Commonwealth releases long-awaited encryption assistance bill for public comment

By Russell Wilson

• 10 September 2018 • 4 min read

The Commonwealth Government has released a new framework under which agencies can seek industry assistance in relation to accessing encrypted communications.

The Commonwealth’s Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the Bill) sets out a new framework under which agencies can seek or compel industry assistance in relation to accessing encrypted communications.

Scope of the Bill

The Bill will potentially have a broad application, applying not only to telecommunications providers (carriers and carriage service providers, for example) but also to the manufacturers of equipment (think the Ciscos and NetComms and their ilk) and to other players providing services or equipment that facilitate, or are ancillary or incidental to, relevant communications services.

Entities falling within the scope of the Bill are referred to as “Designated Communications Providers” (DCPs).

Notices and requests for assistance under the Bill

The Bill establishes three regimes under which industry assistance can be sought.

The first is voluntary. By means of a “Technical Assistance Request” (TAR), the head of an interception agency (as defined) can request assistance on a voluntary basis.

However, if voluntary assistance is not forthcoming or does not fit the scenario at hand, there are two compulsory notification regimes. They are:

  • Technical Assistance Notice (TAN): the Director-General of Security or the chief officer of an interception agency can issue a TAN requiring a DCP to give assistance that they are already capable of providing. A TAN cannot require a DCP to build a capability or function that it does not already possess. The operational impact on recipients of a TAN should therefore be limited.
  • Technical Capability Notice (TCN): a TCN may be issued by the Attorney-General at the request of the Director-General of Security or the chief officer of an interception agency or ASIO. A TCN can require a DCP to build a new capability that will enable them to assist either ASIO or other relevant agencies. The TCN cannot be used to engineer a weakness in a device or remove its electronic protection (such as a password or encryption). The Attorney-General must consult with the affected DCP prior to issuing the notice to ascertain appropriate procedures and arrangements as part of the request.

Safeguards

The Bill includes (or is subject to) constraints on its excessive or arbitrary use. For example:

Reasonableness

A notice (whether a TAR, a TAN or a TCN) must pass a four-pronged test: it must be reasonable, proportionate, practicable and technically feasible.

Warrants

The proposed new regime of notices would not subvert existing requirements for a warrant or authorisation[1] prior to the interception or collection of communication data. These remain intact under the Telecommunications (Interception and Access) Act 1979 including the statutory thresholds and standards under which a judge or member of the Administrative Appeals Tribunal (AAT) would issue a warrant to intercept or collect communications.[2]

Issuing authority

Notices must be issued by an appropriately senior officer and, depending on the type of notice, require consultation with the DCP.

Conclusion

The telecommunications industry is well practised in cooperating with agencies in these areas and so no particular problems are to be anticipated here provided agencies remain sensitive to natural private sector constraints such as cost and the availability of resources (including human resources and time).

However, some of the “facilitators” and “ancillary or incidental” players will be new to this regime. Accordingly, agencies will need to be sensitive to this in order to foster cooperative relationships with these new players along the lines of the relationships that currently exist with the telcos.

TCNs will have the greatest impact on DCPs. Assistance under a TCN is expected to be provided on a no-profit, no-loss basis but nevertheless, DCPs and agencies will need to be able to openly and frankly discuss what is realistic and achievable, both technologically and commercially, to ensure that the TCN regime is operated co-operatively rather than coercively. Excellent working relationships with industry will be vital to the success of the TCN regime.

[1] For example see Chapter 2, Part 25, Div 3. cl 39 ‘Application for warrants’ of the Telecommunications (Interception and Access) Act 1979 (Cth).

[2] See Chapter 2 ‘Interception of Communications’ of the Telecommunications (Interception and Access) Act 1979 (Cth).

