2 May 2019

In this article, we provide a general overview of Australia’s highly controversial data encryption legislation which was passed through Parliament at the end of last year, making it the first legislation of its kind in the world.

1. When did the new data encryption laws come into play?

On 9 December 2018 the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) came into force.

This legislation provides national security and law enforcement agencies with broader powers to access communications and data for the purpose of investigating criminal activity and threats to national security.

The legislation achieves this purpose by enabling:

1) lawful access via decryption (Schedule 1 of the legislation); and

2) lawful access where data is not encrypted (Schedules 2-5 of the legislation).

It’s fair to say that this new legislation has far-reaching consequences for individuals and companies alike and as is often the case, the devil is in the detail.

2. Why are encrypted communications and devices an issue?

In recent years, services such as WhatsApp, Facebook Messenger and Apple’s iMessage, have added a layer of security known as end-to-end encryption. End-to-end encryption allows only the sender and recipient to view a message, preventing it from being unscrambled by the service provider.

Australia (and other countries) have said that terrorists and criminals exploit this technology to avoid surveillance.

3. How can security and law enforcement agencies access encrypted communications?

Schedule 1 of the legislation introduces a new framework for industry assistance - it gives the Director-General of Security, the Director-General of the Australian Secret Intelligence Service, the Director-General of the Australian Signals Directorate or the chief officer of an ‘interception agency’ the power to issue an order to ‘designated communication providers’ requiring them to provide law enforcement and intelligence agencies with assistance to do ‘listed acts or things.’

The reason for the introduction of the above new powers was so that Australia’s law enforcement and intelligence agencies could get assistance from industry to deal with matters relating to Australia’s national interests, safeguarding of national security and enforcement of the law.

Importantly, schedule 1 of the legislation:

a) Introduces this new term ‘interception agencies’ – basically, it makes the above powers (as well as other powers explained below) also now available to State and Territory police (not just ASIO or the Australian Secret Intelligence Service)

b) Introduces this term ‘designated communication provider’ – this could be anyone (i.e. an individual or a company) in the communication supply chain. Law enforcement and intelligence agencies can directly approach specific individuals such as IT administrators or engineers within companies, rather than the company itself, to provide assistance. Penalties for non-compliance are severe

c) Requires ‘designated communication providers’ to do ‘listed acts or things’ – this term is quite broad and includes removing a device, facilitating access to a device, testing software, removing electronic protection, providing technical information, formatting information and other things. This can quite easily extend to compelling individuals and/or companies to grant access to information on their encrypted platforms.

4. Are there any safeguards to protect individuals and/or companies from having to assist with providing access to encrypted communications?

Schedule 1 introduces safeguards however there are issues with these:

a) Requests or notices must be given in relation to ‘enforcing the criminal law so far as it relates to serious offences’ or ‘safeguarding national security’ - however, note that ‘serious offence’ is a fairly low threshold as it means anything attracting imprisonment of 3 years or more (e.g. theft, breaches of the Corporations Act, tax issues). This covers a much broader range of offences than terrorism or the distribution of child abuse material. The term ‘safeguarding national security’ is not defined, vague and could potentially be open to a very wide remit.

b) A decryption cannot go ahead if it creates a ‘systemic weakness or systemic vulnerability’. The definitions of ‘systemic weakness’ and ‘systemic vulnerability’ are vague and it is not clear how they would be applied. Whilst the intent of the Act is to get to the data of a specific person or entity, quite a few tech companies and cyber security experts have criticised the legislation voicing that it’s not possible to create a ‘back door’ decryption tool that would safely target just one suspect without weakening the entire existing encryption scheme to the detriment of innocent users.

c) Requests for assistance can only be given by the Director-General of Security or the head of an interception agency or otherwise the Attorney-General. The designated communication provider must be consulted before it is issued with a formal request to provide assistance and the consultation period must run for at least 28 days. Arbitration is available if there is a disagreement or dispute between the government and designated communication provider regarding the terms and conditions of a request. One of the key issues with this is that even after this avenue is exhausted, the designated communication provider may still be required to follow the request.

d) Any request from the Director-General of Security, the head of an interception agency or the Attorney General must be ‘reasonable, proportionate, practicable and technically feasible’. Again, none of these terms are defined and decisions on what these terms mean are not open to merits review so it will be down to judicial review and interpretation.

