Encryption laws are creating an exodus of data from Australia: Vault

Detrimental effects are both real and perceived, according to Australian cloud provider.
Written by Chris Duckett, Contributor

Australian cloud provider Vault Systems has said it is being "materially and detrimentally impacted" by Australia's encryption laws, even if it is just the perception of them.

"As foreign governments and customers are assessing against a 'media headline test', we are in an unfortunate position where logical persuasion is not sufficient to counter perception," Vault said in a submission to a review of the laws.

"We are currently seeing an exodus of data from Australia including physical, operational, and legal sovereignty."

The cloud provider said that, based on the size of the Australian market and its "perceived compliance burden", it has seen multinationals blacklist the nation, even when the same companies operate in China and Russia.

Vault called upon the government to create a Data Sovereignty Policy that mandates all sensitive data hosted in the cloud be sovereign and for all staff to undergo Australian clearance vetting, where needed.

"As multinational companies move physical, operational, and legal jurisdiction offshore, they easily side step the AA Act -- in effect thwarting the AA Act," Vault said.

"Current legislation does not prevent these companies continuing to provide services to Australia citizens, companies or government. In effect, these companies are eluding the law and attaining revenue while every day Australian citizens are suffering the consequences."

A submission by the Australian Civil Society Coalition -- consisting of Digital Rights Watch, Blueprint for Free Speech, Human Rights Law Centre, NSW Council for Civil Liberties, Queensland Council for Civil Liberties, Liberty Victoria, Access Now, Electronic Frontiers Australia, and Future Wise -- reiterated prior calls for the laws to be entirely repealed.

The coalition called for an "enforceable federal human rights framework" to prevent Australia being the weakest link in the Five Eyes network, as well as for protection for whistleblowers in relation to the encryption laws, and the use of warrants and judicial consent for notices issued.

It also pointed out that the encryption laws create a loophole that allows law enforcement to bypass the requirement for a warrant to access a journalist's metadata to track down a source.

In November 2017, a Commonwealth Ombudsman report into how the Australian Federal Police managed to trip over that one caveat in Australia's metadata retention system -- needing a journalist warrant -- found AFP officers did not "fully appreciate their responsibilities" when using metadata powers.

The Australian Civil Society Coalition also said legislation should be in place to require that any tooling developed by companies to comply with a notice can only be used in ways specified by a warrant.

"When that warrant is no longer in force, the recipient of the TAR, TAN, or TCN should be notified appropriately and permitted to take any steps to address the impacts of the TAR, TAN, or TCN as they see fit," the coalition said.

Australia's encryption laws -- as defined in the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 passed in December 2018 -- create three kinds of notices that a so-called "interception agency" can serve on what are called "designated communications providers":

  • Technical Assistance Requests (TAR), which are "voluntary" requests for the designated communications providers to use their existing capabilities to access user communications;
  • Technical Assistance Notices (TAN), which are compulsory notices to use an existing capability; and
  • Technical Capability Notices (TCN), which are compulsory notices for a designated communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices.

A briefing document from the Department of Home Affairs that appeared in May showed agencies were being informed not to target employees within organisations; however, StartupAUS said in its submission it did not believe this was enough.

"It must be explicitly stated within the legislation that where a company is providing a digital product or service, the company itself must be defined as the Designated Communications Provider, and individual employees may only be engaged internally at the direction of management to assist with a TCN."

The startup group also wanted the laws' restriction to offences carrying 3 years' imprisonment or more lifted to a higher threshold.

"The result of such a broad definition of serious offence is that rather than the powers under this Act being reserved as a critical measure in times of great need, they will simply fall into regular use as part of the daily toolkit of law enforcement, at significant cost to Australian technology companies, their customers and their products," it said.

"Indeed - even the penalty for unauthorised disclosure of information pertaining to this Act is set at a maximum of 5 years, and therefore would qualify as a serious offence."

On the reporting front, the Commonwealth Ombudsman took issue with the Minister of Home Affairs being able to remove content from its reports.

"We believe the minister's power to redact the Ombudsman's reports should be reconsidered," it said.

"Specifically, this power is not available to a minister in any other legislation under which the Ombudsman may issue a report and, in our view, is inconsistent with the Ombudsman's role as an independent and impartial office."

Speaking in Parliament yesterday, Home Affairs Minister Peter Dutton said the laws directly saved lives.

"We have introduced multiple pieces of legislation, including the encryption laws last year which were questioned by some of those opposite on the front bench but which have directly resulted in Australian lives being saved," he said.

"That's the reality. This government, in this term, will make sure that we do whatever we can to keep Australians safe."
