
Australia’s security monitor recommends changes to controversial ‘anti-encryption’ legislation

In December 2018, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (TOLA Act) was enacted. An omnibus Act, the legislation included amendments to the Telecommunications Act 1997 (Cth) (Telecommunications Act), granting new powers for law enforcement and intelligence agencies to obtain information and industry assistance from Designated Communications Providers (Providers).

There has been polarising commentary on the TOLA Act, with it being dubbed as Australia’s ‘anti‑encryption law’. On the one hand, concerns have been raised over the ‘serious threats’ that the TOLA Act poses to ‘cybersecurity, privacy and freedom of expression in Australia and around the world’,[1] and on the other, the view that ‘the true danger is the thing the TOLA Act seeks to prevent: terrorists, paedophiles and other criminals communicating in secret, without law enforcement and security agencies being able to ‘crack their code’’.[2] 

In March 2019, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) requested that the Independent National Security Legislation Monitor (INSLM), Dr James Renwick SC, review the TOLA Act. The INSLM was required to report on whether the TOLA Act:

  • contains appropriate safeguards for protecting the rights of individuals;

  • remains proportionate to any threat of terrorism or threat to national security, or both; and

  • remains necessary.[3]

The INSLM report was submitted to the Attorney-General on 30 June 2020 and publicly released in a 316-page report last week.[4] A key recommendation was that the process to authorise compulsory orders must be made by a technically informed decision-maker who was independent of the Government agency that would utilise the power once granted. This was considered to be a missing factor to ensure proportionality and human rights protection in both perception and practice. To ensure this independence, the INSLM recommended the power be removed from the agency and the Attorney‑General and vested in an Investigatory Powers Commissioner (IPC) within the Administrative Appeals Tribunal (AAT).

A quick revisit of the powers under the TOLA Act

The TOLA Act introduced three types of industry assistance powers, differing in their coercive nature. As we have covered in a previous article, the primary powers can be summarised as follows:

Technical Assistance Request (TAR)

  • A voluntary request for a communications provider to assist the Australian Security Intelligence Organisation (ASIO), Australian Secret Intelligence Service (ASIS), Australian Signals Directorate (ASD) or an interception agency.[5]
  • The Provider may use its existing capabilities or build a new capability.

Technical Assistance Notice (TAN)

  • A compulsory notice requiring the communications provider to assist ASIO or an interception agency.
  • The assistance is limited to the use of the Provider’s existing capabilities; a TAN cannot be used to require the Provider to build a capability it does not have.

Technical Capability Notice (TCN)

  • A compulsory notice, issued by the Attorney‑General, requiring the communications provider to build a new capability. Once built, ASIO or an interception agency can seek assistance using that capability under an issued TAN.

Broadly applied, a request or notice can be issued to a Provider, which includes any company, business or person who contributes to the communications supply chain in Australia. A website owner, for example, could be bound by the TOLA Act. Non‑compliance may result in civil penalties of approximately A$10 million for a corporation and $50,000 for an individual.[6]

The INSLM’s recommendations for change

The INSLM largely accepted as valid the following three key criticisms of the TOLA Act:[7]

  • the absence of independent authorisation for the compulsory notices (TANs and TCNs);

  • the inadequacy in the definitions of some key technical terms; and

  • the absence of independent technical assessment of proposed notices.

The 12 key recommendations for change were as follows:

Recommendation 1 – Expansion of powers to integrity agencies

Currently, the power to issue a request or notice is limited to intelligence and interception agencies and the Attorney-General. However, integrity and anti‑corruption agencies ‘face the same challenges in fulfilling their mandate as a consequence of the growth in encryption of communications as do police’.[8] As these agencies are already empowered to exercise various investigative powers under other legislative schemes (e.g. the power to make requests under s 313 of the Telecommunications Act), the INSLM recommended that the reach of the TOLA Act be extended to integrity and anti‑corruption agencies.[9] This will include the Commonwealth Integrity Commission, if it is subsequently established.

Recommendation 2 – No change to Technical Assistance Requests

As a TAR is not a coercive instrument, the INSLM did not recommend any changes to the existing TAR arrangements, except for the use of a prescribed form.[10]

Recommendation 3 – Changing the authorisation for compulsory notices

The report noted the near unanimous concern from non-Government stakeholders over a lack of an independent authorisation process for TANs and TCNs. The INSLM did not accept the Government’s submission that effective and sufficient oversight mechanisms existed. Rather, the INSLM considered that the authorisation of coercive statutory powers without independent review must only occur in exceptional and justified circumstances. 

As the INSLM considered, ‘[a]ny scheme involving the use of coercive statutory powers must ensure that it has the necessary checks and balances to ensure not only that correct and lawful decisions are made but also that they are seen to be made’.[11] The INSLM highlighted the importance of instilling and inspiring trust in the community for the decisions that are made.

The INSLM recommended that TANs and TCNs should be authorised by a body with access to technical advice that is independent of the issuing agency or the Attorney‑General. Accordingly, the INSLM recommended that the power to issue a compulsory notice vest in the AAT and be assigned to a newly created Investigatory Powers Division (IPD).

Recommendations 4 to 6 – Establishment of the Investigatory Powers Division and Investigatory Powers Commissioner

The INSLM recommended the creation of a new IPD within the AAT with powers and procedures that build on the existing Security Division.[12] The IPD would use existing AAT powers, conduct private hearings and alternative dispute resolution, receive submissions from both the agency and the Provider, possess the expertise to resolve technical questions and ultimately determine whether a TAN or TCN should be issued. 

The IPD is conceptually based on the United Kingdom’s Investigatory Powers Commissioner’s Office, although differences exist.

