On December 6, 2018, the Australian Parliament passed a bill that aims to address concerns raised by national security and law enforcement agencies regarding encrypted communications.
Introduced in September, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (the Act) may affect technology companies around the globe. As discussed in our previous post, the Act requires “designated communications providers” (a definition that includes foreign and domestic communications providers) to provide support to Australian government agencies under new legal bases provided by the Act’s framework. A Technical Assistance Notice (TAN), for example, will permit certain government entities to require assistance that a designated communications provider is already capable of giving. If the provider lacks the capability to assist, a Technical Capability Notice (TCN) may require the provider to build such capability.
As described in greater detail in the Act’s accompanying Explanatory Memorandum, the ability to issue TANs and TCNs is not without limitation. Importantly, neither forms of Notice may require providers to implement or build a “systemic weakness or systemic vulnerability” into their electronic protections, or prevent providers from patching such weaknesses or vulnerabilities. Recent additions to the Act took this prohibition even further—requiring that in any case where a weakness is selectively introduced to a “target” technology connected with a particular person, the prohibition against systemic weaknesses or vulnerabilities extends to anything that would “jeopardize the security of information held by any other person” aside from the intended target. The phrase “jeopardize the security of information” is defined by the Act as any “act or thing that creates a material risk that otherwise secure information can be accessed by an unauthorized party.”
In addition, when issuing either Notice, the government must consider whether the assistance requested is “reasonable and proportionate” and whether compliance is “practicable and technically feasible.” The Act specifies that factors for the government to consider include “the legitimate interests of the designated communications provider,” and “the availability of other means” to achieve the objectives of the Notice (this could mean, for example, that if data sought belongs to an enterprise, the government may consider obtaining the data directly from the enterprise itself rather than by requiring indirect assistance from the enterprise’s communications provider). Moreover, although the Act does state that providers may be required to “conceal the fact that any thing has been done covertly” in relation to various purposes, such as enforcing criminal laws, the Act also states that providers cannot be required to make “false or misleading statements” or engage in “dishonest conduct.”
The Act was passed against the backdrop of a growing interest among the Five Eyes—an intelligence alliance between the United States, Britain, Australia, Canada, and New Zealand—in encryption technologies. In late November, two high-ranking officials in the United Kingdom’s Government Communications Headquarters (the U.K.’s equivalent of the NSA) endorsed commercially-available encryption but underscored the U.K. government’s need to access critical data in exceptional cases. They proposed a number of means by which companies could build technologies to address their concerns. That same day, Rod Rosenstein, the United States Deputy Attorney General, encouraged technology companies “to develop ‘responsible encryption’—effective, secure encryption that resists criminal intrusion but allows lawful access with judicial authorization.”
The Act received Royal Assent on December 8th and is now in force. However, Australia’s opposition Labor Party hopes to make additional amendments to the law next year.