Law Library Stacks

Back to Government Access to Encrypted Communications

Summary

Various federal statutes in Australia relate to the ability of government agencies to intercept and access communications and other data for law enforcement and national security purposes. In terms of requirements for persons to assist in decrypting information, under the Crimes Act 1914 (Cth) federal and state police may obtain an order for certain persons to provide “any information and assistance” necessary to enable an officer to access data in a computer or digital storage device that is subject to a warrant and to make that data intelligible. Such orders can only be made with respect to a “person under investigation, an owner of the device, an employee of the owner, a relevant contractor, a person who has used the device, or a systems administrator.”

The Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act), which provides a warrant system for intercepting communications and accessing stored communications, does not include a specific requirement for service providers to assist in making encrypted communications or other data intelligible. Under that Act and the Telecommunications Act 1997 (Cth), carriers and carriage service providers are required to provide assistance to officials, including by giving effect to stored communications warrants, providing interception services, and providing “relevant information” about communications.

There have been multiple reviews of the TIA Act and related legislation over the years. Following a report by the Australian Law Reform Commission on privacy issues and recommendations by a parliamentary committee on reforming national security legislation, another parliamentary committee examined the need for a comprehensive revision of the TIA Act. The government has indicated that it will consider possible changes to the Act, including consulting with the telecommunications industry and relevant agencies on the development of appropriate legislative provisions to address issues related to accessing encrypted information.

Introduction

There are several federal statutes relevant to the ability of Australian law enforcement and intelligence agencies to access and intercept electronic communications and other data:[1]

  • Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act):[2] This Act provides for various federal and state agencies to obtain interception warrants and stored communications warrants for law enforcement and national security purposes.

  • Surveillance Devices Act 2004 (Cth):[3] This Act provides for eligible federal agencies to obtain warrants to install and use surveillance devices, including data surveillance devices.

  • Telecommunications Act 1997 (Cth):[4] This Act requires that carriers and carriage service providers provide assistance to relevant agencies for the purposes of law enforcement and safeguarding national security.

  • Australian Security Intelligence Organisation Act 1979 (Cth) (ASIO Act): This Act provides the Australian Security Intelligence Organisation (ASIO) with various powers, including the ability to obtain computer access warrants and surveillance device warrants.

  • Crimes Act 1914 (Cth):[5] This Act includes various search and information-gathering powers of law enforcement officers, including the ability to access data held in a computer or other data storage device.

The powers and procedures in these laws related to electronic communications and data have been the subject of several reviews, with the discussion encompassing the impact of new technologies (including encryption technologies) and the need to balance privacy considerations with national security and law enforcement interests.[6] The most recent change that has resulted from these reviews was the amendment of the TIA Act in 2015 to put in place a data retention system that requires service providers to retain certain data related to communications (i.e., “metadata” rather than content) for a set period of time.[7]

Back to Top

II. Access to Information Held in a Computer

A. Order to Assist Law Enforcement Officer to Access Data

Section 3LA of the Crimes Act 1914 enables a member of the Australian Federal Police (AFP) or a state police force [8] to apply to a magistrate “for an order requiring a specified person to provide any information or assistance that is reasonable and necessary” to allow the member to

  • “access data held in, or accessible from, a computer or data storage device”[9] that is on the premises subject to a warrant or has been moved elsewhere for examination or processing, or that has otherwise been seized in accordance with the Act;

  • “copy data held in, or accessible from, a computer, or data storage device, . . . to another data storage device”; and/or

  • “convert into documentary form or another form intelligible to a constable” data held in, accessible from, or copied from a computer or device. [10]

Therefore, it appears that a person may be ordered to provide information related to (1) unlocking a computer or digital storage device that is subject to a warrant, and (2) the decryption of data on such a computer or digital storage device in order to make it accessible and intelligible to the police.

The magistrate may grant the order if he or she is satisfied that there are “reasonable grounds for suspecting that evidential material is held in, or accessible from, the computer or data storage device.”[11] In addition, the magistrate must be satisfied that the person specified in the application is either “reasonably suspected of having committed the offense stated in the relevant warrant,” or is the owner or lessee of the computer or device, an employee of or engaged under a contract of service by the owner or lessee, a person who uses or has used the computer or device, or a person who is or was a system administrator for the relevant system that includes the computer or device. [12] The specified person must also have relevant knowledge of the computer or device or the relevant computer network, or of the “measures applied to protect data held in, or accessible from, the computer or device.” [13] Thus, if a technology company, or employee of such a company, does not fall within these categories it cannot be subject to an order requiring it to provide access to the data on a device.

