Decrypting the Decryption Bill
October, 2018 - Paul Kallenbach, John Fairbairn, Lisa Jarrett
Following a short period of public consultation, the Telecommunications and Other Amendments (Assistance and Access) Bill 2018 (Cth) (Bill) has been introduced into Parliament. Despite the extensive public concerns raised with the Exposure Draft version, only a small number of amendments have been made to the Bill.
Following extensive submissions and much debate, the 'decryption Bill' has now been introduced into Parliament. The Bill introduces a package of amendments to assist law enforcement agencies to overcome the challenges of accessing data under warrants at a time when (according to Mr Dutton in his second reading speech of the Bill) 'criminal syndicates and terrorists are increasingly misusing and, indeed, exploiting [encryption] technologies'. Specifically, the Bill introduces amendments to:
- the Telecommunications Act 1997 (Cth) by establishing new mechanisms for providers of communications services and devices in Australia (referred to as 'designated communications providers' (DCPs)) to assist security and law enforcement agencies to access encrypted data. The Bill establishes three tiers of assistance that law enforcement agencies can issue:
  - Technical Assistance Requests: voluntary assistance requests that may be issued by the head of an interception agency (Federal, State and Territory law enforcement or anti-corruption agencies), the Australian Security Intelligence Organisation (ASIO), the Australian Secret Intelligence Agency or the Australian Signals Directorate.
  - Technical Assistance Notices: mandatory notices that can be issued by the head of ASIO or an interception agency that require the DCP to give assistance, utilising the provider's current capabilities.
  - Technical Capability Notices: mandatory notices issued by the Attorney-General (at the request of the head of ASIO or an interception agency) requiring a DCP to build capability or functionality to enable it to provide the requested assistance.
The Bill sets out a range of acts or things that these notices may require of DCPs, including providing technical information, removing one or more forms of electronic protection that are or were applied by (or on behalf of) the provider, notifying agencies of a change to a service, and installing, maintaining, testing or using software or equipment or assisting with those activities.
- a range of other legislation, including the Commonwealth ASIO Act, Surveillance Devices Act, Telecommunications (Interception and Access) Act, Crimes Act and Customs Act. These amendments:
  - introduce new computer access warrants for law enforcement agencies that enable them to covertly obtain evidence from a device; and
  - strengthen and streamline the ability of law enforcement and national security authorities to overtly access data via existing search and seizure warrants.
What is the Bill's impact?
Regulated organisations
The range of providers that could be subject to a request or notice is broad. The Bill extends the scope of the Telecommunications Act to Australian and foreign communications services and device providers, to the extent the service or device has an Australian user. It is not only telcos that are impacted. Equipment vendors, smartphone and other device manufacturers and software and services vendors (whether local or global) could also be the subject of a request or notice. Many of these would have varying resources and capabilities to respond.
Costs of compliance
DCPs who will potentially be affected have expressed concern that the cost of responding to requests or notices could be substantial, particularly if the provider is required to build new capability. The Bill provides that costs of compliance are recoverable on a no-profit-no-loss basis. Providers may also be able to enter into commercial terms for the provision of assistance. However, those with more limited resources may well find the cost of providing services in Australia is not viable, particularly if they are caught simply because they offer an app on a global store.
Media sources
An unintended consequence of the Bill is that confidential and encrypted communications between journalists and their sources could be revealed to law enforcement agencies. Unlike the Telecommunications (Interception and Access) Act 1979 (Cth) (Interception and Access Act), the Bill does not build in any protections for journalists' sources that would allow scrutiny of requests or notices which could result in revealing those sources. Following numerous submissions on the draft Interception and Access Act on this issue, the concept of a 'journalist information warrant' was introduced, under which the Attorney-General cannot issue such a warrant unless satisfied that (amongst other things) the public interest in issuing the warrant outweighs the public interest in protecting the confidentiality of the identity of the source in connection with whom the authorisation is sought. By contrast, the Bill does not provide for a similar mechanism to protect confidential sources.
What has happened so far?
The history of the Bill has been short, particularly in light of what it seeks to achieve. The exposure draft Bill was released for public comment on 14 August 2018, with submissions due by 10 September. Just ten days later, the Bill was introduced into Parliament, without significant amendment. The Department has now published the submissions it received - almost 350 in total.
Concerns raised
There are shared themes within the submissions. Whilst there is broad support for the objectives of the Bill, there are serious concerns about the effect of the Bill, if passed in its current form, on DCPs, those organisations whose data may be affected, and individual consumers.