The INSLM recommended that the IPD be comprised of an IPC and other eminent lawyers and technical experts as needed. The IPC should be a retired Federal or Supreme Court judge. Importantly, the INSLM found that the power to determine a TAN or TCN should be vested in the AAT as a statutory body rather than in a court, as there are fundamental difficulties in vesting such a function in a court. These difficulties arise principally from the public nature of court hearings, which makes it difficult to limit access to a Provider’s highly sensitive commercial‑in‑confidence information and to the secret and operational information of the Government.[13]

Recommendation 7 – Definitions of ‘serious Australian offence’ and ‘serious foreign offence’

The industry assistance powers introduced by the TOLA Act may be exercised in relation to a ‘serious Australian offence’ or a ‘serious foreign offence’. Under the Telecommunications Act, a serious Australian or foreign offence is one punishable by a maximum term of imprisonment of at least three years, or for life.[14] The INSLM found that this three‑year threshold captures a range of less serious offences, rather than only the offences for which the industry assistance powers were sought to be made available (e.g. terrorism and child sex offences).[15]

The INSLM recommended that the threshold be aligned to s 5D of the Telecommunications (Interception and Access) Act 1979 (Cth), under which a serious offence is an offence on a prescribed list, an offence punishable by life imprisonment, or an offence carrying a maximum term of at least seven years’ imprisonment.

Recommendations 8 to 10 – Amendments to key definitions including ‘systemic weakness’ 

Arguably, one of the most controversial and publicly debated aspects of the TOLA Act is that a request or compulsory order must not have the effect of:

  • requesting or requiring a Provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection; or

  • preventing a Provider from rectifying a systemic weakness, or a systemic vulnerability, in a form of electronic protection.[16]

What is allowed is for a weakness or vulnerability to be introduced to a ‘target technology’ that only affects an individual person (e.g. perhaps by way of introducing a security flaw in a mobile phone application that affects one user only). The provisions have been criticised for lack of clarity, breadth and practical application, and for potentially requiring subjective or arbitrary application. 

The INSLM recommended a number of changes including:

  • removing the definition of ‘systemic vulnerability’, as the term was not conceptually different from ‘systemic weakness’;

  • clarifying the definition of a ‘target technology’ through the use of non‑exhaustive statutory examples of what is included (e.g. a particular device or mobile number for one target only) and what is to be excluded;

  • amending the definition of ‘systemic weakness’ to bring it in line with the submissions received from industry;

  • amending other key definitions; and

  • where a weakness is selectively introduced, re-drafting the provision relating to limitations with a focus towards an assessment of material risk. 

Recommendation 11 – Removal of reference to a natural person 

The INSLM recommended that the definition of a Provider should not be taken to include a natural person who is an employee of the Provider. This removes the scenario in which an individual employee could be issued a notice personally, which may limit certain protections. The INSLM made it clear that the definition should extend to a natural person only where that person is a sole trader.

Recommendation 12 – Reduced role for the Australian Federal Police 

Presently under the TOLA Act, the AFP Commissioner must approve a TAN that is requested by the police force of a State or Territory.[17] The INSLM has recommended that AFP approval no longer be required.

What happens next?

Following the release of the report, the Attorney-General acknowledged the work of the INSLM and confirmed that the Government will carefully review the report’s recommendations and the outcome of a PJCIS review which is due in September 2020.[18] 

Although it is not likely that the Government will move to amend the TOLA Act prior to September 2020, some of the controversial aspects of the TOLA Act in its present form may inhibit the Government’s ability to enter into a bilateral executive agreement with the United States under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). Australia’s intention to enter into such an agreement is reflected in the recent introduction of the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (Cth).

There is also a private member’s bill, the Telecommunications Amendment (Repairing Assistance and Access) Bill 2019 (Cth), introduced by Senator the Hon Kristina Keneally. The Bill proposes a number of amendments to the TOLA Act, many of which align with those proposed in the INSLM report. The Bill has been before the Senate since December 2019.

Subject to the changes it recommended, the INSLM review ultimately concluded that the TOLA Act is, or is likely to be, necessary, proportionate to the security threat faced, and to afford proper protection for human rights.[19] On this basis, and with the Attorney‑General reiterating the criticality of the TOLA Act to the protection of Australia’s national security,[20] we suspect that the TOLA Act is likely to remain for the long haul.


[1] Human Rights Watch, International Civil Liberties and Technology Coalition Comments on the PJCIS Review of the Assistance and Access Act, 2018.
[2] Australian Signals Directorate, Director‑General ASD statement regarding the TOLA Act 2018.
[3] Independent National Security Legislation Monitor, Review and Report of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018.
[4] The full report is available from the INSLM.
[5] An interception agency is the Australian Federal Police (AFP), the Australian Criminal Intelligence Commission (ACIC) or a State or Territory police force.
[6] A notice to an individual occurs in the context of a sole trader and not to the employees of a corporation.
[7] Independent National Security Legislation Monitor, Parliament of Australia, A Report Concerning the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (2020) (Report on the TOLA Act) [1.24].
[8] Ibid [10.49].
[9] Ibid [10.44], [10.49].
[10] Ibid [1.64], recommendation 2.
[11] Ibid [10.9].
[12] Ibid [11.1].
[13] Ibid [11.9].
[14] Telecommunications Act s 317B.
[15] Report on the TOLA Act [12.33] – [12.35].
[16] TOLA Act s 317ZG(1).
[17] Ibid s 317LA.
[18] Attorney‑General for Australia and Minister for Industrial Relations, ‘Independent National Security Legislation Monitor Report tabled’ (Media Release, 9 July 2020).
[19] Report on the TOLA Act [1.4] – [1.6].
[20] Attorney‑General for Australia and Minister for Industrial Relations, above n 18.


Authors

Phillip Magness

Lawyer and National Forensic Technology Manager


Tags

Technology Cyber Security Data Privacy

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.