Decrypting the Decryption Bill
by Paul Kallenbach, John Fairbairn, Lisa Jarrett, Leah Mooney, Veronica Scott, Christina Graves
Published: October, 2018
Submission: January, 2019
Following a short period of public consultation, the Telecommunications and Other Amendments (Assistance and Access) Bill 2018 (Cth) (Bill) has been introduced into Parliament. Despite the extensive public concerns raised with the Exposure Draft version, only a small number of amendments have been made to the Bill.
Following extensive submissions and much debate, the 'decryption Bill' has now been introduced into Parliament. The Bill introduces a package of amendments to assist law enforcement agencies to overcome the challenges of accessing data under warrants at a time when (according to Mr Dutton in his second reading speech of the Bill) 'criminal syndicates and terrorists are increasingly misusing and, indeed, exploiting [encryption] technologies'. Specifically, the Bill introduces amendments to:
The Bill sets out a range of acts or things that these notices may require of DCPs, including providing technical information, removing one or more forms of electronic protection that are or were applied by (or on behalf of) the provider, notifying agencies of a change to a service, and installing, maintaining, testing or using software or equipment or assisting with those activities.
What is the Bill's impact?
The range of providers that could be subject to a request or notice is broad. The Bill extends the scope of the Telecommunications Act to Australian and foreign communications services and device providers, to the extent the service or device has an Australian user. It is not only telcos that are impacted. Equipment vendors, smartphone and other device manufacturers and software and services vendors (whether local or global) could also be the subject of a request or notice. Many of these would have varying resources and capabilities to respond.
Costs of compliance
DCPs who will potentially be affected have expressed concern that the cost of responding to requests or notices could be substantial, particularly if the provider is required to build new capability. The Bill provides that costs of compliance are recoverable on a no-profit-no-loss basis. Providers may also be able to enter into commercial terms for the provision of assistance. However, those with more limited resources may well find the cost of providing services in Australia is not viable, particularly if they are caught simply because they offer an app on a global store.
An unintended consequence of the Bill is that confidential and encrypted communications between journalists and their sources could be revealed to law enforcement agencies. However, unlike the Telecommunications (Interception and Access) Act 1979 (Cth) (Interception and Access Act), the Bill does not build in any protections for journalists' sources to scrutinise requests or notices which could result in revealing their sources. Following numerous submissions on the draft Interception and Access Act on this issue, the concept of a 'journalist information warrant' was introduced, under which the Attorney General is prevented from issuing a journalist information warrant unless satisfied that (amongst other things) the public interest in issuing the warrant outweighs the public interest in protecting the confidentiality of the identity of the source in connection with whom the authorisation is sought. By contrast, the Bill does not provide for a similar mechanism to protect confidential sources.
What has happened so far?
The history of the Bill has been short, particularly in light of what it seeks to achieve. The exposure draft Bill was released for public comment on 14 August 2018, with submissions due by 10 September. Just ten days later, the Bill was introduced into Parliament, without significant amendment. The Department has now published the submissions it received - almost 350 in total.
There are shared themes within the submissions. Whilst there is broad support for the objectives of the Bill, there are serious concerns about the effect of the Bill, if passed in its current form, on DCPs, on those organisations whose data may be affected, and on individual consumers.
In addition, as recently reported in The Sunday Age, experts have expressed the view that the benefits the Bill is seeking to achieve may not ultimately eventuate and other options should be considered before resorting to such measures. There is also concern that the Bill could contribute to an overall weakening of digital security, which in turn could discourage personal communications. Similar to the concerns raised about MyHealthRecord, there are also questions about the effectiveness of the government's own cyber security measures and what this means for the protection of the data that law enforcement will collect.
Amendments to the Bill
A handful of amendments were made to the version of the Bill that was introduced into Parliament following the submissions on the Exposure Draft. The most significant of these are:
Organisations that fall within the definition of a DCP, including foreign DCPs who provide goods or services to Australian users, will need to be prepared to comply with a Technical Assistance Request, Technical Assistance Notice or Technical Capability Notice, and may need to raise this with their clients and update their terms and conditions. The current scope of providers is broad, and includes telecommunications providers, software and equipment vendors and device manufacturers. Those directly impacted will need to have in place arrangements that allow them to assess and respond to Requests or Notices.
The Bill was referred to the Parliamentary Joint Committee on Intelligence and Security following the second reading speech on 20 September 2018. The Committee invited public submissions on the Bill by 12 October 2018 and received a further 76 submissions. The Committee held a public hearing on 19 October 2018 and further public hearings are due to be scheduled in late October or early November 2018.
Despite the amendments to the Bill, significant concerns remain. At the Committee's public hearing on 19 October, the Law Council of Australia expressed concern about the use of these notices to side-step the requirements for obtaining a warrant, resulting in limitations on 'an individual's right to privacy, freedom of expression and liberty'. In the absence of a nationally recognised individual right to privacy or a common law tort of invasion of privacy, the only limitations that can be placed on the exercise of these powers by relevant agencies are the statutory limitations within the Bill itself.
We now await the Joint Committee's recommendations following the further public hearings.