Technology and communications industry groups, the Offices of the Australian and Victorian Information Commissioners and civil liberties groups have all expressed concerns about:
- the lack of clarity and definition in the Bill, particularly in relation to the range of actions that law enforcement agencies may require DCPs to undertake;
- the potential for the Bill to result in unintended weakening of digital security and increase the potential for data breaches;
- the disproportionate impact of the measures on the privacy rights of individuals in the interests of national security;
- the lack of independent or judicial oversight to act as a check and balance, as no judicial warrant is required; and
- the broad powers given to law enforcement agencies and the impact and reach of the Bill.
In addition, as recently reported in The Sunday Age, experts have expressed the view that the benefits the Bill is seeking to achieve may not ultimately eventuate and other options should be considered before resorting to such measures. There is also concern that the Bill could contribute to an overall weakening of digital security, which in turn could discourage personal communications. Similar to the concerns raised about MyHealthRecord, there are also questions about the effectiveness of the government's own cyber security measures and what this means for the protection of the data that law enforcement will collect.
Amendments to the Bill
A handful of amendments were made to the version of the Bill that was introduced into Parliament following the submissions on the Exposure Draft. The most significant of these are:
- scope reduction: removes 'protecting the public revenue' as one of the relevant objectives for issuing a request or notice (sections 317E(1)(j), 317G(5), 317LT(2) and 317T(3));
- request and notice information: requires DCPs to be given certain information at the time of issuing a request or notice, including:
  - for Technical Assistance Requests: advising providers that compliance with the request is voluntary (section 317HAA); and
  - for Technical Assistance Notices and Capability Notices: advising providers about their obligations to comply with these notices and the penalties for non-compliance (sections 317MAA and 317TAA);
- privacy and cybersecurity considerations: introduces matters that the Director-General of Security or the chief officer of an interception agency should have regard to when considering whether the requirements of a Technical Assistance Notice are reasonable and proportionate (section 317RA) and the equivalent requirement for a Technical Capability Notice (section 317ZAA). These matters specifically include this very vaguely phrased consideration: 'the legitimate expectations of the Australian community relating to privacy and cybersecurity';
- protect system security: introduces a procedure for the Attorney-General and a designated communications provider to appoint a person to carry out an assessment and provide a report about whether a proposed Technical Capability Notice would require the provider to implement or build a systemic weakness or vulnerability (section 317W(7) – (11));
- defence to civil penalty: for a DCP in a foreign country who does not comply with a notice if doing so would contravene a foreign law (section 317ZB(5)); and
- court powers in relation to disclosures: enables a court to enforce and make orders about the provisions of the Bill that prevent disclosure of information in connection with a Technical Assistance Request, Technical Assistance Notice or Technical Capability Notice (section 317FA).
Industry implications
Organisations that fall within the definition of a DCP, including foreign DCPs who provide goods or services to Australian users, will need to be prepared to comply with a Technical Assistance Request, Technical Assistance Notice or Technical Capability Notice, and may need to raise this with their clients and update their terms and conditions. The current scope of providers is broad, and includes telecommunications providers, software and equipment vendors and device manufacturers. Those directly impacted will need to have in place arrangements that allow them to assess and respond to Requests or Notices.
Journalists may find that confidential communications with their sources are revealed without notice or prior opportunity to consider or object to this when a Request or Notice is issued to a DCP.
What's next?
The Bill was referred to the Parliamentary Joint Committee on Intelligence and Security following the second reading speech on 20 September 2018. The Committee invited public submissions on the Bill by 12 October 2018 and received a further 76 submissions. The Committee held a public hearing on 19 October 2018 and further public hearings are due to be scheduled in late October or early November 2018.
Despite the amendments to the Bill, significant concerns remain. At the Committee's public hearing on 19 October, the Law Council of Australia expressed concern about the use of these notices to side-step the requirements for obtaining a warrant, resulting in limitations on 'an individual's right to privacy, freedom of expression and liberty'. In the absence of a nationally recognised individual right to privacy or a common law tort of invasion of privacy, the only limitations that can be placed on the exercise of these powers by relevant agencies are the statutory limitations within the Bill itself.
We now await the Joint Committee's recommendations following the further public hearings.
Key takeouts
- Despite a significant number of submissions and concerns raised about the 'decryption Bill', only a small number of amendments were made to the Exposure Draft before the Bill was introduced into Parliament.
- If passed in its current form, the Bill will have wide-ranging impact on 'designated communications providers' who may be subject to technical assistance requests or notices, or technical capability notices issued by an agency or the Attorney-General.
- The Parliamentary Joint Committee on Intelligence and Security is examining the Bill and has received further submissions expressing concerns with the Bill.