Australia’s new decryption legislation: What does it mean for you?

Despite widespread criticism from individuals and industry participants, the controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Bill) has now passed through both Houses of Parliament. It is set to become law once it receives Royal Assent.

Probably the most significant aspect of the Bill is that it gives Australian State, Territory and Federal law enforcement agencies the ability to demand that ‘designated communications providers’ create a capability to provide access to encrypted communications and data. (The legislation uses the terms ‘systemic weakness’ and ‘systemic vulnerability’ to describe what such a capability must not introduce.)

While there are some limitations on that power (e.g. the capability can only be used to target a particular person, and it must not result in a ‘weakness’ or ‘vulnerability’ that is ‘systemic’), there are significant privacy concerns, and questions about whether compliance with such a demand is even technically possible.

This article takes a look at some of these issues, and the significant impact the Bill may have on most individuals and businesses operating in the technology or communications supply chain.

Decrypting encrypted technologies

The Part of the Bill that has attracted the most controversy is the introduction of the ‘industry assistance’ provisions. These provisions allow Australian law enforcement agencies (including State, Territory and Federal Police and ASIO) to request or order that a ‘designated communications provider’ provide assistance with the decryption of encrypted communications or data.

Who is a ‘designated communications provider’?

The industry participants that may be subject to an assistance request or order are called ‘designated communications providers’. The definition is extremely broad, and could include most individuals and businesses in the communications supply chain.[1] For example:[2]

  • businesses that operate messaging platforms (e.g. WhatsApp, Google);
  • phone and internet service providers;
  • technicians and retail repairers;
  • developers of software used in connection with certain communication services; and
  • manufacturers of any component used in telecommunication equipment.

The Bill is intended to apply to foreign companies who provide a relevant communication service with one or more end-users in Australia. It also captures anyone who develops, supplies, or updates software in connection with that service.

Given the proposed extraterritorial scope, it’s not entirely clear how the Bill will interact with certain foreign laws (in particular, the GDPR). The Bill provides a defence for not complying with requested assistance where compliance in the foreign country would contravene a law of that country. However, this defence does not cover the situation where compliance in Australia could violate the laws of another country in which the provider operates.[3]

What type of assistance might be required?

After debate in Parliament, the Bill was amended so that a law enforcement agency could only require a ‘designated communications provider’ to do specific acts or things known as ‘listed acts or things’.[4]

However, the definition of ‘listed acts or things’ is almost as broad as the definition of ‘designated communications provider’. Importantly, it includes:

  • removing the electronic protection from a service or device;
  • providing specified ‘technical information’;[5] and
  • facilitating access to devices or requested data.

How is an industry assistance request/order made?

There are three types of requests/orders that law enforcement agencies can make (each subject to certain limitations or consultation requirements discussed below).

The requests/orders are:

  1. Technical assistance request (TAR) – a TAR is a request for voluntary assistance with the law enforcement agency’s functions or activities. A TAR can include a request for any assistance – it is not limited to ‘listed acts or things’. One limitation is that the request must relate to a ‘relevant objective’ of the requesting agency (e.g. safeguarding national security or assisting the enforcement of serious criminal offences in Australia or a foreign country).
  2. Technical assistance notice (TAN) – a TAN is a notice obliging a ‘designated communications provider’ to assist with a law enforcement agency’s functions or activities. The type of assistance must be a ‘listed act or thing’. Additionally, the actual assistance must relate to safeguarding national security or assisting the enforcement of serious criminal offences (of Australia or a foreign country).
  3. Technical capability notice (TCN) – a TCN is similar to a TAN in that both are compulsory notices. However, the purpose of a TCN is to compel a ‘designated communications provider’ to build new capabilities that will enable it to assist a law enforcement agency with a ‘listed act or thing’ (likely intended to be used in connection with a later TAN). This has attracted criticism that a TCN could be used to require a company to build backdoors into its software or hardware.

The scope of a TCN still requires the notice to relate to assisting the enforcement of serious criminal offences (in Australia or a foreign country). There are also additional oversight measures (including requiring the Attorney-General to first issue a ‘consultation notice’ setting out details of the proposed TCN for discussion with the provider). However, there are still major concerns about the privacy implications and whether compliance with the requirements is actually technically possible.

What are the penalties?

Unless an exception applies (discussed below), the maximum penalty for non-compliance with a TAN or TCN is ~A$10 million (for a body corporate that is not a carrier or carriage service provider).

Compliance with a TAR is voluntary, meaning there are no penalties for non-compliance.

Are there any exceptions to compliance?

In an attempt to balance privacy concerns and the uncertainty about whether it is technically possible to comply with the requirements of an order or notice, the Bill includes several exceptions to compliance.

Two of the most significant are:

  1. A request/notice cannot compel a designated communications provider to implement a systemic weakness/vulnerability. A systemic weakness/vulnerability is defined as something that would affect a whole class of technologies, but does not include a weakness/vulnerability that targets a particular person. This exception is intended to ensure that companies won’t be compelled to include a backdoor affecting the security of all devices. Given how modern end-to-end encryption works, it is arguable that many requests/notices might fall under this exception: in an end-to-end encrypted service the provider holds no key that can decrypt a user’s messages, so supplying plaintext for one target generally means altering the client software or key exchange, and that altered code is ordinarily shipped to every user of the service.
  2. The issuing law enforcement agency must consider whether the request/notice is ‘reasonable and proportionate’ and whether compliance is ‘practicable and technically feasible’. The terms ‘practicable’ and ‘technically feasible’ are not defined in the Bill. However, it contains several factors for a law enforcement agency to consider when determining if a request/notice is reasonable and proportionate. They include:
    • the interests of national security and law enforcement;
    • the legitimate interests of the designated communications provider;
    • the privacy and cybersecurity interests of the Australian community; and
    • whether other less intrusive forms of industry assistance exist.

It’s not clear how ‘practicable’ and ‘technically feasible’ will be interpreted, or how these factors will be balanced by a law enforcement agency.

Another potential avenue available under the Bill is for a designated communications provider to request an assessment of a ‘consultation notice’ (that is, the ‘consultation notice’ which must be given before a TCN is issued). Such an assessment is carried out by a retired judge and an assessor with sufficient technical knowledge. The assessors’ report must be considered before a decision is made on whether to proceed with giving the TCN.

Costs of compliance

The Bill also provides that a ‘designated communications provider’ must comply with the requirements of a TAN or TCN on a no-profit, no-loss basis (unless otherwise agreed, or the issuing law enforcement agency declares that this would be contrary to the public interest). Arbitration is available where the parties cannot agree on the assessment of costs.

The above is only a general outline of some of the key features of the Bill. Despite voting to approve the Bill, the Labor Party has announced that it will seek to make what it considers necessary amendments on the first sitting day of Parliament next year. We will provide further updates as they become available.


[1] Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, sch 1, s 317.

[2] Parliament of Australia, Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, Bills Digest No. 49 of 2018-19, 3 December 2018, 21.

[3] Ibid 31.

[4] Voluntary requests can cover any other type of assistance.

[5] The term ‘technical information’ is not defined in the Bill, which has led to some industry participants being concerned that it could even include the source code for proprietary software.


Authors

Robert Ceglia

Senior Associate


Tags

Cyber Security; Technology, Media and Telecommunications

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.