If a person does not comply with an order made under section 3LA, he or she may be charged with an offense that is subject to a penalty of two years’ imprisonment.[14]

B. ASIO Powers

There is no similar provision in the ASIO Act requiring a person to provide assistance to ASIO in order for it to access or read data on a computer. A computer access warrant issued by the relevant government Minister under the ASIO Act may authorize the agency to do certain things, including using the target computer, a telecommunications facility, any other electronic equipment, a data storage device, another computer, or a communication in transit for the purpose of obtaining access to the relevant data held in the target computer. If necessary, this can include “adding, copying, deleting or altering other data in the target computer” or in the other computer, or the communication in transit.[15]

Back to Top

III. Interception of Communications and Access to Stored Communications

A. Warrant System

1. Interception Warrants

Under the TIA Act, the Director-General of Security may request an interception warrant, issued by the Attorney-General, with respect to a telecommunications service,[16] where the interception of communications made to or from that service will assist ASIO in carrying out its function of obtaining intelligence relating to national security.[17] “Named person warrants” can also be issued that allow the interception of communications made to or from any telecommunications service that the particular person uses or those made using a device identified in the warrant.[18]

In the course of investigating serious offenses, federal law-enforcement agencies and anticorruption agencies, as well as designated state police forces and other agencies, can apply for similar warrants with respect to a telecommunications service or person.[19] These are issued by an eligible judge or nominated Administrative Appeals Tribunal (AAT) member. [20]

2. Stored Communications Warrants

The TIA Act “establishes a system of preserving certain stored communications that are held by a carrier” in order to prevent them from being destroyed before they can be accessed under certain warrants.[21] It also authorizes the issuance of stored communications warrants to criminal law enforcement agencies in the course of investigating a “serious contravention.” [22] Such warrants can be issued by a judge, magistrate, or certain Administrative Appeals Tribunal members.[23] They authorize access to a stored communication that was made by the person named in the warrant, or by another person with the person named in the warrant being the intended recipient.[24]

Interception warrants issued to ASIO, outlined above, are taken to authorize access to a stored communication where “the warrant would have authorised interception of the communication if it were still passing over a telecommunications system.”[25]

B. Requirement for Carriers and Service Providers to Assist Agencies

Carriers and carriage service providers[26] (including Internet service providers) are required to provide certain assistance to ASIO and law enforcement agencies under the Telecommunications Act 1997 (Cth).[27] However, there is no specific requirement for carriers and service providers to assist agencies by making intercepted or stored encrypted communications intelligible.

Part 14 of the TIA Act, titled “National Interest Matters,” establishes obligations for such entities to

  • “do their best to prevent telecommunications networks and facilities from being used to commit offenses”; and

  • “give authorities such help as is reasonably necessary” for the purposes of “enforcing the criminal law and laws imposing pecuniary penalties,” “protecting the public revenue,” and “safeguarding national security.”[28]

Such help includes giving assistance by way of

  1. (a) the provision of interception services, including services in executing an interception warrant under the Telecommunications   (Interception and Access) Act 1979; or

  2. (b) giving effect to a stored communications warrant under that Act; or

  3. (c) providing relevant information about:
  1. (i) any communication that is lawfully intercepted under such an interception warrant; or

  2. (ii) any communication that is lawfully accessed under such a stored communications warrant; or

  1. (ca) complying with a domestic preservation notice or a foreign preservation notice that is in force under Part 3-1A of that Act; or

  2. (d) giving effect to authorisations under Division 3 or 4 of Part 4-1 of that Act [related to accessing telecommunications data]; or


  3. (e) disclosing information or a document in accordance with section 280 of this Act [related to disclosures of certain information in compliance with a warrant or as required or authorized by or under law].[29]

Additional obligations are contained in Chapter 5 of the TIA Act. These primarily relate to data retention requirements [30] and interception capability.[31] This includes a requirement to comply with any determinations regarding the interception capabilities that a carrier must develop, install, and maintain. [32] Carriers and nominated carriage service providers must also develop interception capability plans and submit these annually to the Communications Access Coordinator in the Attorney-General’s Department for consideration.[33] Approval of such plans may be granted following consultation with interception agencies. [34]

Back to Top

IV. Reviews of the Relevant Laws

The following three reviews or inquiries, conducted in the past ten years, include discussions of the impact of new technologies and privacy considerations in relation to intercepting or accessing electronic communications:

  • Australian Law Reform Commission (ALRC) inquiry into Australian privacy law and practice (completed 2008) [35]

  • Parliamentary Joint Committee on Intelligence and Security (PJCIS) inquiry into potential reforms of national security legislation (completed May 2013) [36]

  • Senate Legal and Constitutional Affairs References Committee inquiry regarding the comprehensive revision of the TIA Act (completed March 2015). [37]

Prior reviews relevant to the TIA Act were also carried out in 1994, 1999, 2000, 2003, and 2005.[38] Various amendments have been enacted implementing some of the recommendations that resulted from these reviews.

