Library of Congress

Law Library of Congress

The Library of Congress > Law Library > News & Events > Global Legal Monitor

Australia: Bill Enabling Law Enforcement and Intelligence Agencies to Access Encrypted Information Passes

(Dec. 14, 2018) On December 6, 2018, the Australian Parliament passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Cth) (as enacted; all legislation links are to Federal Register of Legislation website.) The Bill amends the Telecommunications Act 1997 (Cth) to “establish “frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies in relation to encryption technologies via the issuing of technical assistance requests, technical assistance notices and technical capability notices,” and makes changes to other legislation, including to the

Australian Security Intelligence Organisation Act 1979 and four other Acts to: provide an additional power for Commonwealth, state and territory law enforcement agencies investigating certain federal offences to obtain covert computer access warrants under the Surveillance Devices Act 2004; and provide additional powers for law enforcement agencies in relation to the use of existing computer access powers. (Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, Parliament of Australia website (last visited Dec. 10, 2018) (links to legislation added).)

Background

As stated in the Bills Digest for the Bill,

[t]he Bill contains significant measures that the Government argues are urgent and necessary to address the challenge law enforcement and intelligence agencies face in their investigations when presented with encrypted communications. Maintaining lawful access to telecommunications content and data for national security and law enforcement purposes is a challenge with global dimensions: the common problem faced by many governments and posed by the virtual ubiquity of encryption is known as ‘going dark’.

Telecommunications interception and access to telecommunications and other data are key investigative tools. Going dark refers to the impediment that the increasing prevalence of encrypted data and communications represents to available investigative and interception capabilities. The issue has been understood as an eventual catalyst for legislative action for more than twenty years in Australia. The extent of the challenge appears to be increasing. The proportion of internet communications intercepted by ASIO [Australian Security Intelligence Organisation] that were encrypted increased from three per cent in June 2013 to 55 per cent four years later. Over 90 per cent of data intercepted by the Australian Federal Police (AFP) is now encrypted. (Cat Barker et al., Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 8–9 (Bills Digest No. 49, 2018–19, Australian Parliamentary Library, Dec. 3, 2018) (citations in original removed).)

The Bills Digest also refers to Australia’s membership in the Five Eyes intelligence alliance, which agreed in late-August 2018 to a framework for resolving the “growing dark” problem for discussion with industry. (Id. at 10.) The Bill is the first legislation passed since the Five Eyes’ statement of principles on this issue, with the Bills Digest noting that “[t]he UK and NZ have laws to oblige industry assistance with access to encrypted communications, whereas the United States and Canada have not amended existing provisions to impose comparable requirements on technology providers as yet.” (Id.)

The Australian government had previously consulted industry on the issue and released an exposure draft of the Bill on August 14, 2018, seeking public comments by September 10, 2018. (Id.Consultations: The Assistance and Access Bill 2018, Department of Home Affairs website (last updated Nov. 11, 2018).) The Bill was subsequently introduced in the Parliament on September 20, 2018. The government requested that the Parliamentary Joint Committee on Intelligence and Security (PJCIS) expedite its consideration of the Bill, which was also considered by the Senate Standing Committee for the Scrutiny of Bills. (Barker et al., supra, at 11.) The PJCIS submitted its report to the Parliament on December 5, 2018. (Review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, Parliament of Australia website (last visited Dec. 10,  2018).)

The main opposition party, Labor, originally proposed that an interim bill be passed prior to the end of the parliamentary sitting year to provide federal authorities with enhanced investigative capacities, with the PJCIS being given more time to consider other aspects of the Bill related to the powers of state law-enforcement bodies. (Barker et al., supra, at 13.) The Labor Party had also put forward several amendments. However, it agreed to support the Bill, with some concessions from the government, and raise the amendments again when Parliament resumes in 2019. This followed the government’s accusing the opposition of backing terrorists if it failed to pass the legislation. (Chris Duckett, Coalition and Labor Strike Deal on Encryption Legislation, ZDNET (Dec. 4, 2018).)

