The Australian Assistance and Access Bill is now an Act. It passed — and without any of the amendments proposed by Opposition Leader Bill Shorten, who backed down completely in his resistance against the new laws.
Being the first such encryption law worldwide, it is still uncertain whether the law is even technically feasible, let alone effective in fighting terrorism and crime. It’s also complex and confusing, so we’ll guide you through it.
After all, what exactly does the Australian Assistance and Access Bill being enacted entail?
What is the Assistance and Access Bill?
The government calls it Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018. Fancier, and also more informational: it amends the Telecommunications Act 1997, expanding the responsibilities of the government over communications and intelligence obtained on the internet.
It seeks to “establish frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies in relation to encryption technologies”. In short, it helps the government access encrypted communication.
The idea is to combat child predators, terrorist networks and organised crime more effectively. According to the explanatory memorandum, “the increasing use of encryption has significantly degraded law enforcement and intelligence agencies’ ability to access communications and collect intelligence”.
Australian Government powers
It basically enables government agencies to issue notices requesting access to the content of any encrypted communication within the reach of a “designated communication provider”. There are three types of notices:
- Technical Capability Notice (TCN) — A compulsory notice, requesting that a designated communication provider builds new interception capabilities. Mainly used so that the provider can comply with the next notice.
- Technical Assistance Notice (TAN) — A compulsory notice, requesting that a designated communication provider uses its interception capabilities to track down communication.
- Technical Assistance Requests (TAR) — A voluntary notice (in a certain measure of “voluntary”). More or less the same as the TAN, but with much less oversight.
A “designated communication provider” is basically anyone who offers an online service — from a blog with a newsletter to Google — to the Australian people. Also, anyone who provides communications equipment in Australia. So almost anyone, full stop.
What the Assistance and Access Bill doesn’t do, or tries not to do, is allow agencies to request backdoors into security systems. A notice can’t request that a designated communications provider implements a “systemic weakness, or a systemic vulnerability, into a form of electronic protection”.
That, and agencies can’t prevent a provider from fixing systemic weaknesses or vulnerabilities, if there are any.
Just about everything is strictly defined for the laws’ purposes, including “systemic weaknesses”, “systemic vulnerabilities” and “electronic protection”. The law does intend to be as categorical as possible.
Who the Bill empowers
Only the Australian Attorney-General can issue a TCN, with the approval of the Minister for Communications and following a request from the Australian Security and Intelligence Organisation (ASIO).
A TAN can only be issued by the ASIO, via its director-general, or by Australian interception agencies, via their chief officers.
Interception agencies include the Australian Federal Police (AFP) and the Australian Crime Commission (ACC). State or territory forces can issue notices if they have the approval of the Federal Police Commissioner.
TAR, however, can be issued by all these and the directors-general of the Australian Secret Intelligence Service (ASIS) and the Australian Signals Directorate (ASD). Anti-corruption agencies are conspicuously absent.
The agencies can ask to remove “one or more forms of electronic protection that are or were applied by, or on behalf of, the provider”. They can also ask for technical information regarding any software or equipment, including information about “modifying […] any of the characteristics of a service”.
The issuing of a notice needs an underlying warrant, but doesn’t need to be approved independently by a judge or another agency. Any notice or modification to a notice has to be written and notified to the Inspector-General of Intelligence and Security (IGIS).
However, in “matters of urgency” — when “an imminent risk of serious harm to a person or substantial damage to property exists” — an oral notice can be issued, provided it is confirmed in writing up to 48 hours later.
Sure enough, issuing a notice has to follow the principles of proportionality, feasibility and reasonability. But the one who decides the applicability of the notice, single-handedly, is the one issuing it.
The only exception is TCNs, which demand a written notice of intention to be examined and responded to by the designated communications provider.
What the Bill intends to fight
The Assistance and Access Bill is more or less aimed at “safeguarding national security” and punishing “serious Australian offences”. That’s anything that’s punishable by 3 or more years in jail.
Besides, it seeks to “assist the enforcement of the criminal laws in force in a foreign country, so far as those laws relate to serious foreign offences”. Meaning, the legislators are well aware of the global impact of the new law.
Other aspects of the law deal with how exactly the devices and services can be analysed. Anyone “with knowledge of a computer or a computer system” can be asked by the ASIO to “provide assistance that is reasonable and necessary to gain access to data on a device that is subject to an ASIO warrant”.
So it is not quite an anti-terrorism law or an anti-organised crime law. It’s a framework for how Australia will deal with any kind of serious offence related to cyberspace.
A communication provider can only report the number of notices they have received in periods of six months or longer, and agencies will report each year only the number of notices they issued.
When will the Bill take effect
There are two answers to this — “right now” and “we’ll see in one year and a half”. “Right now”, because agencies can already issue notices. “We’ll see”, because the Independent National Security Legislation Monitor will review the consequences of the law around June 2020.
We might see reverberations of the world’s first encryption laws in the Five Eyes security alliance. Civil liberties groups and tech companies have already voiced their concerns about the applicability, the effectiveness and the legitimacy of the laws.
Other than that, amendments should be considered next year as the Committee on Intelligence and Security reviews it until April. It still remains to be seen how much of the law can be applied, and how much of it will.