Australia's new Encryption Act - KPMG Australia

Australia's new Encryption Act


On 6 December 2018, Federal Parliament passed the Telecommunications and Other Legislation (Assistance and Access) Bill 2018 and the legislation is now in force. The legislation has been the subject of considerable debate, both within the houses of Parliament and more broadly by privacy advocates, Big Tech heavyweights and members of the general public who have all had a view.


What's changed?

The legislation gives intelligence and interception agencies (including ASIO, ASIS and the ASD) the ability to monitor the use of encrypted technologies by terrorists, sex offenders and criminal organisations by enlisting support from a broad range of organisations and through increased computer access and search warrants. Explanatory materials state that over 90 percent of telecommunication information being lawfully intercepted by the Australian Federal Police now uses some form of encryption. Often this is via the same everyday messaging applications, such as WhatsApp, that the rest of us use.[1]

Who does it apply to?

The legislation extends to ‘designated communications providers’ and the eligible activities of those providers. Individuals as well as bodies corporate may be designated communications providers, and a person may fall within one or more of the categories in the table set out in section 317C.[2]

A provider includes any person who provides, or provides a service that facilitates, an electronic service that has one or more end-users in Australia. An electronic service includes a website and the definition is broad enough to capture a provider’s internal network and intranet. Providers include telecommunication companies and over-the-top service providers such as WhatsApp and WeChat but could also extend to most Australian businesses given they will operate websites or other electronic services.

The new powers are expected to extend to devices or services likely to connect to the internet or another network and could also extend to ‘internet of things’ devices and other voice controlled systems.

What does industry assistance involve?

The details of what is required and the time to comply will be set out in each notice. There are 3 types of industry assistance:

  1. Voluntary: a technical assistance request is voluntary. It is anticipated that providers complying with these requests can negotiate an agreement that sets out the terms of this assistance.
  2. Mandatory subject to capability: a technical assistance notice issued by the Director-General of Security or the head of an intelligence or interception agency is mandatory if the provider is currently capable of providing that assistance.
  3. Mandatory: a technical capability notice issued by the Attorney-General is mandatory and may require the provider to do acts or things to ensure it can provide the industry assistance.

Section 317E(1) provides a list of the ‘acts or things’ that may be specified in a technical assistance request or technical assistance notice. Additional forms of assistance may be requested or required, provided they are of a similar kind to those listed.

Technical capability notices may require a provider to do acts or things that ensure the provider is capable of giving the requested assistance. The listed acts or things are contained in section 317E(1) and with the exception of s 317(1)(a), provide an exhaustive list of the types of acts or things that may be required. The explanatory materials acknowledge that this may require significant investment.

Are there any safeguards?

  1. Reasonableness: a precondition of issuing a notice is that the requirements must be reasonable and proportionate, and compliance with the notice must be practicable and technically feasible. Reasonableness and proportionality are assessed against a variety of factors set out in section 317T, including the interests of national security, the legitimate interests of the provider and the legitimate interests of the Australian community in relation to privacy and cybersecurity.
  2. Systemic weaknesses: technical assistance notices and technical capability notices cannot require providers to remove protections in a way that creates systemic weaknesses or vulnerabilities, or prevent providers from fixing an identified weakness or vulnerability. A systemic weakness is defined as a weakness that affects a whole class of technology and does not include circumstances where a weakness is selectively introduced to one or more target technologies connected to an individual. This has raised concerns that notices may require actions that create a weakness in a particular service, device or item.
  3. Additional steps: the Attorney-General may also set out procedures that need to be followed for technical capability notices, and certain types of notices may require the approval or agreement of another body or person before the notice is issued. Unless the matter is considered urgent, it is expected that the relevant provider will be consulted before a technical capability notice is issued. As part of this consultation process, a provider may dispute the necessity of a capability notice and request an independent assessment of whether such a notice should be given.

What about the impact of providing that assistance?

  • Cost: the legislation provides a mechanism for financial compensation and a mechanism for the provider to go to arbitration if it considers that the costs of complying with a notice are unreasonable.
  • Third parties: a provider will be immune from civil liability for any acts done in accordance with the formal request. Importantly, the legislation specifically prohibits disclosures in the circumstances outlined in s 317ZF, imposing strict requirements on the provider not to disclose the information that is the subject of the notices except as required under the notice. All disclosures not prohibited by new section 317ZF are authorised by law for the purposes of the Privacy Act 1988.

What's next?

The legislation was passed by the ALP on the understanding that amendments would be debated in relation to the Act early in 2019. Proposed ALP amendments include providing further definitional clarity for the terms ‘systemic weakness’, ‘systemic vulnerability’ and ‘target technology’, as well as mandating that technical assistance and capability notices require prior judicial approval.

Home Affairs Minister Peter Dutton has since stated that the government does not intend to accept Labor’s proposed amendments and will only entertain amendments consistent with recommendations suggested by the Parliamentary Joint Committee on Intelligence and Security, which is due to provide a further report on the Act in April 2019.

References

  1. Telecommunications and Other Legislation Amendment (Access and Assistance) Bill 2018, Explanatory Memorandum [3]
  2. Telecommunications and Other Legislation Amendment (Access and Assistance) Bill 2018 [14] https://parlinfo.aph.gov.au/parlInfo/download/legislation/bills/r6195_aspassed/toc_pdf/18204b01.pdf;fileType=application/pdf (PDF 1.56MB)