A. ALRC Report

Chapter 73 of the ALRC report examined the TIA Act, including its interaction with the Privacy Act 1988 (Cth), and made several recommendations for particular legislative and procedural changes.[39] It also recommended that the government “should initiate a review to consider whether the Telecommunications Act 1997 (Cth) and the Telecommunications (Interception and Access) Act 1979 (Cth) continue to be effective in light of technological developments (including technological convergence), changes in the structure of communication industries and changing community perceptions and expectations about communication technologies.”[40]

B. PJCIS Inquiry

Chapter 2 of the 2013 PJCIS report on its inquiry into a package of potential reforms to national security legislation relates to telecommunications interception.[41] The committee recommended various changes to the TIA Act, including in relation to privacy protections.[42] It also recommended that the Attorney-General’s Department conduct a review of the legislation and that the TIA Act should be “substantially revised,” with a new interception system designed that is underpinned by clear protection for the privacy of communications, provisions that are technology neutral, maintenance of investigative capabilities, clearly articulated and enforceable industry obligations, and robust oversight and accountability.[43]

As part of the inquiry, the Attorney-General’s Department proposed that an offense should be introduced for failure by telecommunications providers to assist in the decryption of communications. The Department stated that

Section 3LA of the Crimes Act 1914 (the Crimes Act) sets out provisions concerning decryption regarding information obtained under search warrants; however this does not extend to communications intercepted pursuant to a warrant under the TIA Act.

In summary, section 3LA of the Crimes Act allows a police officer to apply to a magistrate for a warrant to require a person to provide in accessible form (i.e. in decrypted form) data held on a computer or data storage device, where the computer or data storage device had been seized under a warrant. A warrant may be applied to the person under investigation, an owner of the device, an employee of the owner, a relevant contractor, a person who has used the device, or a systems administrator. There is a penalty of up to two years imprisonment for failing to comply with an order.

A consistent approach to that contained in the Crimes Act would ensure that information lawfully accessed for national security or law enforcement purposes under the TIA Act was intelligible.[44]

The PJCIS report noted support for the proposal from certain law enforcement agencies and also reflected the objections of different groups.[45] It considered that there was some lack of clarity and specificity in what was being proposed [46] and recommended that, should the government decide to develop an offense of failing to provide decryption assistance, it should do so in consultation with the telecommunications industry and relevant government agencies. [47]

C. TIA Act Revision Inquiry

The Senate committee’s inquiry regarding the comprehensive revision of the TIA Act was carried out over a fifteen-month period, with the report being issued in March 2015.[48] The committee was asked by the Senate to have regard to both the ALRC report and the PJCIS report.[49]

The committee noted that “all law enforcement and national security agencies agreed that the current TIA Act was at risk of becoming ineffective without reform.”[50] Of particular concern was that the TIA Act should be modernized in order to keep pace with changes in technology, including the view, expressed by the Australian Crime Commission, that the TIA Act “must be capable of overcoming technical advances which are deliberately used to prevent law enforcement from lawfully intercepting and accessing communications.” [51]

The chair of the committee recommended that the TIA Act be “substantially redrafted” to enact a single attribute-based warrant system, and that a Public Interest Monitor should be established to have oversight of the warrant system.[52] Other members agreed with the recommendation for a substantial revision of the Act and the establishment of a single warrant, although some did not think a Public Interest Monitor was necessary.[53]

D. Government Response

In July 2015 the government released its response to recommendations related to the TIA Act that were included in the PJCIS report on national security legislation.[54] It indicated support for nearly all of the recommendations, including the recommendation related to the potential establishment of an offense for failure to assist in decrypting communications. The response stated that

[t]he Australian government supports strong encryption, which underpins modern, secure communications technologies. These technologies are fundamental to a digital economy, and provide an unparalleled opportunity for exercise of the fundamental freedoms of expression, peaceful assembly and association.

