In July 2020, the Independent National Security Legislation Monitor (INSLM) issued a report recommending changes to the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (Encryption Act).
The Encryption Act was introduced in response to the Australian government’s concern about people using encrypted messages for terrorist-related and other illegal activities.
The Act expanded the law enforcement powers of the Australian Security Intelligence Organisation (ASIO) and of Federal and State authorities by enabling them to direct ‘designated communication providers’ (DCPs) (such as Telcos and providers of secure messaging applications) to provide law enforcement with ways to intercept and decrypt encrypted messages.
For example, under the Act, law enforcement can (in certain circumstances) direct Facebook, as owner of WhatsApp, to provide access to the otherwise encrypted messages that customers have exchanged through the app.
Concerns about the Act
The introduction of the Encryption Act was controversial for several reasons, including its hurried enactment with a short period of consultation, the breadth of its application to DCPs, and concerns about how the powers under the Act compromise the privacy of individuals who believe their communications to be secure.
The Encryption Act sets out specific types of help that an agency can ask a DCP to provide under a voluntary Technical Assistance Request (Request) or a mandatory Technical Assistance Notice (Notice). Actions required of DCPs under these Notices and Requests can include removing technical protections from decrypted messages, providing technical information such as source code, deploying agency software, or notifying an agency of changes to the DCP’s service.
The safeguards under the Act have been widely criticised by industry and commentators. The Act seeks to prohibit the introduction of a ‘systemic weakness’ or ‘systemic vulnerability’ into a DCP’s products or services. However, the definitions of these concepts lack clarity. In addition, the Notices and Requests are not currently subject to independent judicial authorisation, with very limited availability for judicial review regarding any subsequent disputes or objections as to their application.
The INSLM made several recommendations including clarifying the problematic definitions in the Act and seeking to introduce a new oversight mechanism, based on aspects of the UK’s model, to approve the Notices. The oversight would be achieved through the establishment of a new division of the Administrative Appeals Tribunal.
The Attorney-General stated that the government would not make any response to the INSLM report until the current Parliamentary Joint Committee on Intelligence and Security’s (PJCIS) review is complete. We expect this report to be completed and available in the coming weeks.