New encryption bill: Why the rush and what is all the fuss about?

On 20 September (less than a week after consultation submissions closed), the Home Affairs Minister Peter Dutton introduced the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018. The bill has been referred to the Parliamentary Joint Committee on Intelligence and Security for review, with submissions closing on 12 October and hearings to be held the following week.

In a nutshell, the proposed legislation will establish a framework under which law enforcement and intelligence agencies can compel tech companies to provide assistance and capabilities that enable access to communications on end-point devices.

Why the change in law?

The government has cited the difficulties currently faced by law enforcement and intelligence agencies in preventing and investigating crime and terrorism where encryption is used in modern communications technology. The bill (and the rush to push it through) is also likely driven by the government’s desire to contribute to the ‘Five Eyes’ nations’ crackdown on encryption.

What are the changes?

The new legislation will amend the Telecommunications Act 1997 (Cth) allowing the Australian Security Intelligence Organisation (ASIO), the Australian Secret Intelligence Service and certain ‘Interception Agencies’ to issue:

  • Technical Assistance Notices – these are compulsory notices for a relevant tech company to use an existing interception capability to provide assistance;
  • Technical Capability Notices – these are compulsory notices for a relevant tech company to build a new interception capability; and
  • Technical Assistance Requests – these are voluntary requests to a relevant tech company for assistance and capabilities that enable access to communications on end-point devices, in order to enforce Australian or foreign criminal laws and for national interest purposes.

The request and notices are limited in scope in that they cannot: (a) be issued to do an act or thing in the absence of a warrant where a warrant is required; or (b) require the building of a systematic weakness or systematic vulnerability into a form of electronic protection (or prevent the fixing of such weaknesses or vulnerabilities).

The proposed legislation will also expand powers in respect of computer access warrants by amending various existing pieces of legislation. It will also arm ASIO with new and expanded powers including an ability to seek an order for assistance to access information on a device on foreign intelligence or national security grounds.

Which types of tech companies will be impacted?

The legislation, if passed, will have a significant impact across the tech sector. The new powers apply to ‘designated communications providers’, a term that is defined broadly and will include certain software developers, manufacturers of devices and other equipment, infrastructure providers, cloud service providers, and app (or web-based) communications companies.

Which parts of this bill have everyone talking?

Some of the main areas of debate and criticism are:

  • Lack of definitions – one recurring criticism is that terms such as ‘systematic weakness’ and ‘systematic vulnerability’, which appear in the proposed legislation, are not clearly defined, and that this could lead to confusion about compliance, with legal challenges inevitably ending up in the courts.
  • Going around encryption – The government is stressing that the legislation cannot be used to require tech companies to build ‘back doors’ into encryption, and the current drafting aims to clarify that both requests and notices are ineffective where the required actions would implement a decryption capability or render systemic methods of authentication or encryption less effective. However, many commentators argue that the new legislative powers could still be used to effectively circumvent encryption altogether, by requiring tech companies to deploy government software (essentially active or dormant spyware) on servers and/or end devices that allows messages to be intercepted pre-encryption (i.e. before sending) and/or post-decryption (i.e. after a message has been received). While this method may not break encryption or introduce a weakness or vulnerability into the encryption itself, building a capability to circumvent it arguably has the same practical effect and would likely affect public trust in modern technologies.
  • Voluntary requests – The concept of voluntary requests being issued to tech companies has also raised concerns, not only about how the power might be exercised in practice but also about how responses and approaches (including transparency) might differ across the tech companies that receive those requests.

What next?

The Parliamentary Joint Committee on Intelligence and Security submission window is still open until Friday 12 October at 12pm. Whether or not they put in a submission, impacted companies should be watching this space closely over the coming weeks.

It will be interesting to see what amendments are conceded in attempts to pass this significant piece of legislation. Similar attempts in other countries (including the UK in 2016) were met with strong resistance followed by substantial concessions.

For further information contact:

Daniel Gleeson

Principal | Head of ICT legal services

danielg@lexvoco.com

0432 636 541