This article was written by Michael Swinson, Luke Pallaras and Rebecca Searle.
On 14 August 2018, the federal government, through the Department of Home Affairs, published an exposure draft of a Bill designed to help national security and law enforcement agencies address challenges that the increasing use of encrypted communications and devices presents to their investigatory capabilities.
The proposed legislation, which was foreshadowed in an announcement in July 2017 (see our previous insight here), will have a broad reach and may impact significantly not only on providers of communications services (including suppliers of "over-the-top" messaging applications) but also companies that supply software or devices used for those services in the Australian market, regardless of whether the provider is located in Australia or overseas.
What does the legislation do?
The proposed legislation involves three sets of amendments:
- new requirements (and rights) for technology service providers to provide assistance to Australia's key enforcement and security agencies (Industry Assistance Requirements);
- new powers for law enforcement agencies to search electronic devices and access content on those devices covertly (including accessing premises, temporarily removing the device and adding, deleting, copying or altering data); and
- enhanced powers for law enforcement agencies, Australian Border Force and ASIO to collect data under warrants (including the ability to collect data remotely).
This insight focuses on the Industry Assistance Requirements, which have so far prompted the most concern and comment from those in the communications and technology industries.
Who do the Industry Assistance Requirements apply to?
The Industry Assistance Requirements will apply to "designated communications providers" (DCP). According to the Department of Home Affairs, a DCP includes "any provider of communications services and devices in Australia, irrespective of where they base their corporation, servers or manufacturing." The intention is to capture communications providers regardless of the network layer at which they operate. This will include:
- carriers (owners of network units);
- carriage service providers (providers of carriage services over network units);
- providers of electronic services to end-users in Australia (which the Explanatory Document accompanying the Bill indicates is intended to capture providers of "websites and chat fora, secure messaging applications, hosting services including cloud and web hosting, peer-to-peer sharing platforms and email distribution lists");
- entities that provide services or software for use in connection with an electronic service (which the Explanatory Document describes as including "persons involved in designing trust infrastructure used in encrypted communications or software utilised in secure messaging applications"); and
- entities that manufacture or supply customer equipment or telecommunications facilities for use in Australia.
This gives the Bill an extremely broad scope, extending to offshore providers supplying communications services and devices in Australia, or with a nexus to Australia.
Facilitating voluntary technical assistance
The proposed legislation contemplates that DCPs may be asked to provide assistance on a voluntary basis in response to a "technical assistance request". These requests can be given by a broad range of law enforcement and intelligence agencies for purposes related to law enforcement and national security, as well as the protection of national revenue and Australia's national economic wellbeing.
The Bill sets out a non-exhaustive list of specified types of help that an agency can ask a DCP to provide under a technical assistance request. Examples include:
- Removing electronic protections – e.g. decrypting messages (where it is possible) using an existing decryption capability (i.e. an encryption key)
- Providing technical information – the Explanatory Document indicates that this is intended to be very broad and could include provision of source code, network or service design plans, configuration of network equipment and encryption schemes as well as demonstration of these technologies
- Installing, maintaining, testing or using software or equipment nominated by an agency – the Explanatory Document indicates that this may require deployment of agency software within an existing network operated by the DCP (some commentators have suggested this could allow agencies to request installation of government "spyware" on communications devices or communications networks)
- Notifying an agency of changes to, or developments of, the DCP's service that may be relevant to a warrant – the Explanatory Document indicates that this could include notice of new and improved products, or notice of new outsourcing arrangements or offshoring arrangements
Compliance with technical assistance requests is voluntary and no mechanism has been proposed to allow DCPs to recover compliance costs. However, the legislation seeks to encourage DCPs to respond by granting them immunity from civil liability for acts or things done in accordance (or in good faith purportedly in accordance) with a technical assistance request. It also empowers law enforcement and intelligence agencies to enter into contracts for acts or things done by DCPs in responding to their requests, which could include a contractual right to cost recovery.
Obligation to provide technical assistance and establish technical capability
The proposed legislation also grants powers to:
- heads of law enforcement and intelligence agencies to issue a mandatory technical assistance notice requiring DCPs to provide assistance to those agencies; and
- the Attorney-General (on request of heads of law enforcement and intelligence agencies) to issue a mandatory technical capability notice requiring a provider to establish and maintain a new functionality/capability to provide assistance to relevant agencies.
