Commonwealth releases long-awaited encryption assistance bill for public comment
The Commonwealth Government has released a new framework under which agencies can seek industry assistance in relation to accessing encrypted communications.
The Commonwealth’s Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the Bill) sets out a new framework under which agencies can seek or compel industry assistance in relation to accessing encrypted communications.
Scope of the Bill
The Bill will potentially have a broad application, applying not only to telecommunications providers (carriers and carriage service providers for example) but also to the manufacturers of equipment (think the Ciscos and NetComms and their ilk) and to other players providing services or equipment that facilitates, or is ancillary or incidental to, relevant communications services.
Entities falling within the scope of the Bill are referred to as “Designated Communications Providers” (DCPs).
Notices and requests for assistance under the Bill
The Bill establishes three regimes under which industry assistance can be sought.
The first is voluntary. By means of a “Technical Assistance Request” (TAR), the head of an interception agency (as defined) can request assistance on a voluntary basis.
However, if voluntary assistance is not forthcoming or does not fit the scenario at hand, there are two compulsory notification regimes. They are:
- Technical Assistance Notice (TAN): the Director-General of Security or the chief officer of an interception agency can issue a TAN requiring a DCP to give assistance that they are already capable of providing. A TAN cannot require a DCP to build a capability or function that it does not already possess. The operational impact on recipients of a TAN should therefore be limited.
- Technical Capability Notice (TCN): a TCN may be issued by the Attorney-General at the request of the Director-General of Security or the chief officer of an interception agency or ASIO. A TCN can require a DCP to build a new capability that will enable them to assist either ASIO or other relevant agencies. The TCN cannot be used to engineer a weakness in a device or remove its electronic protection (such as a password or encryption). The Attorney-General must consult with the affected DCP prior to issuing the notice to ascertain appropriate procedures and arrangements as part of the request.
The Bill includes (or is subject to) constraints on its excessive or arbitrary use. For example:
- A notice (whether a TAR, a TAN or a TCN) must pass a four-pronged test: it must be reasonable, proportionate, practicable and technically feasible.
- The proposed new regime of notices would not subvert existing requirements for a warrant or authorisation prior to the interception or collection of communication data. These remain intact under the Telecommunications (Interception and Access) Act 1979, including the statutory thresholds and standards under which a judge or member of the Administrative Appeals Tribunal (AAT) would issue a warrant to intercept or collect communications.
- Notices must be issued by an appropriately senior officer and, depending on the type of notice, require consultation with the DCP.
The telecommunications industry is well practised in cooperating with agencies in these areas and so no particular problems are to be anticipated here provided agencies remain sensitive to natural private sector constraints such as cost and the availability of resources (including human resources and time).
However, some of the “facilitators” and “ancillary or incidental” players will be new to this regime. Accordingly, agencies will need to be sensitive to this in order to foster cooperative relationships with these new players along the lines of the relationships that currently exist with the telcos.
TCNs will have the greatest impact on DCPs. Assistance under a TCN is expected to be provided on a no-profit, no-loss basis. Nevertheless, DCPs and agencies will need to be able to discuss openly and frankly what is realistic and achievable, both technologically and commercially, to ensure that the TCN regime is operated co-operatively rather than coercively. Excellent working relationships with industry will be vital to the success of the TCN regime.
 For example see Chapter 2, Part 25, Div 3. cl 39 ‘Application for warrants’ of the Telecommunications (Interception and Access) Act 1979 (Cth).
 See Chapter 2 ‘Interception of Communications’ of the Telecommunications (Interception and Access) Act 1979 (Cth).