Australia - Encryption Bill Published For Comment
27 August, 2018
Powers designed to enable access by law enforcement and national security agencies to information and messages held in electronic devices and online services have been created in a proposed new federal law which has come to be known as the "Encryption Bill". The Australian Government has just published an exposure draft of the legislation for comment.
The proposed law targets a wide range of suppliers across the IT industry including equipment and device manufacturers, software developers, infrastructure providers, cloud-based storage services and web-and-app based communications services including social media. You can find a copy of the exposure draft and explanatory document here.
Voluntary and compulsory requests and notices
A new Part 15 is to be inserted into the Telecommunications Act 1997 (Cth) whereby the Australian Security Intelligence Organisation (ASIO), the Australian Secret Intelligence Service and eleven specified "Interception Agencies" (Agencies) may issue:
- a Technical Assistance Request, seeking voluntary assistance for the purposes of:
  - enforcing the criminal law and other laws imposing a pecuniary penalty;
  - assisting the enforcement of criminal laws of a foreign country; or
  - protecting the public revenue or the interests of Australia's national security, foreign relations or national economic well-being; and/or
- a Technical Assistance Notice, requiring the delivery to the relevant agency of information and/or assistance for law enforcement and national interest purposes.
ASIO or Agencies may also issue a Technical Capability Notice directing that the recipient ensure that it is capable of giving help in relation to a matter that facilitates or is ancillary or incidental to the performance of a function, or the exercise of a power of the issuing agency.
A Technical Assistance Request (Request) or a Technical Assistance Notice and Technical Capability Notice (Notices) can be issued to a "designated communications provider" (Provider), defined to include a very wide range of organisations involved in the delivery of IT-related facilities and services. A Request or a Notice must be issued in relation to "eligible activities", a wide term that extends to acts and practices that relate to carriage and electronic services and facilities.
Limitations of the Notices
Notices are limited in scope to the extent that:
- The Notices may not be issued to do an act or thing for which a warrant is required; and
- The Notices must not have the effect of:
  - requiring a designated communications provider to build a systemic weakness, or a systemic vulnerability, into a form of electronic protection; or
  - preventing a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability, in a form of electronic protection.
How might a Request or Notices be used?
The Bill proceeds on the assumption that messages carried or held by Providers can be accessed without taking steps that will damage any form of electronic protection. A Request or a Technical Assistance Notice might be issued in order to discover how a system works and explore the Provider's ability to satisfy a warrant. A Technical Capability Notice might be issued to require the construction of an interception or access mechanism that satisfies this requirement.
Providers are not subject to civil liability if they provide voluntary or compulsory assistance under any of the three new measures. However, failure to comply with the Notices may result in a fine of up to $10 million for a body corporate and $50,000 for an individual.
Computer access warrant powers
The Bill expands powers under the Australian Security Intelligence Organisation Act 1979 (Cth) (the ASIO Act), and introduces changes to the Surveillance Devices Act 2004 (Cth), the Crimes Act 1914 (Cth), the Customs Act 1901 (Cth) and the Telecommunications (Interception and Access) Act 1979 (Cth) in respect of computer access warrants for the benefit of ASIO and law enforcement agencies.
The new provisions in the Bill insert extensive language dealing with computer access warrants and the various circumstances in which they may be sought, including amendments which allow for the following:
- using a computer device, communications facility, electronic equipment, or data storage device in order to determine whether a relevant computer or device is a thing that may be seized under a warrant;
- adding, copying, deleting or altering other data in a computer or a communication in transit;
- removing a computer temporarily from premises;
- intercepting a communication for the purpose of doing something specified in a warrant;
- intercepting in transit a communication passing over a telecommunications network; and
- recording fingerprints from computers or data storage devices and taking samples for forensic purposes from computers or data storage devices.
A computer access warrant may also authorise the use of force and the use of steps necessary to conceal access to devices under the warrant.
Mutual foreign assistance for computer access warrants
The Bill recognises that a computer access warrant issued pursuant to the amended legislation may relate to a computer in a foreign country, a vessel, or an aircraft that is registered under the law of a foreign country. As a result, computer access warrants may be issued for devices outside of Australia.
Before issuing a warrant that may have extraterritorial effect, a relevant judge or nominated Administrative Appeals Tribunal member may consider whether they are satisfied that the access has been agreed to by an appropriate consenting official of the foreign country. "Appropriate consenting official" is defined in the Bill as an official of that country having authority in that country to give consent to access to data held in computers in that country or on a vessel or aircraft registered under the laws of that country.
Similarly, adjustments to the Mutual Assistance in Criminal Matters Act 1987 (Cth) under the Bill allow the Attorney-General to authorise access to data held in a computer by eligible law enforcement officers under the Surveillance Devices Act 2004 (Cth) if requested to do so by a foreign country, and where the request relates to an investigation or investigative proceeding relating to a criminal matter involving an offence against the law of the foreign country.
Power to conceal activities and decrypt devices
In addition to the expansion of ASIO's powers regarding computer access warrants, the Bill makes the following amendments to the ASIO Act:
- adjusts ASIO's power in relation to foreign intelligence and identified person warrants;
- introduces provisions expanding ASIO's powers to enter premises to remove computers, intercept messages, and to take steps to conceal activity as part of the execution of foreign intelligence gathering warrants and identified person warrants; and
- introduces new powers to give access to devices (including computers and mobile phones) which includes the requirement of decryption. A new provision in the Bill gives ASIO a wide power to seek an order to obtain assistance in accessing information contained on computers and other devices. The power can be exercised where there are reasonable grounds that the information is necessary for obtaining foreign intelligence, is in the interests of national security, or if obtaining the information will "substantially assist in the collection of intelligence."
Comments are requested by 10 September 2018. If you would like to discuss how this Bill may impact your business or obtain assistance with preparation of a submission, please contact us.
For further information, please contact:
Patrick Fair, Partner, Baker & McKenzie