Technical assistance and technical capability notices may be issued to enforce criminal law, safeguard national security or protect public revenue.
The same list of types of assistance that applies to technical assistance requests also applies to these notices. In the case of technical capability notices, this is an exhaustive list that can be supplemented by determination by the responsible Minister. However, a technical assistance notice may cover other types of assistance not listed in the Bill, as long as the assistance relates to eligible activities carried out by the DCP which are in relation to the performance of the agency's functions.
Before issuing one of these notices, the decision-maker must be satisfied that the requirements imposed are "reasonable and proportionate" and compliance is "practicable" and "technically feasible". In addition, the Attorney-General must consult with the relevant DCP before issuing a technical capability notice.
The Explanatory Document suggests that, in assessing whether the requirements are "reasonable and proportionate", the relevant decision-maker is intended to consider the objectives of the agency, alternative means to meet those objectives, benefits to the investigation, the business impact on the provider, as well as "wider public interests, such as any impact on privacy, cyber security and innocent third parties". However, this is not expressly reflected in the proposed Bill.
There are also a series of limitations that prevent a technical assistance or technical capability notice being used to:
- require a DCP to implement or build in a systemic weakness or vulnerability into a form of electronic protection – this expressly prohibits the creation of a new decryption capability (or "backdoor");
- prevent a DCP from rectifying a systemic weakness or vulnerability of the type mentioned above; or
- require a DCP to undertake an act for which a warrant or authorisation is required under existing legislation (e.g. legislation dealing with interception and surveillance warrants). Accordingly, the guidance published by the Department of Home Affairs along with the Bill indicates that the new framework "does not serve as an independent channel to obtain private communications or undertake surveillance."
As with voluntary technical assistance requests, DCPs will be immune from any civil liability for or in relation to anything done by the DCP in good faith to comply with a technical assistance notice or technical capability notice.
Unless agreed otherwise between the DCP and the relevant agency, or it would be contrary to public interest, a DCP will be expected to comply with a technical assistance notice or technical capability notice on the basis that it neither profits from, nor is expected to bear the reasonable costs of, doing so. Costs and other terms on which the assistance is to be provided will be negotiated between the DCP and a nominated costs negotiator identified in the legislation acting on behalf of the agency, and in the absence of agreement will be determined through an arbitration process.
If the DCP does not comply, the Australian Government can apply for enforcement remedies such as civil penalties, injunctions and enforceable undertakings. The maximum civil penalty for non-compliance is 47,619 penalty units (approx. AU$10 million).
Although the exposure draft of the Bill aims to put to rest concerns that the Australian government is seeking to establish a government-mandated backdoor to allow law enforcement agencies to access private communications being carried on encrypted communications services, there are still many questions left unanswered, including:
- How will the reasonable costs of compliance be assessed, including whether the assessment may take into account opportunity costs where a DCP is required to divert resources or make changes to its services in order to comply?
- How will DCPs operating in multiple jurisdictions deal with potential conflict of laws issues (e.g. if something required by the Australian government under a technical assistance or technical capability notice would conflict with a requirement in another jurisdiction)?
- How will the "reasonable and proportionate" and "practicable" and "technically feasible" tests be applied in practice? The legislation leaves much to the discretion of the relevant agency empowered to issue the relevant notice. While the courts will retain their inherent power to review decisions under the new legislation, it is noteworthy that the proposal is that these decisions be excluded from the scope of review permitted under the Administrative Decisions (Judicial Review) Act 1977 (Cth). DCPs may be concerned that a notice may set unreasonable requirements, in terms of timeframes and methods for compliance, which will be difficult for them to challenge.
- Could the new powers contemplated by the legislation be used in a way that has a negative technical impact on communications services offered by DCPs in Australia? As noted above, there is a requirement for the Attorney-General to consult with the relevant DCP before issuing a technical capability notice. However, ultimately the decision about what to require in a notice will rest with the Attorney-General or other relevant agency. The potential technical and service impacts may be hard for these decision-makers to predict. In addition, requirements directed at entities further down the supply chain (e.g. device and software suppliers) could have an impact on the ultimate communications service delivered to end users, potentially even without the service provider's knowledge.
The government is seeking comment on the draft Bill until 10 September 2018.