Bill Provisions

Schedule 1 of the Bill “introduces a new, graduated approach to industry assistance” for enabling access to communications. (Parliament of Australia, Explanatory Memorandum: Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, at 3.) The measures will

  • provide a legal basis on which a designated communications provider, including foreign and domestic communications providers and device manufacturers, can provide voluntary assistance under a ‘technical assistance request’ to the Australian Security Intelligence Organisation (ASIO), Australian Secret Intelligence Service (ASIS), Australian Signals Directorate (ASD) and interception agencies in the performance of their functions relating to Australia’s national interests, the safeguarding of national security and the enforcement of the law[,]
  • allow the Director-General of Security or the head of an interception agency to issue a ‘technical assistance notice’ , requiring a designated communications provider to provide assistance that the decision maker is satisfied is reasonable, proportionate, practicable and technically feasible, and
  • allow the Attorney-General to issue a ‘technical capability notice’ , requiring a designated communications provider to do acts or things to ensure the provider is capable of giving help to ASIO and interception agencies where the Attorney-General is satisfied that it is reasonable, proportionate, practicable and technically feasible. The Attorney-General must consult with the affected provider prior to issuing a notice, and may also determine procedures and arrangements relating to requests for technical capability notices. (Id.)

The Bill provides for communications providers to receive financial compensation for assisting agencies, as well as including “appropriate enforcement mechanisms and immunities from civil liability and specific criminal offences.” (Id.) In addition, the Bill “clearly provides that technical assistance notices and technical capability notices must not require providers to implement or build systemic weaknesses in forms of electronic protection (‘backdoors’) nor can they prevent providers from fixing an identified weakness or vulnerability.” (Id. at 4.)

Amendments put forward by the government prior to the passage of the Bill included enhanced oversight and review mechanisms, additional reporting requirements, narrowing the functions for which intelligence agencies can seek voluntary assistance, and limiting “the application of the industry assistance measures to the investigation and prosecution of serious offences (offences with a maximum period of imprisonment of 3 years’ or more),” among others. (Parliament of Australia, Supplementary Explanatory Memorandum: Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, at 2–3.)

Schedule 2 of the Bill

provides an additional power for Commonwealth, State and Territory law enforcement agencies investigating a federal offence punishable by a maximum of three years imprisonment or more, to obtain covert computer access warrants under the SD Act [Surveillance Devices Act], similar to those already available to ASIO. The provisions have been aligned with those in the ASIO Act. The schedule also provides for a number of new powers for law enforcement agencies and amendments to the ASIO Act designed to address a range of operational challenges associated with the use of existing computer access powers. . . . (Explanatory Memorandum at 4.)

Schedules 3 and 4 of the Bill relate to enhancing the search warrant frameworks under the Crimes Act 1914 (Cth) and Customs Act 1901 (Cth), while schedule 5 provides immunity from civil liability for persons who provide assistance to ASIO and will “enable ASIO to require a person with knowledge of a computer or a computer system to provide assistance that is reasonable and necessary to ASIO in order to gain access to data on a device that is subject to an ASIO warrant.” (Id. at 56.)

Reactions to the Bill

A lobby group representing companies such as Google, Facebook, and Twitter said in a statement that, while technology companies are willing to work with the government to promote public safety, the laws could “potentially jeopardise the security of the apps and systems that millions of Australians use every day.” (Claire Reilly, Google, Apple, Facebook Face World-First Encryption Laws in Australia, CDNET (Dec. 6, 2018).) Apple also stated that “[i]t would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat.” (Id.) The chief executive of the Communications Alliance, a group representing the Australian communications industry, expressed concerns  about “the breadth and range of activities” law enforcement agencies could require companies to do. (Paul Karp, Australia’s War on Encryption: The Sweeping New Powers Rushed into Law, THE GUARDIAN (Dec. 7, 2018).)

The Australian Human Rights Commission raised various concerns about the legislation in its submission to the PJCIS, acknowledging the importance of law enforcement and national security agencies having appropriate powers to perform their functions, but stating that “the Bill would also authorise intrusive and covert powers that could significantly limit an individual’s human rights to privacy and freedom of expression, among other rights.” (Australian Human Rights Commission, Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018: Submission to the Parliamentary Joint Committee on Intelligence and Security 4 (Oct. 12, 2018).)

The Office of the Australian Information Commissioner (OAIC) recommended the inclusion of a sunset clause in the Bill in its submission to the PJCIS, in addition to recommending various amendments. (OAIC, Inquiry into the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 — Submission to the Parliamentary Joint Committee on Intelligence and Security (Oct. 15, 2018).) The Law Council of Australia also recommended amendments related to oversight, transparency, and the scope of application of the provisions. (Law Council of Australia, Submission, Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018: Parliamentary Joint Committee on Intelligence and Security (Oct. 18, 2018).) Both of these entities noted the complexity of the Bill and the limited amount of time for analysis and comment.