The controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 was introduced in the Australian Parliament on 20 September 2018 and immediately sent to the Parliamentary Joint Committee on Intelligence and Security for further consideration.
This article looks at the key provisions of the Bill and its potential future.
What are the key requirements of the proposed legislation?
The Bill provides for three new law enforcement tools, Technical Assistance Requests (TARs), Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs).
- TARs: TARs request voluntary assistance to be provided by designated communications providers
- TANs: TANs are compulsory and require the recipient designated communications provider to provide assistance if its current capabilities allow it to do so and the assistance is reasonable, proportionate, practicable and technically feasible. A TAN cannot require a provider to build a capability or functionality that the recipient does not already possess
- TCNs: TCNs are also compulsory. Again, the required assistance must be reasonable, proportionate, practicable and technically feasible. However, a recipient may need to build a capability or functionality to provide the assistance.
These requests and notices may only be issued in limited circumstances, for example in connection with the enforcement of criminal laws (including in some cases criminal laws of other countries) or the protection of Australia’s national security. The type of assistance that may be requested or required includes (but is not limited to) removing electronic protections applied by the designated communications provider, providing technical information, assisting access to devices or services and installing software or equipment (or assisting with this).
The tools may only be used by specified agencies, though the category of eligible agencies is slightly broader in the case of TARs and only the Attorney-General, at the request of a relevant agency, is able to issue a TCN. Costs for compliance are recoverable.
The Bill does not provide law enforcement and national security agencies with new powers under Australia’s Telecommunications (Interception and Access) Act 1979 to intercept or access the content of communications such as emails or other electronic messages. The Bill does however create a new computer access warrant regime, under which specified agencies investigating particular offences may apply for warrants to search electronic devices and access content on those devices covertly. The Bill also provides for enhanced powers to require assistance in obtaining information from devices in relation to other types of warrants.
Who could be subject to the requirements of the proposed legislation?
'Designated communications providers' will be subject to the new requests and notices regime. This covers a broad range of companies – telecommunications service providers, software and app providers and device manufacturers will all be covered. In other words, the legislation goes well beyond the categories of phone and internet service providers who are traditionally called upon to assist law enforcement agencies in providing access to communications. Designated communications providers will cover most companies operating in some way in the areas of communications services or technology.
The 'Australian link' required for such companies to be regulated is generally that their products or services are used or likely to be used in Australia. This requirement has been criticised, given that it - in theory at least - would subject companies to the operation of the legislation even if those companies do not have a presence in Australia, had not intended that their products or services would be used in Australia and even if very few Australians use, or may consider using, those products and services.
What legal issues does the Bill raise?
Although there are a number of legal issues that are raised by the Bill (including what sort of independent oversight of Australia’s law enforcement and national security agencies is appropriate), the primary legal issue is privacy. On the one hand, you have the Government (supported by law enforcement and national security agencies) strongly arguing that this legislation is necessary. For example, at a recent hearing held by the Parliamentary Joint Committee on Intelligence and Security, representatives of the Australian Security Intelligence Organisation (ASIO) and the Australian Federal Police spoke of the fact that currently those agencies cannot access encrypted material, notwithstanding the widespread use of encryption, and that there is a need to modernise Australia’s legislation to allow law enforcement and national security agencies to protect the Australian community in the digital age.
But, on the other hand, there is the question of whether this legislation goes too far in providing rights to law enforcement and national security agencies that will undermine the use of encryption to protect the privacy of the communications of ordinary Australians. The Government points to the fact that the Bill expressly provides that the new tools cannot require any regulated company to create a so called ‘backdoor’ or systemic weakness in a communications system and therefore there should not be any weakening of protections for the legitimate communications of Australians. Critics of the Bill argue that the Bill does not do enough to ensure that backdoors into systems are not created which will then be able to be exploited by criminals and others to the detriment of Australians. On that view, any weakness in an encryption system – even if not systemic – has the potential to be exploited by ‘bad actors’ in breach of the legitimate expectations of privacy of Australians.
Irrespective of whether this has been the intention of interested stakeholders in commenting on the proposed Bill, the Bill has provided an opportunity to shine a spotlight generally on the amount of personal data that is able to be collected about Australians through their electronic communications and other online activity. It is not only law enforcement and national security agencies that seek to access personal information about Australians by online surveillance. Private companies are also very interested in collecting information in this way and do so via a myriad of tools, including cookies, location tracking and similar. When the question is asked what personal information Government agencies should be able to access it is also legitimate to ask what personal information should be able to be collected by private companies, including to use for advertising related purposes. That substantial amounts of personal information is already collected from online activity often comes as a surprise to many people.
Next steps for the Bill
The Parliamentary Joint Committee will be holding further public hearings on the Bill on 16, 27 and 30 November 2018. There are only a handful of Parliamentary sitting days in 2018 following the last public hearing. Therefore, practically speaking, the Bill (with or without amendments) could not be passed in 2018. A federal election is due in the first half of 2019. It is therefore not clear whether Parliament will have an opportunity to debate the Bill before that election. The Australian Labor Party has indicated concerns with the haste with which the Bill has been progressed by the Government, noting the Bill was introduced to Parliament less than two weeks after consultation had closed on an exposure draft of the Bill, This suggests that only limited consideration was given to submissions received on that exposure draft. Accordingly, although Australia’s main political parties typically adopt a bipartisan approach on national security issues, the timing for the passage of the Bill seems to be very uncertain.