Today I testified telephonically before Australia's Parliamentary Joint Committee on Intelligence and Security regarding the proposed Assistance and Access Bill. At the Committee's request, I submitted supplemental comments in advance of the hearing about the interaction between the Bill and the recently-enacted CLOUD Act in the United States. This was my third round of comments on the Bill; the others are here and here.
Below is my opening statement to my testimony (more or less - I made some tweaks on the fly; the full transcript is here):
Thank you to the Committee for inviting me to testify today. First, thanks for heeding the feedback from the last hearing about the very short notice on which witnesses were invited to testify. The longer that witnesses have to prepare, the better the job we can do when we appear before you.
Next, I want to take a step back and question the necessity for this Bill to be passed, at least in its 172-page current form. It is not clear whether the alarmingly broad powers it seeks for Australian agencies are really called for. What are the specific problems this Bill is trying to solve, and how big are those problems? Do they merit the serious trade-offs to multiple crucial interests that the Bill would entail if passed as-is? Would the Bill actually solve the problems it’s supposed to solve? Are there other, more narrowly-drawn means to accomplish the agencies’ goals? And might those goals be achievable under current law, or with modest changes, if the agencies get more resources and training and better coordination with the technology sector?
On these questions, the American experience may be helpful. U.S. law enforcement agencies do not focus on the ultimate goal of effectively preventing, solving, and prosecuting crime. Instead they focus on how many devices they can’t open and how many messages they can’t read.
But that is not the proper yardstick. The correct focus is on whether law enforcement can ultimately do its job, of disrupting plots and seeing criminals brought to justice. If your agencies can do that even where they cannot access encrypted data, that undercuts the asserted need for this Bill. There exists a wealth of other digital evidence sources, from location information, to cloud backups, to the Internet of Things. All of those are still available to help solve crimes even in an age of ubiquitous encryption. Thus, I urge you to ask the agencies for better information about outcomes, because that will help you evaluate how much of the Bill is really necessary.
So, is it possible that law enforcement can solve its problems, or get most of the way towards fixing them, without this Bill, given proper resources, education, and coordination? Again, the U.S. experience is illustrative. A recent report from a U.S. think tank surveyed federal, state, and local law enforcement across the USA. What it found is that the biggest challenge investigators say they face concerning digital evidence-gathering is not encryption. Rather, the #1 problem was identifying which provider would have the relevant evidence in the first place, and #2 was difficulties they encountered in approaching providers, finding out what data was available, and getting that data, without long delays, in a usable format. It does not take this sweeping Bill to address those issues.
What is more, this Bill would entail significant negative trade-offs. You have heard from the public about the Bill’s potential impact on the cybersecurity of Australian individuals, business, and the Government itself. The Bill also implicates national security, economic growth, trade and innovation, and personal rights.
And the irony is that for all that downside, the putative upside might not be worth it. The Bill can’t guarantee that agencies will catch the kinds of sophisticated criminals and terrorists who are savvy about their use of encryption and other security measures. They are the justification for this Bill, but even top U.S. law enforcement officials have acknowledged that sophisticated bad actors will always find a means of communicating securely even if a Bill like this is passed into law.
So by making it illegal for providers to offer the very best security they can to their Australian users, you’d be making your constituents more vulnerable than they are now to the very criminals who seek to prey upon them—such as organized crime rings, ID thieves, and cyberstalkers. You would be making it the law of the land that innocent, law-abiding Australians have worse security than criminals.
Finally, I want to say how troubling I found the testimony by Home Affairs representatives during the previous hearing. They insinuated that public comments weren’t, quote, “appropriate for consideration” unless they provided specific feedback on specific language in the Bill and suggested specific amendments.
No government official in a democracy should be heard to say that the opinion of a member of the public is not “appropriate for consideration.” It is legitimate to express concern about the Bill as a whole, and to say it shouldn’t be passed, in any form, and that it’s not enough just to change a word here and add a phrase there.
To analogize to a recent example from the United States, that’s like saying it isn’t legitimate for a member of the American public to oppose a policy of putting little children in internment camps, full stop; it’s only legitimate to quibble over the specifications for the size of the cage.
Narrowing the definition of what is an “appropriate” way to talk about a topic narrows the discourse. It channels the conversation into the framing preferred by the party seeking to control the discourse. It shapes people’s very thinking about the topic. If someone can get you asking the wrong questions, they don’t have to worry about the answers.
And, that kind of narrowing stifles opposition. There is a saying: “No” is a complete sentence. 15,000 members of the public took a look at this Bill and said: “No.”
That concludes my opening remarks. I welcome the Committee’s questions.