On December 6, 2018, the Australian Parliament passed a bill that aims to address concerns raised by national security and law enforcement agencies regarding encrypted communications.
Introduced in September, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (the Act) may affect technology companies around the globe. As discussed in our previous post, the Act requires “designated communications providers” (a definition that includes foreign and domestic communications providers) to provide support to Australian government agencies under new legal bases provided by the Act’s framework. A Technical Assistance Notice (TAN), for example, will permit certain government entities to require assistance that a designated communications provider is already capable of giving. If the provider lacks the capability to assist, a Technical Capability Notice (TCN) may require the provider to build such capability.
As described in greater detail in the Act’s accompanying Explanatory Memorandum, the ability to issue TANs and TCNs is not without limitation. Importantly, neither forms of Notice may require providers to implement or build a “systemic weakness or systemic vulnerability” into their electronic protections, or prevent providers from patching such weaknesses or vulnerabilities. Recent additions to the Act took this prohibition even further—requiring that in any case where a weakness is selectively introduced to a “target” technology connected with a particular person, the prohibition against systemic weaknesses or vulnerabilities extends to anything that would “jeopardize the security of information held by any other person” aside from the intended target. The phrase “jeopardize the security of information” is defined by the Act as any “act or thing that creates a material risk that otherwise secure information can be accessed by an unauthorized party.”