This article was written by Michael Swinson and James Patto.
Despite a flurry of political posturing by the major political parties on the final day of Parliament for 2018 and substantial industry criticism, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (also commonly referred to as the Assistance and Access Act or Encryption Act) has passed both Houses of Parliament with bipartisan support. The Act came into effect when it received Royal Assent on 8 December 2018, but that is not the end of the story for this Act …
Amongst the chaos of the final day, the Australian Labor Party had requested a number of amendments to the Act in exchange for support in passing it. The ALP ultimately conceded on these amendments and allowed the Act to pass unamended from the Government’s proposed version, but has indicated that it will seek to reintroduce these amendments (and possibly others) when Parliament resumes in early 2019. In addition, the Act is still being scrutinised by the Parliamentary Joint Committee on Intelligence and Security, which is due to provide another report in April 2019, and this may also give rise to calls for further amendments. With a Federal election slated for May, a potential change in government could also have an impact on what the final form of this law looks like.
On 17 August 2018, we provided this insight on the exposure draft of this legislation. In this article we provide an updated summary of the Act as it was passed. As with our initial summary, we have focussed on the industry assistance obligations imposed under the Act, though the Act also makes changes to laws dealing with use of computer access and search and seizure warrants.
Who does the Act apply to?
The Act has a very broad scope and will apply to a wide range of “designated communication providers” (DCPs) including:
- carriers (effectively owners of telecommunications network infrastructure in Australia) and carriage service providers (effectively entities that sell telecommunications services delivered over a carrier’s network in Australia);
- entities that manufacture, supply, operate or maintain telecommunications network infrastructure in Australia (or any components used in that infrastructure);
- entities that manufacture or supply customer equipment (e.g. device handsets) for use, or likely to be used, in Australia;
- entities that supply electronic services to end-users in Australia, where an “electronic service” includes any service that allows end-users to access material using a carriage service. The Explanatory Memorandum for the Act indicates that this will cover “websites” and “secure messaging applications”; and
- entities that provide services or software for use in connection with a carriage service or an electronic service.
What type of assistance can be required under the Act?
The Act sets out a list of specified types of help that an agency can ask a DCP to provide under a Technical Assistance Request (on a voluntary basis) or a Technical Assistance Notice (on a mandatory basis). Examples include:
- Removing electronic protections – this could extend to decrypting messages where possible to do so using an existing decryption capability (i.e. where the DCP has an encryption key);
- Providing technical information – the Explanatory Memorandum indicates that this is intended to be very broad and could include provision of source code, network or service design plans, configuration of network equipment and encryption schemes as well as demonstrating these technologies;
- Installing, maintaining, testing or using software or equipment nominated by an agency – the Explanatory Memorandum indicates that this may require deployment of agency software within an existing network operated by the DCP; and
- Notifying an agency of changes to, or developments of, the DCP’s service that may be relevant to a warrant – the Explanatory Memorandum indicates that these could include notice of new and improved products, notice of new outsourcing arrangements or offshoring arrangements.
Under a Technical Capability Notice, a DCP may be required to build a capability to provide a type of help listed in the Act (other than for removing a form of electronic protection). A Technical Capability Notice may also be used to require assistance within the same scope as a Technical Assistance Notice (i.e. so that there is no need for two separate notices).
Do any general limitations apply?
A Technical Assistance Request, Technical Assistance Notice or Technical Capability Notice:
- must not require a DCP to build a systemic weakness or systemic vulnerability into a form of electronic protection that will render methods of authentication or encryption ineffective;
- must not prevent a DCP from rectifying a systemic weakness or vulnerability of the type mentioned above; or
- will be of no effect to the extent that it would require an act for which a warrant is required under existing legislation (e.g. legislation dealing with interception and surveillance warrants). This means that the Act will not provide agencies with a means of avoiding the need to obtain warrants to access communications data.
The Act expressly states that the prohibition on building a systemic weakness or systemic vulnerability means that a DCP cannot be required to build a new decryption capability in relation to an existing form of electronic protection, or to do anything that would render existing systemic methods of authentication or encryption less effective. In addition, the Act explains that a “systemic weakness” or “systemic vulnerability”:
- means a weakness or vulnerability that affects a whole class of technology but does not include a weakness or vulnerability that is selectively introduced to one or more target technologies connected with a particular person. For these purposes, a “target technology” may include a particular electronic service so far as the service is likely to be used by a particular person; and
- where a weakness or vulnerability is to be selectively introduced into a particular target technology, includes any act or thing that will, or is likely to, jeopardise the security of any information held by any other person (which includes where otherwise secure information can be accessed by an unauthorised third party).
