
Privacy Tracker | Australia's first-in-the-world 'decryption' laws will impact tech providers globally

Amid controversy and political maneuvering, the Australian Parliament passed the Telecommunications and Other Amendments (Assistance and Access) Act 2018 (Cth) less than three months after its introduction, without opposition, at the end of parliamentary sittings for the year. The act amends the Telecommunications Act 1997 (Cth) by inserting new provisions in Section 317, together with consequential supporting amendments to other laws.

What is the purpose of the act?

Law enforcement, security and intelligence agencies globally (particularly those in the Five Eyes network) have been grappling with the challenge of gaining access to electronic messages that are increasingly encrypted, particularly when attempting to detect and prevent terrorist activities. It is a challenge that Australian agencies say they will now be able to address more readily following the introduction of the "decryption" laws by the act. The act allows these agencies, comprising the Australian Security and Intelligence Organisation, the Australian Secret Intelligence Service, the Australian Signals Directorate and police, to request help from "designated communications providers" (DCPs) through a framework for voluntary and mandatory industry assistance in relation to encryption technologies, operating alongside warrants.

How will the framework operate?

The act establishes three mechanisms by which these agencies can issue notices to DCPs in connection with their activities aimed at enforcing criminal law (including in a foreign country), or protecting Australia's national security, foreign relations interests or the national economic well-being. These mechanisms are:

  • Technical Assistance Requests (s317G, TA): a voluntary request to assist agencies by taking a potentially broad range of actions to enable an agency to access an encrypted communication, including removing electronic protections that were applied by or on behalf of the provider, providing technical information about software or equipment, and facilitating an agency's access to the provider's facility, software or equipment (the "listed activities").
  • Technical Assistance Notices (s317L, TA): a mandatory request to assist agencies to undertake a listed activity.
  • Technical Capability Notices (s317T, TA): a mandatory request to build capability or functionality to enable the agency to undertake a listed activity.

Access may be via use of a password, push technology or a standing request. The framework depends on amendments that also need to be made to other laws, for example to:

  • Ensure DCPs are not subject to criminal computer offenses when complying with a request or notice.
  • Make certain decisions made under the new laws are not subject to judicial review in the courts.
  • Give law enforcement agencies additional powers in their use of existing computer access powers and in the collection of evidence from electronic devices.
  • Increase penalties for not complying with orders from a judicial officer requiring assistance in accessing electronic devices where a warrant is in force.
  • Increase the period during which an electronic device found while executing a warrant can be moved to another place for analysis from 14 days to 30 days.

Who is affected?

DCPs are defined broadly (in s317C of the TA) and could include any communications or device provider globally in respect of services or devices that have an Australian user or, in certain cases, customer equipment in Australia. This includes the following providers, both in Australia and globally:

  • Carriage service providers and intermediaries.
  • Equipment vendors.
  • Smartphone and other device or related equipment manufacturers.
  • Software, data processing and other electronic services vendors.

Any DCP could receive a request or notice. Non-compliance with a mandatory notice could result in a penalty order being issued against a provider in the order of $10m (s317ZA, TA).

Security and privacy concerns

The Minister for Home Affairs called on Parliament to expedite its consideration of the act, so that the laws could be passed before the festive period, when there is traditionally an increased threat of terrorist activity. However, despite some attempt to include greater protections and independent oversight in relation to the operation of the laws, significant concerns remain about the lack of due consideration given to the bill, including the flow-on effect of reduced security of technology systems and the further erosion of Australian users' privacy.

In submissions made both on the exposure draft laws and to the parliamentary committee that considered the bill, technology industry experts were highly critical of the proposed laws. Their concern was that, by forcing providers to build the capability to overcome encryption, the outcome would be weaker technology systems overall, because the existence of such capabilities would alert malicious actors to the ways in which these security features can be overcome.

Privacy experts and regulators also made submissions about the law's impact on the privacy of Australians, particularly those whose communications could be accessed by government agencies without a proper basis or without independent oversight of the circumstances in which these notices could be issued. However, in the absence of a nationally recognised individual right to privacy or a common law tort of invasion of privacy in Australia, the only limitations that can be placed on the exercise of these powers by the relevant agencies are the statutory limitations within the act itself.

How have these concerns been addressed in the act?

Some of the ways Parliament has sought to deal with the security and privacy issues include introducing:

  • A requirement for an issuing agency to consult with a provider about what is technically feasible before issuing a mandatory notice (ss317P and 317WA, TA).
  • A requirement that the person deciding whether to issue a technical assistance request or technical assistance notice must have regard to (amongst other things) the following, as well as the interests of national security and law enforcement (ss317JC and 317RA, TA):
    • Whether the request or notice is reasonable and proportionate, and whether compliance is practical and technically feasible.
    • The legitimate interests of the provider.
    • The availability of other means to achieve the objectives of the request.
    • Whether the request or notice is necessary.
    • Whether the request or notice is the least intrusive form of assistance, so far as people whose activities are not of interest to the relevant agency are concerned.
  • A limitation that a request or notice must not have the effect of requesting or requiring a provider to implement or build (or be prevented from rectifying) a systemic weakness or a systemic vulnerability in a form of electronic protection (s317ZG, TA).
  • The ability for a provider to request that the Attorney-General appoint two independent people to assess whether a technical capability notice should be issued (s317WA, TA).
  • Greater oversight of technical capability notices, which requires the Minister for Home Affairs to give prior approval before a notice is issued (s317TAAA, TA).

Despite these measures, industry criticism remains.

Costs of compliance

Providers who could receive one of these notices have also expressed concern that the cost of responding to requests or notices could be substantial, particularly if the provider is required to build new capability. The act provides that costs of compliance are recoverable on a no-profit-no-loss basis. Providers may also be able to enter into commercial terms for the provision of assistance. However, those with more limited resources may well find that the cost of providing services in Australia is not viable, particularly if they are caught simply because they offer an app on a global store. The people who would feel the greatest impact of this are Australians who could no longer access and use these apps or technology.

What's next?

Although the act has passed, the ALP opposition agreed to the passage of the laws on the proviso that there would be further debate and amendments once Parliament resumes in 2019. There will also be a review of the new laws undertaken by the Parliamentary Committee of Inquiry. However, now that Australia has taken this significant step, it is difficult to see how the fundamental access concepts in the act could be unwound in future.

Photo credit: filipecastilhos, "Sydney Harbour", via photopin (license).
