Last week, Australia’s parliament passed a controversial act that will enable law enforcement and intelligence agencies to compel access to encrypted communications. In an explanatory memorandum, the Australian Parliament stated that the new act, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, is intended to combat “the challenges posed by ubiquitous encryption.” Under the act, certain law enforcement and intelligence agencies will be able to approach “designated communication providers,” using one of the mechanisms below, for the purpose of gaining access to specific users’ encrypted messages and data.
- Technical Assistance Requests (TARs) – These are voluntary requests that allow law enforcement and intelligence agencies to request access to communications and data while bypassing the oversight rules surrounding mandatory notices. TARs may be issued by the directors-general of the Australian Security and Intelligence Organization (ASIO), the Australian Secret Intelligence Service (ASIS), or the Australian Signals Directorate (ASD), or by the chief officer of an “interception agency,” which includes the Australian Federal Police (AFP), the Australian Crime Commission (ACC), and the state and territory police forces, provided that they obtain the approval of the AFP commissioner.
- Technical Assistance Notices (TANs) – These are compulsory notices requiring a “designated communication provider” to use existing interception or decryption capabilities to provide access to communications or user logs. TANs can be obtained only by the director-general of the ASIO or the chief officer of an interception agency.
- Technical Capability Notices (TCNs) – These are compulsory notices requiring designated communication providers to build infrastructure to meet subsequent TANs. TCNs may be issued only by the attorney general, with the approval of the minister for communications, following a request from the ASIO or the chief officer of an interception agency, and require written notice to the communication provider, allowing them the opportunity to respond within 28 days.
The new act allows these agencies to directly approach specific individuals, such as engineers or IT administrators at an organization, rather than the organization itself. Companies that resist the demands could face a fine of up to $7.3 million, while individuals who refuse could face jail time.
The Assistance and Access Act has faced a variety of criticism from privacy and security watchdogs, as well as the tech industry. Security experts argue that creating encryption “backdoors” for law enforcement weakens the security of a device or software by introducing vulnerabilities that can eventually be exploited by criminals or other nefarious parties, which affects the privacy and security of all users. The act attempts to account for these criticisms by including a provision stating, “Designated communications provider must not be requested or required to implement or build a systemic weakness or systemic vulnerability.” However, the definition of a systemic vulnerability is limited to a “vulnerability that affects a whole class of technology,” and includes a carve-out for “a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person.”
In addition to the broader security issues implicated, the act has also been blasted for its vague and overbroad applications. While the bill was ostensibly introduced to assist in combatting terrorism and “safeguarding national security,” it also concerns standard law enforcement activity as it relates to “serious Australian offences,” which are defined as any crimes “punishable by a maximum term of imprisonment of 3 years or more or for life.” What’s more, the act does not include language requiring an individual to be suspected of a crime, but merely “involved in inquiries pertaining to” a crime. Further, under the act a “designated communication provider” can be read to apply to anyone who provides any kind of online service or communications equipment to anyone in Australia, including anyone who provides installation or maintenance services. The categories include the obvious parties, such as the telecommunications providers, but also extend to nearly anyone who maintains a website in Australia.
Many opponents of the act fear that it will prove detrimental to Australia’s technology industry. Further, critics point to the global nature of the technologies that fall under the new act and note that the act’s effects in potentially weakening security will be felt globally. The Assistance and Access Act could embolden other governments to pass similar laws at the behest of law enforcement and intelligence agencies. The intelligence alliance known as the Five Eyes, which includes Australia, the United States, the United Kingdom, Canada and New Zealand, has long been lobbying for these sorts of assistance mechanisms, along with calls for technology providers to recognize their “mutual responsibility” to offer “further assistance” to law enforcement. The Australian Parliament will consider amendments to the act next year. For now the fallout remains uncertain.