the surveillance regime by prioritising privacy and protecting security tools such as end-to-end encryption. Or they will risk perpetuating broad surveillance powers in the face of rising threats to privacy in the digital age, by weakening tools such as encryption, and therefore people’s privacy, based on the misconception that it undermines online safety. As privacy and cybersecurity experts have demonstrated time and again, encryption is pivotal for online privacy and it enhances online safety. The government’s objectives to uplift privacy protections can be considered to have been meaningfully fulfilled, only if the first outcome is achieved. 

The 2023 survey by the Australian Information Commissioner (OAIC), also highlighted in the government’s response to the Privacy Act Review, makes it clear that the vast majority of people in Australia want more control over their personal information and place high priority on its security. By protecting and strengthening encryption, the Australian government must address the prevailing legislative and regulatory uncertainty on this important issue, and respond to the need for greater privacy protections so clearly expressed by its people.

Signatories:

Access Now

ACT | The App Association

Africa Media and Information Technology Initiative (AfriMITI)

Center for Democracy & Technology

Centro Latinoamericano de Investigaciones Sobre Internet

deSEC

Digital Rights Watch

Fight for the Future

Global Partners Digital

Human Rights Journalists Network Nigeria

Internet Australia

Internet Freedom Foundation, India

Internet Society

Internet Society Catalan Chapter (ISOC-CAT)

Interpeer gUG

ISOC Ecuador

ISOC Ethiopia Chapter 

JCA-NET (Japan)

MEGA The Privacy Company

Privacy & Access Council of Canada

Proton 

SecureCrypt

Southeast Asia Freedom of Expression Network (SAFEnet)

Tech for Good Asia

The Tor Project

Tutanota

University of Bosaso

Individuals:

Samuel Lemma

Sharon Polsky MAPP

Unggul Sagena