What's actually in Australia's encryption laws? Everything you need to know
The controversial Assistance and Access Bill was 176 pages long, then 67 pages of amendments were rushed through in the final hours of debate. This is what we've ended up with.
By
Stilgherrian | December 10, 2018 -- 03:00 GMT (14:00 AEDT) | Topic:
Security
Labor
caved in last Thursday. Despite spending hours telling Parliament why the Assistance and Access Bill was dangerous garbage, and complaining about the
rushed process, they dropped all of their proposed amendments and voted in the sitting government's version anyway.
So now it's law.
What is the Assistance and Access Bill?
Its full name is the
Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, which is now an
Act [PDF]. It makes changes to more than a dozen pieces of legislation in an effort to combat what the government refers to in its
explanatory memorandum [PDF] as "the challenges posed by ubiquitous encryption".
The most controversial part is the "frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies" to help government access the content of encrypted communications.
It is Australia's contribution to the Five Eyes nations'
tougher attitudes to the regulation of online communications. Information and communications technology vendors and service providers have a "mutual responsibility" to offer "further assistance" to law enforcement agencies, they said in August this year.
It's about banning strong encryption, right?
No. Read on.
"Voluntary and mandatory industry assistance" means what?
Under the new laws, Australian government agencies can issue three kinds of notices:
- Technical Assistance Notices (TAN), which are compulsory notices for a "designated communication provider" to use an interception capability they already have;
- Technical Capability Notices (TCN), which are compulsory notices for a designated communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
- Technical Assistance Requests (TAR), which are "voluntary" requests, but which have been described by experts as the most dangerous of the three because there was less oversight, at least in the original version of the law.
From here on, we'll refer to these collectively as "notices".
Who can issue these notices?
A TAN or TAR can be issued by the director-general of the Australian Security and Intelligence Organisation (ASIO), the Australian Secret Intelligence Service (ASIS), or the Australian Signals Directorate (ASD), or by the chief officer of an "interception agency".
That last category includes the Australian Federal Police (AFP), the Australian Crime Commission (ACC), and the state and territory police forces provided they get the approval of the AFP Commissioner.
However the government amendments removed the various anti-corruption bodies from this category. It's not clear why.
There's no requirement for independent approval of a notice by, say, a judge issuing a warrant. However there must be an underlying warrant to access communications under the Telecommunications (Interception and Access) Act or the Surveillance Devices Act or state-level equivalents.
A notice must be in writing, unless there is "an imminent risk of serious harm to a person or substantial damage to property exists", the notice is "necessary for the purpose of dealing with that risk", and "it is not practicable in the circumstances to make the variation in writing". A notice given orally much be confirmed in writing within 48 hours.
The same goes for variations to a notice, extensions, and revocations.
All notices, extensions, and revocations must be notified to the Inspector-General of Intelligence and Security (IGIS) within seven days.
A TCN can only be issued by the Attorney-General following a request from ASIO or an interception agency, and only with the approval of the Minister for Communications.
The Attorney-General must also give written notice of the intention to issue a TCN to the communications provider, inviting them to make a submission, and respond. Except in a "matter of urgency", that process has to run for at least 28 days.
Is this about fighting terrorism and child abuse?
Kinda. "Safeguarding national security" is in there, but so is "enforcing the criminal law, so far as it relates to serious Australian offences". That's defined as any crime "punishable by a maximum term of imprisonment of 3 years or more or for life".
There's also "assisting the enforcement of the criminal laws in force in a foreign country, so far as those laws relate to serious foreign offences".
The ASD can also ask for "material, advice and other assistance on matters relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means".
ASIS can also ask for assistance in relation to "the interests of Australia's foreign relations or the interests of Australia's national economic well-being".
Who counts as a "designated communication provider"?
Pretty much anyone and everyone who provides any kind of online service or communications equipment to anyone in Australia, and anyone who even installs or maintains the kit. Yes, that includes anyone who has a website.
The table listing all the categories runs for three pages.
It includes obvious players like "carrier or carriage service provider" -
that's the telcos.
But it also includes anyone who "provides an electronic service that has one or more end-users in Australia", anyone who "develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end-users in Australia", device manufacturers, and even anyone who "manufactures or supplies components for use, or likely to be used, in the manufacture of customer equipment for use, or likely to be used, in Australia".
Isn't this about forcing companies to put backdoors in their products?
It depends what you mean by "backdoor".
If you mean having any method by which a third party can access the content of a specific communication, that's obviously a "Yes". That's the whole point of a communications intercept.
If you mean a method that allows any communication to be accessed at will, well, the government has been trying very hard to make that a "No".
A notice must not have the effect of "(a) requesting or requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection; or (b) preventing a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability, in a form of electronic protection".
They cannot ask a provider to "implement or build a new decryption capability", or "render systemic methods of authentication or encryption less effective", or introduce a "selective" vulnerability or weakness that would "jeopardise the security of any information held by any other person", or create "a material risk that otherwise secure information can be accessed by an unauthorised third party".
These two definitions were added to the legislation:
systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
systemic weakness means a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
There's now also a lengthy definition of "target technology" that refers to a service, device, piece of software, or "particular update of software" or whatever that "is used, or is likely to be used, (whether directly or indirectly) by a particular person" whether or not the person can be identified.
That's the law's intent anyway. What this might mean in practice is still unknown. Whether any of this is even technically feasible is a question for another time.
What can agencies ask for?
The list of "acts or things" that can be requested runs for two pages. The first is "removing one or more forms of electronic protection that are or were applied by, or on behalf of, the provider". Electronic protection is defined as an authentication system or encryption.
It also includes providing technical information, "installing, maintaining, testing or using software or equipment", "assisting with the testing, modification, development or maintenance of a technology or capability", "modifying, or facilitating the modification of, any of the characteristics of a service", and "substituting, or facilitating the substitution of, a service provided by the designated communications provider" with another service.
And quite a bit more.
Are there any limits on this?
Notices can't be given unless they're "reasonable and proportionate", and the compliance with the request is "practicable" and "technically feasible".
The decision-maker has to take into account things such as the interests of national security; the interests of law enforcement; the legitimate interests of the designated communications provider; the objectives of the request; the availability of other means to achieve the objectives; whether the request is the least intrusive form of assistance with respect to "persons whose activities are not of interest"; and "the legitimate expectations of the Australian community relating to privacy and cybersecurity".
Who decides what's reasonable, etc?
The person issuing the notice.
How much of this will be public?
Almost none of it. There are hefty penalties for revealing any aspect of a notice, except in situations such as referring a complaint to IGIS or the Commonwealth Ombudsman, or in other legal proceedings.
Agencies will report the number of notices issued annually. Communications providers can report the number of notices they've received in periods no shorter than six months.
What else is in the new law?
There's changes to the computer access warrant system, including giving covert computer access powers to "law enforcement agencies investigating certain federal offences".
An electronic device found while executing a warrant can now be moved to another place for analysis for 30 days, up from 14 days. Australian Border Force can now seize and examine an electronic device for 30 days, up from 72 hours.
ASIO can now "require a person with knowledge of a computer or a computer system to provide assistance that is reasonable and necessary to gain access to data on a device that is subject to an ASIO warrant".
It's the law now, so what happens next?
Agencies can start issuing notices as soon as they like.
Labor reckons its amendments to the legislation
will be considered when Parliament resumes sitting in February 2019. The Parliamentary Joint Committee on Intelligence and Security will continue its examination of the legislation through to April.
The Independent National Security Legislation Monitor must "review the operation, effectiveness and implications" of the new laws after 18 months, so around June 2020.
