Since its passing on 9 December 2018, controversy has tainted the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, primarily centring on the need to balance national security concerns and the right to privacy. Put forward by the Department of Home Affairs, the bill was proposed to keep pace with the increasing use of encrypted communications. It was designed to help law enforcement and intelligence agencies combat serious crimes, with an emphasis on “terrorism”. In fulfilling its design, it amends several statutes, all with the aim of empowering these agencies to access encrypted electronic devices that would be considered “private”. The amendments further seek to protect law enforcement and intelligence agencies, as well as providers, from legal action. For the agencies, this is done through amending the Administrative Decisions (Judicial Review) Act 1977 to ensure that the actions carried out under the new legislation are not subject to judicial review. For those assisting law enforcement agencies, the Criminal Code Act 1995 is amended to offer protection from criminal liability, provided the conduct is consistent with the requests.
While the effect of this legislation has the potential to ripple outwards, it primarily concerns ‘designated communications providers’, which include carriers, carriage service providers, device manufacturers, and software and application providers. Thus, virtually all electronic communications will be open to scrutiny, as there does not appear to be a reason to exclude device or carriage service suppliers.
The core purpose of this legislation is to create a new scheme that regulates communication providers while allowing them to voluntarily assist intelligence and law enforcement agencies. Yet the legislation empowers these agencies to compel providers to grant them access to encrypted data. There are three mechanisms by which this can occur:
- Technical assistance requests;
- Technical assistance notices; or
- Technical capability notices.
While the first is a voluntary action, the latter two are mandatory notices; if a communication provider does not comply with a notice, civil penalty provisions apply (with penalties up to $9,999,990).
Both technical assistance requests and technical assistance notices involve law enforcement and intelligence agencies asking or compelling communications providers to assist them in accessing encrypted data where they are already capable of such assistance. Technical capability notices, however, involve these agencies compelling communications providers to create a new capability that gives the law enforcement and intelligence agencies access. The latter is the most controversial, and as such involves a few caveats, one being that the notice cannot require the provider to construct a capability that removes electronic protection. In other words, law enforcement and intelligence agencies cannot compel companies to create a built-in ‘backdoor’ to their system.
Additionally, technical assistance notices and technical capability notices can only be issued if:
- it is in the interests of national security; or
- it is for the enforcement of criminal law for serious Australian or foreign offences.
Technical assistance requests can be issued for these reasons and to protect Australia’s national economic wellbeing.
Moreover, any request or notice can only be issued if:
- the requirements proposed are reasonable and proportionate;
- it is practicable to comply; and
- it is technically feasible to comply.
Even with the accountability mechanisms described above, concerns still exist about the powers granted to government officials. Scattered throughout the legislation are provisions that enable law enforcement and intelligence agencies to bypass the restrictions “if not practicable”. For example, before issuing technical capability notices it is necessary to provide a written consultation notice to the communication provider, informing them of the proposed notice and inviting them to make submissions to alter the notice. This period must run for at least 28 days. However, section 317W(3) allows this period of consultation to be ignored if it is impractical or if the Attorney-General is ‘satisfied that the technical capability notice should be given as a matter of urgency’.
Ultimately, this newly passed legislation alters the landscape of Australian cyber security. With more changes potentially on the horizon, it would be prudent for those specifically targeted by these changes to understand their obligations.
What it means for us is that we have more reason to remain vigilant as to what, politically, passes for our “national interest”, and also that we have a means of monitoring potentially corrupt access and use of not only these powers but the information that is revealed.