One of the issues overlooked by the new legislation is that once the data is accessed, whilst it might be subject to protections, there is no requirement to destroy the data once it has been accessed. So even if sensitive information is given over to law enforcement agencies, there is still the risk that it can fall into wrong hands.

5. What new powers are granted with respect to accessing communications that are not encrypted?

Computer Access Warrants (Schedule 2 of the new legislation)

The legislation:

a) expands the powers currently available to ASIO under computer access warrants to enable additional agencies (e.g. State and Territory police) to covertly access and modify a device for the purpose of obtaining evidence

b) redefines ‘computer’ – extended scope so it now covers anything you can think of as an IoT device including security and mobile devices

c) extends computer access warrants to access to a person; previously it was associated with access to a premise

d) doesn’t require the law enforcement agency to specify what it is looking for in the warrant application, it just needs to specify that there is information on a person in question that is relevant to an offence that the agency is investigating

e) extends computer access warrants to now cover both access to, and removal of, a device and can also require that force be used against a person ‘as is necessary and reasonable’ to do the things specified in the warrant

f) introduces ‘assistance orders’ – a law enforcement officer can apply for an order to require a person to provide ‘information or assistance’ (e.g. unlock a device or provide assistance to do so). Such assistance order does not necessarily have to apply to a person who is reasonably suspected of committing an offence; it could apply to an innocent person

g) Penalties for non-compliance have increased – 10 years imprisonment or a fine or both

Search Warrants (Schedules 3 and 4 of the new legislation)

a) The new legislation amends the search warrant framework to enhance the ability to access account-based data where the data is stored on the cloud rather than just on a device or computer (e.g. Facebook, Gmail – any electronic service that requires some sort of log-on)

b) Search warrants can now enable law enforcement agencies to collect evidence from electronic devices remotely rather than having to do it in person at a premise

c) Penalties for non-compliance – increased from 2 years imprisonment to 5 years for a ‘simple’ offence and up to 10 years for an ‘aggravated offence’ (i.e. where there is non-compliance with an order related to an investigation of a serious crime)

6. What does the new data encryption legislation mean for individuals and companies?

If companies don’t comply with the laws, they risk being fined up to $10 million, while individuals who refuse could also face fines or jail time.

The new legislation has the potential to effect parts of the IT industry as foreign customers may be concerned that their communications may not be protected from Australian governments. Not only that but there could also be a loss of trust in Australian cyber security and products and large global IT firms may well be deterred from having any sort of base in Australia.

For regular users of devices, in theory, things won’t change too much. On the downside, in relation to access to encrypted communications, it’s unlikely you will know when or whether your encrypted communications are being accessed. With regards to the other aspects of the legislation, if you get caught up in a crime then the new legislation makes it much easier for law enforcement agencies to gain full access to your information, encrypted or not, on your computers and other devices.

7. How does this new legislation compare with other countries?

The legislation in place in Australia is the first of its kind in the world and may trigger other governments to pass similar laws at the behest of law enforcement and intelligence agencies. There have been calls for similar assistance mechanisms in the US, UK, Canada and New Zealand.

In New Zealand, there is the Telecommunications (Interception Capability and Security) Act which was introduced in 2013 and in the UK there is the Investigatory Powers Act (2016) (nicknamed the Snooper’s Charter) but on comparison, Australia’s new legislation is far more overreaching than those Acts.

In China, Russia and Turkey, services offering end-to-end encryption are banned.

8. Does the new legislation achieve its purpose?

The new legislation was a response to concerns on the part of the Australian Government that law enforcement and intelligence agencies were not equipped with the powers required to effectively address national security risks. However, arguably the new legislation introduces broad powers that go beyond this original premise – and these broad powers are neither necessary nor proportionate and have potential scope for abuse.

A lot of attention (and criticism) has been given by industry players to the decryption powers in schedule 1 and consequently, some of the other powers introduced by this new legislation have been overlooked. Some of the other powers – for example, the ability for a law enforcement officer to compel individuals to unlock their device or provide access to a server – are quite onerous and attract 5-10-years imprisonment for non-compliance. Arguably, these powers go beyond what the Act was supposed to do.

At the present time, the new legislation remains controversial, vague and untested.