18 August, 2018
Australian Government releases for public comment a Bill requiring the rendering of assistance and the provision of capability to overcome the routine encryption of data that makes it inaccessible in intelligible form.
What you need to know
On 14 August 2018, the Australian Government announced the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the Bill). The Government intends that the Bill will strengthen the investigatory powers of government agencies by forcing companies and individuals to enable the government to access communications in an intelligible form.
Under the Bill, government agencies can request or require a 'designated communications provider' (DCP) to assist the agency, including to access, modify or decrypt electronic communications. The term DCP is very widely defined and includes a person who provides access to material to end users in Australia, including access by a website.
If a DCP is not capable of providing the assistance requested, the Bill also gives agencies powers to compel the DCP to build the capability.
What you need to do
If you believe you or your organisation would be a DCP, ensure you keep up to date with debate around the Bill and its development.
If you have any views or concerns, lodge a public comment before 10 September 2018 via the Department of Home Affairs website.
Where did the Bill come from?
The Government first raised the prospect of a Bill dealing with encryption back in July 2017, seeking to improve the ability of intelligence and enforcement agencies to access key data and communications for terrorism and criminal investigations. In the 18 months since, lawmakers have consulted with both intelligence agencies and the tech industry to develop a framework palatable to all parties. Civil liberties groups have also warned against weakening security measures without reasonable justification.
The Bill's development has been preceded by similar moves in other jurisdictions, most notably the UK.
The UK's Investigatory Powers Act 2016 introduced wide-ranging interception and access powers that share many characteristics of those contained in the Bill, as well as additional powers that allow for agencies to collect data and communications in bulk. The Investigatory Powers Act has since hit several roadblocks, most notably in the European Court of Justice and UK Court of Appeal, and a process of amendment is ongoing.
Who does the Bill apply to?
The scope of the Bill is very broad and extends much further than telecommunications service providers.
The Bill applies to persons who provide access to material to end users in Australia, including access by a website. This would seem to apply to most businesses. The Bill also applies to most organisations operating in the technology and telecommunications supply chain. The parties which may be the subject of the Bill's provisions are designated communications providers (DCPs).
What powers can agencies exercise under the Bill?
The Bill sets out three levels of assistance that certain government agencies can seek from DCPs:
- Technical assistance request: this allows agencies to request assistance from a DCP, but the DCP cannot be forced to comply, even if they are able to.
- Technical assistance notice: this allows agencies to compel a DCP to provide assistance, unless the DCP lacks the capability to do what is asked.
- Technical capability notice: an agency can apply to the Attorney-General for a technical capability notice to be issued. Under this notice, a DCP must build a new capability that allows the assistance requested by the agency to be provided. A notice is invalid if it requires building a weakness or vulnerability into a service, or decrypting communications. Relying on its invalidity may prove difficult.
At each level, the types of assistance that agencies can seek include:
- Removing electronic protections, if the provider has an existing capability to remove this protection;
- Providing technical information like the design specifications of a device or the characteristics of a service;
- Installing, maintaining, testing or using software or equipment given to a provider by an agency;
- Facilitating access to devices or services;
- Helping agencies test or develop their own systems and capabilities; and/or
- Concealing the fact that agencies have undertaken a covert operation.
DCPs that comply with an agency's request for assistance receive an immunity from civil liability for any assistance they provide in compliance (or in good faith in purported compliance) with a technical assistance request, technical assistance notice or technical capability notice. DCPs that comply with an agency's request will also receive compensation on a no-profit, no-loss basis.
The Bill also creates a new criminal offence where information about or obtained in accordance with a request or notice is disclosed without authorisation. The penalty for such a disclosure is 5 years' imprisonment.
What limitations and safeguards are in place?
The Bill sets out a number of limitations and safeguards, including:
- No "systemic weaknesses or vulnerabilities": a technical assistance notice or technical capability notice must not have the effect of requiring a DCP to implement or build a systemic weakness or vulnerability, or preventing a DCP from fixing a systemic weakness or vulnerability.
- Reasonable, proportionate, practicable and technically feasible: in each case, the decision-maker must be satisfied that each of these requirements is met before issuing a notice. This includes wider public interests such as privacy and cyber security concerns, and the technical expertise of the particular DCP.
- Exemption from civil liability: as mentioned above, the Bill grants an immunity from civil liability for a DCP who acts in compliance (or in good faith in purported compliance) with a request or notice.
What next?
The exposure draft of the Bill will be open for public comment until 10 September 2018, at which point it will be considered by Parliament. Further consultation between government, industry and the wider public is expected.
The Government intends for the Bill to become law before the end of the year.
For further information, please contact:
Tim Brookes, Partner, Ashurst
tim.brookes@ashurst.com