However, the use of encrypted communications for serious criminal purposes and purposes prejudicial to security represents an increasingly significant barrier to the ability of governments to bring serious offenders to justice. Accordingly, the Government will explore, in consultation with agencies and the telecommunications industry, the development of appropriate legislative provisions, including safeguards, oversight and accountability measures.[55]

More broadly, the government stated that it intends to finalize its detailed response to a number of the recommendations related to the TIA Act following the delivery of a report concerning whether the agencies that may access the content of communications should be standardized, which is to be completed by April 13, 2017.[56]


Back to Top

Prepared by Kelly Buchanan
Chief, Foreign, Comparative, and
International Law Division I
May 2016

[1] See generally Telecommunications Interception and Surveillance: Overview of Legislation , Attorney-General’s Department, https://www.ag.gov.au/NationalSecurity/TelecommunicationsSurveillance/Pages/Overviewof legislation.aspx (last visited Apr. 8, 2016), archived at https://perma.cc/CRE2-EZZF.

[2] Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act),https://www.legislation.gov.au/Details/ C2016C00102, archived at https://perma.cc/CD3H-SGW7.

[3] Surveillance Devices Act 2004 (Cth),https://www.legislation.gov.au/Details/C2016C00103, archived at https://perma.cc/AA2T-8AM3.

[6] See infra , Part IV.

[7] Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth),https://www. legislation.gov.au/Details/C2015A00039, archived at https://perma.cc/TP4K-HQGP. See generally Data Retention, Attorney-General’s Department, https://www.ag.gov.au/NationalSecurity/DataRetention/ Pages/Default.aspx (last visited Apr. 8, 2016), archived at https://perma.cc/6UFK-W2NF.

[8] See definition of “constable” in section 3 of the Crimes Act 1914 (Cth).

[9] “Data storage device” is defined in section 3 of the Crimes Act 1914 (Cth) as “a thing containing, or designed to contain, data for use by a computer.”

[10] Crimes Act 1914 (Cth), s 3LA(1).

[11] Id. s 3LA(2)(a).

[12] Id. s 3LA(2)(b).

[13] Id. s 3LA(2)(c).

[14] Id. s 3LA(5).

[15] ASIO Act s 25A(4)(a) & (ab).

[16] “Telecommunications service” is defined in section 5 of the TIA Act as “a service for carrying communications by means of guided or unguided electromagnetic energy or both, being a service the use of which enables communications to be carried over a telecommunications system operated by a carrier but not being a service for carrying communications solely by means of radiocommunication.”

[17] TIA Act s 9(1). Warrants issued to ASIO under chapter 2 of the TIA are also referred to as “Part 2-2 warrants.”

[18] Id. s 9A.

[19] Id. ss 46 & 46A. “Serious offence” is defined in section 5D of the TIA Act.

[20] Id. s 39, 46 & 46A. Such warrants are also referred to as “Part 2-5 warrants.”

[21] Id. s 107G. “Carrier” and “carriage service provider” (included in the definition of “carrier” in section 5 of the TIA Act) are defined in the Telecommunications Act 1997 (Cth). A “carriage service provider” is a person who supplies, or proposes to supply, a listed carriage service using “a network owned by one or more carriers” or “a network unit in relation to which a nominated carrier declaration is in force.” Telecommunications Act 1997 (Cth) s 87. “Carriage service” means “a service for carrying communications by means of guided and/or unguided electromagnetic energy.” Id. s 7. A “carrier” refers to a holder of a carrier license issued under the Act. The Act requires that the owner of a network unit used to supply carriage services to the public must hold a carrier license, unless a declaration or exemption applies. See id. s 41.

[22] TIA Act s 116. “Criminal law enforcement agencies” for the purposes of this part are listed in section 110A of the TIA Act. “Serious contravention” is defined in section 5E of the TIA Act.

[23] Id. ss 110, 116 & 6DB.

[24] Id. s 117.

[25] Id. s 109(a).

[26] See definition of “carriers” and “carriage service providers,” supra note 21.

[27] See generally Law Enforcement (Telecommunications) , Australian Communications and Media Authority (ACMA), http://www.acma.gov.au/theACMA/law-enforcement-telecommunications (last updated Feb. 23, 2016), archived at https://perma.cc/TTR9-YZY4; Licensing – I Want to be an ISP: Carriage Service Provider Rules: Law Enforcement, ACMA, http://www.acma.gov.au/Industry/Internet/Licensing--I-want-to-be-an-ISP/Carriage-service-provider-rules/isps-and-law-enforcement-isp-licensing-i-acma (last updated Mar. 7, 2014), archived at https://perma.cc/GC43-7FLA.

[28] Telecommunications Act 1997 (Cth) s 311. See also id. s 313(1) & (3).

