Potential legislative reforms in Australia could see telecommunications and other similar companies forced to help Australian authorities obtain access to encrypted communications.

The prospective reforms are outlined in the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Cth) (“the Bill”), which was introduced into parliament by Minister for Home Affairs Peter Dutton on 20 September 2018.

The Industry Assistance Provisions Explained

The key reform proposed by the Bill is the insertion of an “industry assistance regime” into the existing Telecommunications Act 1997 (Cth), with the Explanatory Memorandum stating that the “communications industry is in a unique position to assist law enforcement and security agencies in dealing with the challenges posed by encryption.”[1]

If implemented, the industry assistance provisions will apply to “designated communications providers” (“DCPs”) that engage in “eligible activities”. These terms are defined broadly to include companies who provide electronic services (including websites, secure messaging applications and hosting services including cloud and peer-to-peer sharing platforms) that have one or more end-users in Australia. They also extend to companies that develop, supply or update software that is used or likely to be used in connection with such electronic services.

The proposed provisions will therefore capture a large number of companies that are based outside Australia (including UK companies) but nevertheless provide electronic and other related services to end-users in Australia. These include Apple, Facebook, WhatsApp and WeChat.

Crucially, the potential assistance that such overseas companies may be asked or forced to provide is tremendously wide, and includes the following “listed acts or things”:

removing one or more forms of electronic protection that are or were applied by or on behalf of the DCP which is “intended to include decrypting encrypted communications”[2];

providing technical information, with specific examples including “source code” and “network or service design plans”[3];

installing, maintaining, testing or using software or equipment including software or equipment given to a DCP by an agency[4];

facilitating access to things such as DCP facilities, customer equipment, data processing devices, listed carriage services, electronic services and software, which could be particularly useful where DCPs are able to “modify their systems (without creating a systemic weakness) to assist the execution of a warrant or authorisation to access information”[5]; and

doing acts or things to ensure that targets of government investigations do not “become aware they are the subject of an investigation.”[6]

The legislation then proposes a graduated approach for seeking the above assistance, comprising voluntary technical assistance requests (“TARs”), compulsory technical assistance notices (“TANs”) and compulsory technical capability notices (“TCNs”).

TARs

A TAR requesting voluntary assistance from a DCP may be issued by the Australian Security Intelligence Organisation (“ASIO”), the Australian Secret Intelligence Service (“ASIS”), the Australian Signals Directorate (“ASD”) and interception agencies. The assistance sought in the TAR can include but is not limited to the “listed acts or things”, as long as they are part of the activities of a DCP and are directed to helping the relevant agency in performing its national security and criminal law enforcement functions.

TANs

A TAN requiring compulsory assistance from a DCP may be issued by ASIO and interception agencies, with the forms of assistance again including but not being limited to the prescribed “listed acts or things”. The key difference here is that TANs are compulsory in nature, and DCPs and their employees face potentially significant financial penalties for failing to comply with them to the extent they are capable of doing so. These penalties are currently capped at just under AUD$10,000,000 (approximately £5,540,000 or €6,225,000) for a company and AUD$50,000 (approximately £27,700 or €31,125) for a person.[7] There is a specific limitation that a TAN (and a TCN) cannot have the effect of requiring a DCP to build a systemic weakness or vulnerability into a form of electronic protection.

TCNs

A TCN can be issued by the Australian Attorney-General for the purpose of ensuring that a DCP makes itself “capable” of giving help and assistance to ASIO and/or an interception agency. The relevant help includes the “listed acts or things” above, other than removing forms of protection applied by a DCP (i.e. building a decryption capability). The TCN can also include other acts or things that are determined by the Attorney-General, who must take into account the objects of the legislation, the relevant law enforcement and national security interests and the likely impact of any determination on a DCP. The same penalties outlined above apply to DCPs who fail to comply with a TCN where they are capable of doing so.

Immunity

The Bill makes clear that DCPs and their employees will receive immunity for complying, or acting in good faith in purported compliance, with a TAN, TAR and/or TCN. However, such compliance may nevertheless place DCPs and employees in breach of laws in other jurisdictions.

Conclusion

In his second reading speech, Minister Dutton justified the reforms on the basis that the “uptake of encrypted communications platforms by criminal and terrorist groups has been sudden” and “represents a seismic shift in the operational environment” for Australia’s law enforcement and protection agencies. At the same time, Minister Dutton maintained that the “legislation will not weaken encryption or mandate backdoors into encryption”.[8]

Despite these assurances, the Bill will presumably trigger the strong interest of companies such as Apple, Facebook, Google and Microsoft, particularly in light of the statement released earlier this year by the Reform Government Surveillance coalition (“RGS”) that “requiring technology companies to engineer vulnerabilities into their products and services would undermine the security and privacy of our users, as well as the world’s information technology infrastructure.”[9]

There has also been speculation that the Attorney-General may be able to allow a TCN to include the ability to remove forms of protection applied by a DCP such as building a decryption capability.

As the government does not have the balance of power in the Australian Senate (the upper house), it is likely that the Bill will be subjected to considerable scrutiny and review. Indeed, the Bill has been subject to heavy political criticism including by the opposition Australian Labor Party, with key members releasing a statement condemning the government for acting so quickly.[10]

Although it is not certain that the Bill will become law, its contents are nevertheless likely to give companies that would be affected considerable cause for concern.