The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (referred to as the Encryption Act) was passed by the Australian Parliament on 6 December 2018 and received Royal Assent on 8 December 2018.
The new law affects a wide range of suppliers across the IT industry including equipment and device manufacturers, infrastructure providers, cloud-based storage services, software developers and web-and-app based communications services including social media.
Final Amendments to the Encryption Bill
The Parliamentary Joint Committee on Intelligence and Security issued an Advisory Report on the Encryption Bill on the evening of 5 December making 17 recommendations. At 9:30 am on the following day, the Government tabled 50 pages of draft amendments intended to implement those recommendations. It appears that all of the recommendations were adopted except for the inclusion of "defences for IGIS officials" in Recommendation 5, and Recommendations 10 and 12. It is also unclear at this stage whether Recommendation 16 will be affected.
Some of the key last minute changes made by the government that are now in the Encryption Act include:
- Removing police integrity agencies from the Investigatory Agencies able to issue Requests and Notices.
- Better linking the right of an agency to issue Requests or Notices to its statutory responsibilities.
- Introducing a tiered approval process and a duty to consult before issuing a Technical Assistance Notice.
- Limiting the ability to issue Requests or Notices to national security purposes and to cases where use of the powers relates to serious offences (defined to mean any offence punishable by a term of imprisonment of 3 years or more).
- Adding improved oversight by the Inspector-General of Intelligence and Security for national security agencies, and information-gathering powers for the Commonwealth Ombudsman.
- Preventing Requests and Notices from being used to obtain meta-data.
- Introducing definitions of "systemic vulnerability" and "systemic weakness" that appear to substantially narrow the meaning of these terms and thereby limit the reach of the restrictions that depend on them:
- "Systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified"; and
- "Systemic weakness means a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified."
- Provisions inserted into a new section 317ZG which provide that, for cases where a weakness is selectively introduced to one or more target technologies that are connected with a particular person, intelligence and interception agencies must not create a material risk that otherwise secure information can be accessed by an unauthorised third party.
Read together, the new definitions of "systemic vulnerability" and "systemic weakness" and the amendments to section 317ZG would appear to mean that relevant companies are protected from being required to weaken security and/or insert backdoors with broad impact on their products or the security of their customers only where:
- the issuing agency decides to "selectively introduce" a weakness to one or more target technologies and those target technologies are connected with a particular person (whether identified or unidentified), in which case the agency must not create a material risk that otherwise secure information can be accessed by an unauthorised third party; or
- the impact would be on a "whole class of technology."
There would appear to be a very large number of cases in which a notice or request would fall outside both of these criteria and so would not attract the protection.
What this means for IT businesses operating in or connected to Australia
Intelligence and interception agencies now have power to issue Requests and Notices requiring regulated businesses to render a wide range of assistance. The list of acts or things that may be required includes: removing one or more forms of electronic protection, providing technical information, facilitating access to services and equipment, installing software, modifying technology, and concealing that the company has done any of the above. An intelligence or interception agency could, for example, send a criminal suspect a notification to update messaging software where the update in fact gives the agency access to their messages. Regulated businesses that provide cloud-based email could be required to generate unsecured webmail or customer instances. Device manufacturers and/or related suppliers may be required to modify a device to report its location, to record or transmit audio, or to install key-logging software.
The new powers cannot be used to access content or meta-data that would otherwise be accessible only under a warrant or authorisation under the Telecommunications (Interception and Access) Act 1979. Service providers are entitled to compensation for their costs of compliance but may not make a profit from compliance.
Requests and Notices are issued at the discretion of the agency where the agency considers them "reasonable and proportionate" and where compliance is practicable and technically feasible.
What happens next?
The opposition Labor party did not move its proposed amendments to the Encryption Bill in the Senate on 6 December 2018 after Finance Minister Mathias Cormann gave an undertaking to consider further changes on the first sitting day of 2019.
Attorney-General Christian Porter subsequently announced that the Government had agreed to "consider" Labor's amendments "if any genuinely reflect the recommendations of the Parliamentary Joint Committee on Intelligence and Security."
Labor has also announced that it will review criticisms of the Encryption Act next year, with the intention of raising any further issues in the first quarter of 2019.
Thanks to Associate Ann-Maree Harnett for her assistance in preparing this alert.