[29] Id. s 313(7).

[30] TIA Act pt 5-1A.

[31] Id. pts 5-3 to 5-6.

[32] Id. ss 189 & 190.

[33] Id. ss 195(2) & 198(1); Interception Capability Plans, Attorney-General’s Department, https://www.ag.gov. au/NationalSecurity/TelecommunicationsSurveillance/Pages/InterceptionCapabilityPlans.aspx (last visited Apr. 11, 2016), archived at https://perma.cc/WA3B-YJNG. The Communication Access Coordinator “liaises between law enforcement agencies and the telecommunications industry.” Id.

[34] TIA Act s 198(2).

[35] For Your Information: Australian Privacy Law and Practice (ALRC Report 108) , Australian Law Reform Commission (ALRC), http://www.alrc.gov.au/publications/report-108 (last visited Apr. 11, 2016), archived at https://perma.cc/497T-FNQM.

[36] Inquiry into Potential Reforms of National Security Legislation , Parliament of Australia, http://www.aph. gov.au/Parliamentary_Business/Committees/House_of_Representatives_Committees?url=pjcis/nsl2012/index.htm (last visited Apr. 11, 2016), archived at https://perma.cc/XY8C-MC52.

[37] Comprehensive Revision of Telecommunications (Interception and Access) Act 1979 , Parliament of Australia, http://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Legal_and_Constitutional_Affairs/ Comprehensive_revision_of_TIA_Act (last visited Apr. 11, 2016), archived at https://perma.cc/A39M-S6RV.

[38] Telecommunications Interception Reviews , Attorney-General’s Department, https://www.ag.gov.au/ NationalSecurity/TelecommunicationsSurveillance/Pages/TIReviews.aspx (last visited Apr. 11, 2016), archived at https://perma.cc/7GGD-T6GV; see also ALRC, 3 For Your Information: Australian Privacy Law and Practice 2530–32 (ALRC Report 108, 2008) (ALRC Report), http://www.alrc.gov.au/sites/default/files/pdfs/ publications/108_vol3.pdf , archived at https://perma.cc/2W6C-LHLV.

[39] ALRC Report at 2478.

[40] Id. at 2395.

[41] Parliamentary Joint Committee on Intelligence and Security (PJCIS), Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation (May 2013) (PJCIS Report), http://www. aph.gov.au/Parliamentary_Business/Committees/House_of_Representatives_Committees?url=pjcis/nsl2012/report/full.pdf , archived at https://perma.cc/XXX8-YJAQ.

[42] See id. at xxiii–xxv (recommendations 1–4, 6 & 8).

[43] Id. at xxviii (recommendation 18).

[44] Id. at 59–60; Attorney-General’s Department, Submission to PJCIS, Inquiry into Potential Reforms of National Security Legislation (submission 218), at 7, http://www.aph.gov.au/Parliamentary_Business/Committees/House_of_ Representatives_Committees?url=pjcis/nsl2012/subs/sub%20218.pdf , archived at https://perma.cc/NXE8-KC62.

[45] PJCIS Report, supra note 41, at 60–63.

[46] Id. at 63 & 64.

[47] Id. at 64 (recommendation 16).

[48] Senate Legal and Constitutional Affairs References Committee, Comprehensive Revision of the Telecommunications (Interception and Access) Act 1979, at 1 (Mar. 2015), http://www.aph.gov.au/~/media/ Committees/Senate/committee/legcon_ctte/tia_act/report/report.pdf?la=en , archived at https://perma.cc/KN7S-NLC9.

[49] Id. at 3.

[50] Id. at 10.

[51] Id.

[52] Id. at 41.

[53] Id. at 82–87.

[54] Australian Government Response to Chapters 2 and 3 of the Parliamentary Joint Committee on Intelligence and Security’s Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation (July 1, 2015) (Government Response), http://www.aph.gov.au/parliamentary_business/ committees/house_of_representatives_committees?url=pjcis/nsl2012/govresponse.pdf , archived at https://perma.cc/ S9XA-CEX4; PJCIS Committee Activities (Inquiries and Reports), 43rd Parliament (September 2010–August 2013), Parliament of Australia, http://www.aph.gov.au/parliamentary_business/committees/house_of_ representatives_committees?url=pjcis/reports.htm (last visited Apr. 12, 2016), archived at https://perma.cc/69ZZ-SMWT.

[55] Government Response, supra note 54, at 11–12.

[56] See id . at 2–3, 4 & 8.

Back to Top

Last Updated: 10/01/2016