These explanations are somewhat confusing, and there is some doubt as to when a particular weakness or vulnerability may be considered to affect a “whole class of technology” rather than only a particular “target technology”. Unless further clarifications are made, this appears to be an area where there will be significant lingering doubt for the communications industry as to how the Act will work in practice.
When can assistance be required?
A Technical Assistance Request, Technical Assistance Notice or Technical Capability Notice must not be issued unless the issuing authority is satisfied that:
- the request is reasonable and proportionate; and
- compliance with the request is practicable and technically feasible.
The Explanatory Memorandum states that this is designed to ensure that DCPs are not required to comply with “excessively burdensome or impossible assistance measures” and provides the example that a DCP cannot be required to remove a form of electronic protection (such as a form of encryption) if that is not technically feasible due to the way that the protection has been deployed.
In considering whether the relevant requirements are reasonable and proportionate, the Act specifies that a range of factors must be taken into account, including:
- the interests of law enforcement and national security;
- the legitimate interests of the DCP;
- the availability of other means to achieve the objectives of the relevant notice;
- whether the requirements specified in the notice are the least intrusive form of industry assistance so far as the interests of other people not the target of the relevant law enforcement or national security investigation are concerned;
- whether the requirements of the notice are necessary; and
- the legitimate expectations of the Australian community as to privacy and cybersecurity.
In addition, unless the matter is considered urgent, the relevant DCP must be consulted before a Technical Assistance Notice or Technical Capability Notice is issued. A number of other procedural protections apply for Technical Capability Notices:
- the Attorney-General may not issue a Technical Capability Notice unless it has been approved by the Minister for Communications – in considering whether or not to approve a proposed Technical Capability Notice, the Minister must take into account the legitimate interests of the DCP and also the impact on the efficiency and international competitiveness of the Australian telecommunications industry (though, notably, website operators and software developers may not be considered to be part of the “telecommunications industry” as defined in the relevant legislation); and
- as part of the consultation process, the DCP may request an independent assessment as to whether the Technical Capability Notice should be given – in this case, two independent assessors (comprising a technical expert and a former judge) must be appointed to review and prepare a report as to whether the Technical Capability Notice should be given. The Attorney-General must consider the recommendation given by the assessors, but will not be bound to comply with the recommendation.
What are the cost and liability implications for the DCP?
A DCP will be immune from any civil liability for or in relation to anything done by the DCP in good faith to comply with a Technical Assistance Request, Technical Assistance Notice or Technical Capability Notice.
Compliance with a Technical Assistance Request is voluntary, though the Act contemplates that the DCP may enter into a contract with the relevant requesting agency in order to set out terms on which it will comply with their request, which could include terms relating to cost recovery. For Technical Assistance Notices and Technical Capability Notices, the terms and conditions on which the relevant assistance will be given may be agreed with the relevant requesting agency or a nominated cost assessor or, failing agreement, may be set by an appointed arbitrator. The default position is that the DCP should neither profit from complying nor bear the reasonable costs of complying.
If the DCP doesn’t comply with a Technical Assistance Notice or Technical Capability Notice, then the Government can apply for enforcement remedies like civil penalties, injunctions and enforceable undertakings. The maximum civil penalty for non-compliance is 47,619 penalty units (approx. AU$10 million). In proceedings for a civil penalty order, it will be a defence that a requirement under a Technical Assistance Notice or Technical Capability Notice to do something in a foreign country would contravene a law of that foreign country. Accordingly, this mechanism cannot be used to compel companies to do something outside Australia that would result in an offence under the law of a foreign country.
So what’s next?
As mentioned above, prior to passing the Act, the ALP proposed a number of additional amendments. These included a number of changes that the ALP argued were necessary in order to reflect the intent of the Joint Committee’s report (such as to oblige the Attorney-General to comply with the recommendation made by the assessors appointed to assess a proposed technical capability notice, and to prohibit the Attorney-General from refusing a request to disclose information about a technical capability notice unless it would prejudice a particular investigation or prosecution or have other operational impacts). The ALP also proposed that technical assistance and capability notices should not be issued unless they had been approved by a judge. This requirement for judicial oversight is something that many technology companies and civil rights bodies have been agitating for throughout the process.
While the ALP has indicated it intends to raise these amendments, and possibly others, when Parliament resumes in 2019, it remains to be seen whether there is the political will and capital available to do so. In the meantime, the communications industry is preparing itself to deal with the first assistance and capability notices as and when they may arrive.
This saga is far from over …