The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Cth) received Royal Assent on 8 December 2018 (the "Act").
Broadly speaking, the Act will extend law enforcement assistance obligations (which previously only applied to Carriers and Carriage Service Providers ("CSPs") under Australia's Telecommunications Act 1997 (Cth) and related legislation) to a much broader range of suppliers of communications services and equipment, software providers and device manufacturers, both within Australia and overseas.
Why was the Act introduced?
The Act was introduced in response to the increasing challenges posed by new technologies, such as encryption, to law enforcement and intelligence agencies when investigating serious criminal acts. It is an attempt to leverage, and mandate, the technical assistance of industry in order to better equip law enforcement and intelligence agencies with the communications and information they require to investigate serious crimes, whilst also balancing the public interest in maintaining strong encrypted communications systems.
The explanatory material accompanying the Act's introduction makes clear that the intended targets of the Act include individuals and organisations misusing and exploiting new communications technologies (including, in particular, secure messaging applications, social media and VoIP services) to engage in 'organised crime, terrorism, smuggling, sexual exploitation of children and other crimes' (Explanatory Memorandum, paragraph 4).
As well as being driven by national security concerns, the introduction of the Act was, in part, driven by geopolitical concerns. The need for a more effective framework for procuring technical assistance from industry has been on the agenda of the Five Eyes nations (which comprises the UK, Canada, New Zealand, the USA and Australia) for some time now – it was a key item of the discussions that took place between the intelligence network at the meetings in Ottawa last year.
With the passage of the Act, Australia becomes the first of the Five Eyes nations to introduce an industry assistance framework of this kind in legislative form.
Who will the Act affect?
The Act extends law enforcement assistance obligations to a new category of regulated entity – 'designated communications providers'. This captures any provider of communications services and devices in Australia, irrespective of where they base their operations. This includes providers of 'electronic services', software/suppliers and equipment and device manufacturers.
By capturing suppliers of 'electronic services' within the new category of 'designated communications providers', the Act will extend the reach of current legislation by capturing services which use the internet for carriage, such as OTT service providers.
How does the Act operate?
New industry assistance framework
The Act will expand the powers of law enforcement and intelligence agencies to regulate Carriers and CSPs, by strengthening the agencies' collection capabilities and introducing a new framework for industry assistance. This will include the following key reforms:
- a technical assistance regime, whereby designated communications providers may voluntarily assist agencies under a "technical assistance request" ("TAR"), or be required to do so pursuant to a technical assistance notice ("TAN") issued by the head of an interception agency or ASIO; and
- a technical capability notice regime, whereby a designated communications provider may be required to do certain 'acts or things', including building a capability in accordance with a technical capability notice ("TCN") issued by the Attorney-General (and approved by the Minister).
Importantly, a TAR, TAN or TCN cannot require a designated communications provider to implement or build a 'systemic weakness' or a 'systemic vulnerability' into a form of electronic protection, or prevent a designated communications provider from rectifying a systemic weakness or a systemic vulnerability, in a form of electronic protection. It also includes rendering systemic methods of authentication or encryption less effective.
There are some additional safeguards built into the Act, including that the notice requirements be 'reasonable and proportionate', compliance be 'technically feasible' and the 'least intrusive form of industry assistance'. Designated communications providers issued with a TCN are also able to seek an assessment of whether the notice complies with the requirements outlined above.
Computer access warrants
The Act also significantly broadens the existing computer access warrants regime by enabling additional agencies to covertly access and modify a device for the purpose of obtaining evidence.
These warrants, which must be issued by a judge or a member of the AAT, allow law enforcement agencies to, amongst other things, remove computers from premises (including servers) and use other computers to access data remotely.
The Act imposes serious penalties for a failure to comply with a notice, or an unauthorised disclosure of certain information.
A failure to comply with a TAN or TCN can attract pecuniary penalties of up to AUD 10 million. An unauthorised disclosure of information by an individual involved can attract a term of imprisonment of up to 5 years, and a failure or refusal to assist with a computer access warrant can, in some instances, attract a term of imprisonment of up to 10 years.
The Act, which was, and continues to be, the subject of much controversy, was rushed through Parliament and was passed on its last sitting day for 2018. This was largely due to concerns on the part of the Government that law enforcement and intelligence agencies would not be equipped with the powers required to effectively address national security risks over the upcoming 2018/2019 holiday break.
In light of this, the Australian Labour Party has suggested that it will seek to make amendments to the Act when Parliament recommences in 2019. The Parliamentary Joint Committee on Intelligence and Security will also be examining the operation of the legislation and completing its review by 3 April 2019. Many industry participants have continued to express strong concerns over the potential operation of the Act.