Employees not the target of encryption laws: Home Affairs

Australian developers really do need to relax. Cops and spooks are being told very clearly that the Assistance and Access Act isn't for dragooning you into deceiving your bosses.
Written by Stilgherrian, Contributor

Software developers have been fearing that Australia's controversial new encryption laws could force them to secretly add malware and backdoors to their employers' products and services.

A newly-obtained briefing document from the Department of Home Affairs (DHA) makes it clear that this isn't the intent.

This reinforces expert views that the laws are "highly unlikely" to force employees to deceive their bosses, while also stating the intention of the DHA staffer who drafted the laws.

Prior to an interception agency seeking assistance from a "designated communications provider" -- the broad and somewhat vague definition of that term has certainly led to some of the fears -- a key question has been whether they're approaching the "relevant entity".

"Importantly, the notices are not intended to be issued to persons within an organisation. Rather, notices will be served on the provider as an entity (although this could be a sole trader)," the briefing document says. [Emphasis in original.]

"It is important to note outright that these new measures cannot be used in a manner that would jeopardise the cybersecurity of innocent parties for the sake of facilitating greater government access to communications content and data."

The new laws are the controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, passed in December 2018.

The Act defines three kinds of notices that a so-called "interception agency" can serve on what are called "designated communications providers" as part of the Industry Assistance Process:

  • Technical Assistance Requests (TAR), which are "voluntary" requests for the designated communications providers to use their existing capabilities to access user communications;
  • Technical Assistance Notices (TAN), which are compulsory notices to use an existing capability; and
  • Technical Capability Notices (TCN), which are compulsory notices for a designated communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices.

High-level flowchart of the Industry Assistance Process

(Image: Department of Home Affairs)

Much of the controversy has been triggered by the Act's vague definitions, and not just that "designated communications provider" is a three-page list of everyone from a major telco down to the operator of a personal website.

How can a communications provider create a way to access specific encrypted communications without also creating a banned "systemic weakness" that could be used to access any of these communications more widely?

A systemic weakness is defined as one that "affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person". But that just creates a new conundrum: What counts as a "whole class" of technology?

The "listed acts or things" that can be asked for are also broadly defined. They include removing encryption or authentication controls; providing technical information; installing, maintaining, testing, or using software or equipment; even "modifying, or facilitating the modification of, any of the characteristics of a service provided by the designated communications provider", among other things.

Attempting to clarify the unclear definitions

The undated report The Assistance and Access Act: An Interim Guide for Security, Intelligence and Law Enforcement, obtained by The Guardian under freedom of information laws, is meant to clarify all this for the cops and spooks who will be using it.

The guide does say that people accessing the internet at McDonald's, Westfield in Australia, and other free wi-fi providers could, for example, be targeted for surveillance by police.

It also gives examples illustrating the reach of "designated communications provider": Facilities such as Amazon Web Services (AWS) or a content distribution network (CDN); systems integrators like DimensionData; device manufacturers; or even any Australian retailer who offers a mobile shopping app.

But the guide also spends a lot of time explaining the limitations.

There must already be an underlying judicial warrant to access the communications in question, for example, and the decision-maker approving the action must take into account a range of factors:

  • the interests of national security;
  • the interest of law enforcement;
  • the legitimate interests of the relevant provider;
  • the objectives of the request or notice;
  • the availability of other means to achieve these objectives;
  • whether the requirements are the least intrusive form of industry assistance insofar as it might impact innocent third parties;
  • whether the requirements are necessary;
  • the legitimate expectations of the Australian community relating to privacy and cybersecurity; and
  • such other matters the decision-maker considers relevant.

It's concerning that the decision-maker is generally the head of the agency taking the action. This writer's view is that there should be independent judicial oversight before action is taken.

However, agencies must justify their actions to the independent Inspector-General of Intelligence and Security (IGIS). ZDNet understands that this can sometimes be a daunting prospect.

The guide says that it's an "interim step while more comprehensive guidance" is developed.

"The Department will shortly commence consultation with Government and industry stakeholders in the development of comprehensive guidance on the use of the industry assistance measures, including standard forms and contracts that will underpin industry assistance."

Meanwhile, Labor pledged that if they'd won the recent federal election, they would review the encryption laws. The party had raised specific concerns that it would damage Australia's IT industry.

Scott Morrison's Coalition government has been returned, however. While there's an ongoing inquiry by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), it's not yet clear whether the government will prioritise any debate in parliament.
