Focus: Breaking — Australian Government releases draft decryption legislation
15 August 2018
In brief: The Australian Government has released draft legislation to provide national security and law enforcement agencies with means to access encrypted communications and devices. The draft legislation aims to respond to the increasingly widespread use of encryption by Australian consumers and the challenges this poses for investigative and counter-terrorism activities. The legislation is subject to public consultation until 10 September 2018.
How does it affect you?
- The end of end-to-end encryption? The draft legislation appears to be aimed at providing law enforcement and security agencies with increased powers to conduct investigations via electronic means, while side-stepping the controversy over the creation of 'backdoors' in end-to-end encryption. The legislation expressly provides that a company cannot be required to build systemic weaknesses into its systems.
- What information can be accessed? There is no limitation on the type of information that may be accessed through the new regime, except that it must be for the purpose of helping an agency perform its core functions under the law.
- Whom does it apply to? A wide range of 'designated communications providers', including carriers, carriage service providers, device manufacturers, and software and application providers, will be required to provide assistance to law enforcement and security agencies (where the agency has authority under a warrant). For the first time, authorities will be able to require foreign companies with a nexus to Australia to provide such assistance.
- What can I be compelled to do?
- The Attorney-General will now be able to specify measures that a designated communications provider must take to provide agencies with assistance, including access to communications and devices, provided such measures are reasonable, proportionate, practicable and technically feasible. This may include removing a form of electronic protection (if the company already has the capability to do this), installing or using software provided to the company by an agency, or substituting a service for one provided by another company.
- Under a new system of warrants, law enforcement and security agencies will be able to seek authorisation to access devices and telecommunications facilities remotely in order to collect data as part of their investigations, including from account-based platforms that are associated with those devices, such as Facebook.
- What are the checks and balances? To request or compel cooperation with investigations, law enforcement and security agencies will still be required to obtain a warrant from a judge or an AAT member. The measures that a company can be required to take must be reasonable, proportionate, practicable and technically feasible.
- How can I comment on the draft legislation? The Department of Home Affairs is accepting feedback until 10 September 2018. Comments can be submitted to firstname.lastname@example.org.
On 14 August 2018, the Department of Home Affairs released an exposure draft of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the Bill). The release of the draft Bill follows months of speculation and controversy among Australia's tech community over the potential for security risks and civil rights abuses to occur as a result of national security and law enforcement agencies being able to access encrypted communications and devices.
See Code breakers – Australian Government flags forced decryption reforms for our summary of the controversial debate surrounding this long-mooted reform in Australia (and similar debates overseas).
- obligations on foreign and domestic communications providers, device manufacturers, application providers and others to provide law enforcement and security agencies with access to certain communications and devices;
- a new system of computer access warrants to enable law enforcement to covertly obtain evidence from individual devices, including online accounts such as Facebook; and
- the increased ability for law enforcement and security agencies to overtly access data through the existing system of search and seizure warrants.
Section 313 of the Telecommunications Act 1997 (Cth) currently requires domestic carriers and carriage service providers to provide 'such help as is reasonably necessary' to law enforcement and security agencies. The draft Bill provides a new framework for industry's cooperation with government agencies in respect of section 313.
- Voluntary assistance: Designated communications providers will be able to provide voluntary assistance under a 'technical assistance request' to assist ASIO, ASIS, the ASD and other interception agencies (the Bill also provides protections for providers who do so);
- Mandatory requirement to provide assistance: The Director-General of Security will be able to issue a 'technical assistance notice' requiring a designated communications provider to give assistance where they are already capable of giving assistance that is reasonable, proportionate, practicable and technically feasible. This means that government agencies will be able to require decryption where the provider has existing means to decrypt (ie where communications are not end-to-end encrypted and the provider holds the encryption key themselves); and
- Mandatory requirement to build means of providing access: The Attorney-General will be able to issue a 'technical capability notice' requiring a designated communications provider to build a new capability that will enable them to give access to ASIO and interception agencies, but this cannot require a provider to build or implement a capability to remove electronic protection (such as encryption). The Attorney-General must be satisfied that any requirements on a provider are reasonable, proportionate, practicable and technically feasible, and the provider has 28 days to give feedback on the requirements, which the Attorney-General must take into account.
- Designated communications providers include foreign and domestic communications providers, device manufacturers, component manufacturers, application providers, and traditional carriers and carriage service providers.
The ability of law enforcement and security agencies to access communications and devices as described above will still be dependent on them obtaining a warrant or authorisation from a judge or AAT member under the Telecommunications (Interception and Access) Act 1979 (Cth).
The draft Bill provides a number of other protections, including that the various requests and notices able to now be issued cannot:
- require a provider to build or implement a systemic weakness or vulnerability into a form of electronic protection (likely a response to strong concerns about the risks associated with creating a 'back door' to encrypted communications and devices);
- prevent providers from upgrading or fixing systemic weaknesses in their products; or
- be used to impose data retention of interception capability obligations on providers.
- In addition, the various decision-makers able to issue requests and notices must revoke them if the requirements become unreasonable.
The draft Bill allows Commonwealth, state and territory law enforcement agencies to apply for new computer access warrants under the Surveillance Devices Act 2004 (Cth).
A computer access warrant will enable agencies to search electronic devices and access content on those devices. These warrants are distinct from existing surveillance device warrants, which enable agencies to use software to monitor inputs and outputs from computers and other devices. The new warrants will also authorise the carrying out of concealment activities.
The Bill will also amend the ASIO Act 1979, the Crimes Act 1914 and the Customs Act 1901 to:
- enable ASIO to:
- intercept communications for the purpose of executing a computer access warrant;
- temporarily remove and return a computer or thing from a premises for the purpose of executing a warrant; and
- conceal its access to a computer following expiry of the warrant;
- enable criminal law enforcement agencies to remotely collect evidence from electronic devices and telecommunications facility, including 'account-based data' from online platforms associated with or accessed through those devices or facilities, under an overt warrant, rather than having to physically attend the relevant premises. Presently, the Crimes Act only allows overt search warrants to be issued for the purpose of searching computers; and
- enable the Australian Border Force to collect evidence from seized computers or other data storage devices, under a warrant.
The Department of Home Affairs is accepting feedback on the draft Bill until 10 September 2018. Comments can be submitted to email@example.com.·
Further information, including copies of the draft Bill and a detailed explanatory document, is available here.
- Valeska BlochPartner,
Ph: +61 2 9230 4030
- Gavin SmithPartner, Sector Leader, Technology, Media & Telecommunications,
Ph: +61 2 9230 4891
- Ian McGillPartner,
Ph: +61 2 9230 4893
- Michael MorrisPartner,
Ph: +61 7 3334 3279
- Michael ParkPartner,
Ph: +61 3 9613 8331
You can leave a comment on this publication below. Please note, we are not able to provide specific legal advice in this forum. If you would like advice relating to this topic, contact one of the authors directly. Please do not include links to websites or your comment may not be published.