The Government’s contentious encryption legislation (Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth)) (‘the Act’) passed both houses of Parliament late Thursday (6 December), the last Parliamentary sitting day of 2018. The Act commenced on 9 December.
The legislation, first telegraphed in June 2017, is intended to provide government authorities (being ASIO and Federal, State and Territory law enforcement, but not including anti-corruption bodies) with greater powers to intercept and monitor electronic communications, in particular, those communications that are protected by encryption (such as WhatsApp, Telegram and Signal).
A draft bill was released in mid-August and introduced into Parliament on 20 September. A review undertaken by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) was prematurely concluded on the request of the Minister for Home Affairs, but produced 17 recommendations on the basis of 105 submission and several public hearings.
The Opposition granted the legislation passage (agreeing to the 173 amendments the Government had proposed) on a handshake agreement that its own amendments would be considered when Parliament resumes in 2019. Those amendments include a further review of the operation of the Act by the PJCIS, the re-wording of several key definitions and the omission of others (such as ‘systemic vulnerability’ and ‘systemic weakness’).
The most significant aspect of the new law is the power granted to Australian government agencies to issue a range of notices (with confusing similar acronyms) requiring designated communication providers to undertake particular action regarding the security of their services. These notices are:
- Technical Assistance Notice (TAN) – the power to access existing decryption capabilities of communications providers;
- Technical Assistance Request (TAR) – a request that a communications provider provide voluntary assistance to the government agency; and
- Technical Capability Notice (TCN) – the most controversial of the new powers, which mandates that a communications provider establish new capability to intercept and decrypt communications that would otherwise be encrypted.
Notices issued under the Act can specify the timing with which compliance is required, the means by which a communication provider must comply as well as the outcomes required in order for a communications provider to satisfy their obligations under the new law.
In issuing notices, the Act requires the issuer to consider whether the requirements outlined in the notice are ‘reasonable and proportionate’ in light of national security interests, the interests of law enforcement, the expectations of the community with respect to privacy and cybersecurity and the availability of other means of achieving the intended outcome, among other considerations.
Much of the consternation around the Act concerns an exception to the obligation to comply with the notices issued under the Act where compliance with the request would result in a ‘systemic weakness’ or ‘systemic vulnerability’ to a communication provider’s systems.
Definitions of ‘systemic weakness’ and ‘systemic vulnerability’ were late inclusions in the Act and formed part of the 173 amendments agreed to in ensuring the passage of the legislation. The definitions provide that a weakness or vulnerability is systemic where it affects ‘a whole class of technology’, but not where a weakness or vulnerability is ‘selectively introduced to one or more target technologies that are connected with a particular person’.
On the face of the Act, it is unclear how these concepts are to be applied in practice and what protection, if any, they will provide to communications providers as well as individuals that are not the subject of investigation by law enforcement. This has been a key complaint raised by critics of the Act, as reflected both in the recommendation of the PJCIS to clarify the meaning of the term and in the Opposition’s preference that the current definition be omitted, and replaced with a provision stating that any new decryption capability, any action to make an existing authentication or encryption method less effective, or any action that would create a material risk that information may be compromised are not permitted, as set out in its proposed amendments.
Directed at terrorism and child abuse material only?
While much of the public debate surrounding the Act has focused on the need for these new powers to combat terrorism and child abuse, the powers granted under the Act may be used in respect of any “serious Australian offence”, being any offence that is punishable by a maximum term of imprisonment of 3 years or more.
This 3 year threshold captures many other types of offences, which most people would not class in the same seriousness as terrorism or child abuse, including many types of assault, sexual offences, public order offences, property offences, telecommunications offences and others. The law also extends to ‘serious foreign offences’ where seriousness is determined by the maximum penalty that may be imposed under the foreign law.
Civil penalties apply for a failure to comply with notices and may range up to $10m for body corporates. The Act also provides for enforceable undertakings and injunctive relief in the case of non-compliance.
Computer Access Warrants (covert)
The Act also amends a variety of legislation, including the Crimes Act 1914 (Cth) and the Surveillance Devices Act 2004 (Cth), to permit Commonwealth and state law enforcement to issue, and collect evidence under, a ‘computer access warrant’ – which allow the government agency to covertly seize and access information. These warrants were previously only available to ASIO.
A Judge or AAT Member must find that there are reasonable grounds for the suspicion giving rise to the application for the warrant and consider the application in light of the value of the information that law enforcement hopes to gain access to and the impact on the privacy of an individual, among other considerations.
While the legislation passed comfortably with the support of the Opposition, many of the concerns that characterised the debate over the Act remain unresolved.
The Government has agreed in principle to facilitate consideration of amendments to the Act in the new year, particularly those that are consistent with the recommendations of the PJCIS and given the tight timeline for consideration of the legislation, and the wide range of stakeholder concerns it is possible that the Act will be subject to further revisions.