The current state of encryption law
The way we use and access telecommunications has changed much over the last 30 years. Mobile phones, GPS, wi-fi, internet banking, social media and secure online shopping represent a few of the technologies and services we now take for granted. The future promises more changes to come and in ways we can scarcely imagine. The enabler which underpins these modern communications technologies is encryption: the encoding of a message or information so that only authorised parties can access it. Encryption protects personal, commercial and government information, provides economic benefits, and promotes confidence in a secure cyberspace.
However, many are concerned that these rapid advances in encryption technology have provided the ready means for terrorists and criminals to evade detection by law enforcement and national security agencies. Many will recall the angst faced by the FBI in trying to gain the assistance of Apple in unlocking an iPhone that was used by a shooter in 2015’s San Bernardino attacks and was suspected of containing incriminating evidence. A US Federal Judge asked Apple to provide “reasonable technical assistance” to the US authorities, which would require the technology giant to overhaul the system that disables the phone after 10 unsuccessful password attempts. Once this feature kicks in, all the data on the phone is inaccessible. Apple declined to help the FBI.
In response to this new law enforcement dilemma, Australia has progressively introduced legislation since at least 1979 to partially address the changing landscape, starting with section 313 of the Telecommunications Act 1997 (Telecommunications Act), requiring telecommunications service providers to provide ‘such help as is reasonably necessary’ to agencies.
Since then, in response to a number of perceived threats to national security, legislation amending the Telecommunications (Interception and Access) Act 1979 (TIA Act) has introduced new requirements for telecommunications service providers to retain certain data, which became effective on 13 October 2015. From that date, licensed carriers, carriage service providers and internet service providers that use communications infrastructure in Australia to provide any of their services may be required to retain and secure specific telecommunications data for two years. This retained metadata is deemed to be ‘personal information’ for the purposes of the Privacy Act 1988 and is also required to be encrypted.
The new Act
On 6 December 2018, a more radical shift in the legal landscape was made with the passing of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018. The Explanatory Memorandum to this Bill states that “the increasing use of encryption has significantly degraded law enforcement and intelligence agencies’ ability to access communications and collect intelligence, conduct investigations into organised crime, terrorism, smuggling, sexual exploitation of children and other crimes, and detect intrusions into Australian computer networks”. Encryption can conceal the content of communications and data held on devices, as well as the identity of users.
The new Act, when passed into law, will amend the Telecommunications Act, the TIA Act, the Surveillance Devices Act 2004, and 7 other existing Commonwealth Acts. It is designed to introduce extensive and intricate measures to better deal with the challenges posed by ubiquitous encryption. The new Act aims to enhance cooperation by introducing a new framework for industry assistance, including new powers to secure assistance from key companies in the communications supply chain both within and outside Australia.
The new Act creates a framework relating to encryption that provides a legal basis on which a Designated Communications Provider:
- may provide voluntary assistance under a ‘technical assistance request’ to the selected government officials in the performance of their functions relating to Australia’s national interests, the safeguarding of national security and the enforcement of the law;
- must provide assistance in response to a ‘technical assistance notice’ from the Director‑General of Security or the head of an interception agency, when the decision maker is satisfied that such a request is reasonable, proportionate, practicable and technically feasible; and
- may be required under a ‘technical capability notice’, to do acts or things to ensure the provider is capable of giving help to ASIO and interception agencies where the Attorney‑General is satisfied that it is reasonable, proportionate, practicable and technically feasible.
Importantly, the term Designated Communications Provider includes foreign and domestic communications providers, device manufacturers, cyber security providers and the developers of underlying operating systems that enable connectivity across platforms.
However, with major technology providers headquartered overseas and communications travelling across national boundaries, many challenges remain in enforcing such provisions.
While this new legislation purports to apply extraterritorially, there are a number of practical difficulties which exist in commencing proceedings against companies outside Australia, namely:
- whether the contravening entity can be compelled to appear in an Australian court;
- whether the relevant enforcement body is able to meet the pre-conditions required to validly serve a foreign company (such as permission from the Federal Attorney-General); and
- the difficulty in having directors or officers extradited to Australia for criminal prosecution (where the prohibited conduct constitutes a criminal offence and liability extends to directors or officers).
As such, it remains to be seen whether the new legislation will prove to be a valuable law enforcement tool or a toothless tiger. Ultimately, the mutual assistance framework between domestic and foreign law enforcement agencies based on the principle of reciprocity may be the determining factor which governs the effectiveness of the new legislation in meeting its stated objectives.
 Australian Security Intelligence Organisation (ASIO), Australian Secret Intelligence Service (ASIS), Australian Signals Directorate (ASD) and interception agencies.