In 2018 the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 amended the Telecommunications Act 1997 to create encryption laws. These gave broad powers to law enforcement and intelligence agencies to access encrypted communications. The change allowed those bodies to compel technology companies and communication providers to provide technical help, and was in response to the use of encrypted technologies by terrorists, sex offenders and criminal organisations.
Who do encryption laws apply to?
The laws apply to “designated communications providers” (DCPs) and their “eligible activities”. The definition of DCP is broad, and includes major telecommunication companies; companies that make, supply, operate or maintain telecommunication infrastructure and customer goods; and electronic service providers such as website builders and app developers.
A DCP can be asked to provide help via a:
- Technical Assistance Request – a voluntary request for a DCP to use a decryption or other data access capability they have;
- Technical Assistance Notice – a compulsory request for a DCP to use a decryption or other data access capability they have;
- Technical Capability Notice – a compulsory request for a DCP to build a decryption or other data access capability so it can fulfil technical assistance notices and requests.
Technical assistance requests or notices
Assistance can include:
- removing electronic protections;
- providing technical information such as source code or network designs;
- installing, maintaining, testing and using software or equipment;
- facilitating or helping access to a facility, customer equipment, electronic service, listed carriage service or other entity.
Requests can be made by law enforcement and intelligence agencies including the Australian Security Intelligence Organisation, Australian Secret Intelligence Service, Australian Federal Police and Australian Criminal Intelligence Commission.
When issuing a request or notice, an entity must consider factors such as:
- the interests of national security;
- the interests of law enforcement;
- the interests of the DCP;
- the objectives of the request;
- whether the assistance requested is the least intrusive form of assistance to people who are not the subject of the request;
- the expectations of the Australian community relating to privacy and cybersecurity.
A request or notice is valid until its stated expiry date or otherwise, 90 days.
Technical capability notices
This notices requires a DCP to do one of more “specified acts or things” to ensure the DCP can help law enforcement and intelligence agencies. Factors which must be considered include the interests of law enforcement and national security; and the likely impact of the notice on the DCP.
A notice is valid until its stated expiry date or otherwise, 180 days.
A DCP must comply with a technical assistance notice or technical capability notice to the extent it can. A company that does not comply faces a maximum fine of 47,619 penalty units ($10,571,418).
If a person at a DCP, law enforcement or intelligence agency discloses information related to a technical assistance request or notice, or to a technical capability notice, without authorisation, they face a maximum penalty of imprisonment for 5 years.
There have been many concerns raised about encryption laws. They relate mainly to an imbalance between national security and individual privacy, a lack of oversight, and the scope of the laws. Government oversight agencies, civil society groups, and political parties have recommended significant changes. Specific concerns about encryption laws include:
- permissions to access the data of targeted individuals could be exploited, with entities accessing the data of any person;
- powers given to law enforcement and intelligence agencies could inadvertently lead to the weakening of encryption that protects critical infrastructure;
- a lack of transparency and judicial oversight in the approval of notices, including that many decisions made under the Act are not subject to judicial review;
- the laws could compromise the reputation of bodies covered by the Act who sell purportedly secure products and services;
- the laws could be used to identify journalists’ confidential sources, jeopardising free speech and freedom of the press.
Up to August 2020, no compulsory notices had been issued and fewer than 20 voluntary technical assistance requests had been made
For advice or representation in any legal matter, please contact Armstrong Legal.