Assistance and Access Act, December 2018 - Uncertainty created by new rushed-in data encryption laws

On 6 December 2018, the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Cth) (the Act) was rushed through both houses of Federal Parliament without amendment and received royal assent on 8 December.

According to its Explanatory Memorandum, the Act is intended to 'introduce measures to better deal with the challenges posed by ubiquitous encryption'. It amends primarily the existing Telecommunications Act 1997 to establish frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies in relation to encryption technologies, via the issuing of technical assistance requests, technical assistance notices and technical capability notices. It also amends a host of other Criminal Code and Crimes legislation providing new and additional powers to national intelligence agencies, including the Australian Border Force, in relation to the use of existing computer and data access warrants and powers, a crackdown on whistle-blowers, as well as increased penalties for non-compliance (up to $10 million per offence in many cases).

The Act has been subject to immense public scrutiny and backlash, in particular from the Australian technology sector, due to the holy grail of uncertainty surrounding the obligations that these new, rushed-in, powers impose on communications providers to assist national security and law enforcement agencies in intelligence gathering. Of particular public concern is the issue raised that law enforcement agencies will be allowed to directly intercept messages sent through end-to-end encryption under technical assistance and capability notices, affecting tools used by companies such as Google, WhatsApp, Apple iMessage, and Telegram (who have all publically denounced the Act).

A technical capability notice issued under the Act mandatorily requires designated communications providers (ranging from global carriers to OTT messaging providers) to do one or more specified 'acts or things' necessary to assist agencies. While there is some caveat in the language used that the notice must be 'reasonable, proportionate, practicable, and technically feasible', there is no certainty as to the limits placed on these 'acts or things'. It may require, for example, spyware to be hidden in a software or hardware update to target a particular device or user subject to a warrant or Australian Security Intelligence Organisation (ASIO) investigation. There is also uncertainty as to the scope of technical characteristics of provider systems that must be disclosed to law enforcement authorities under technical assistance requests and notices, as well the nature of software installation and new systems designs that may be required to be built under the Act to allow the collection of information and data.

Whilst the Department of Home Affairs and regulators are at pains to say that the Act does not introduce equivalent 'back door' compelling powers, relying no doubt in part on the Act's proviso that a communications provider will not be 'requested or required' to implement or build a systemic weakness or systemic vulnerability into any form of electronic protection, the use of sweeping and unclear language, as well as ill-defined terms, in the legislation, has fuelled outcry as to the future impact and implementation of the new laws.

Further, the increased $10 million fines have also received criticism as being sufficiently serious to warrant attention by all providers acting in this space. With no de minimus or other threshold for small and medium sized enterprises, the start-up community in particular has fired back that the legislation places them at a significant disadvantage compared to the larger providers and will detrimentally impact future investment in innovation in the technology sector in Australia.

Lessons from the UK?

The scope of access provided for in the Act is modelled on, and appears to have taken lesson from, the similarly focused UK Investigatory Powers Act 2016 (the UK Act), which, earlier in 2018, was found to be inconsistent with European Union law by the UK High Court. The UK Act was subsequently amended but is currently in a sea of controversy, not least due to its siloed approach to the EU General Data Protection Regulation (GDPR), and is due to face further legal challenges this year.

Legislators here have tried to take on board some of the more thorny issues faced by challenges to the UK Act (including in relation to data retention periods and oversight powers on technical capability notices). However, the rushed-in nature of the Act and its vague and uncertain language leaves it open as to how successful the legislators actually were.

Further, as the Act applies to systems 'with an Australia presence', including to a broader range of providers than are presently captured by the Telecommunications Act (including manufacturers of components either for use, or even 'likely to be used', in Australia), there is widespread concern of the wider impact to the Australian technology industry. Many denounce that there is real potential for foreign customers and investors to be dissuaded from doing business with Australia based on the widening of this scope as well as the uncertainty and vulnerabilities created by the Act. This is especially problematic for companies selling to the EU, who must also comply with the onerous obligations imposed on data retention, security and transfers, at least, under the EU GDPR. It is particularly unclear how this Act will operate alongside the obligations imposed by the GDPR and the extent to which legislators considered these issues, if at all.

The Parliamentary Joint Committee on Intelligence and Security has said it will continue to scrutinise the legislation even though it has been passed into law, and will recommend amendments if necessary. However, at the earliest, amendments will not be considered until mid-February 2019.