Home Affairs pushes back against encryption law proposals

Both Labor and Australia's Independent National Security Legislation Monitor have proposed judicial approvals before cops and spooks can access encrypted communications, but the Department of Home Affairs isn't keen.
Written by Stilgherrian, Contributor

The Department of Home Affairs has rejected criticisms of Australia's controversial encryption laws, including the often-cited need for external judicial oversight and the impact of the laws on the tech industry.

The department also rejected claims that the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, generally known as the TOLA Act or AA Act, would be incompatible with the US Clarifying Lawful Overseas Use of Data Act (the CLOUD Act).

Under the laws as currently written, agencies can issue:

  • Technical Assistance Notices (TANs), which are compulsory notices for a "designated communication provider" (DCP) to use an interception capability it already has;
  • Technical Assistance Requests (TARs), which are "voluntary" requests, but really, how could you refuse? and
  • Technical Capability Notices (TCNs), which are compulsory notices for a DCP to build a new interception capability, so that it can meet subsequent Technical Assistance Notices.

TANs and TARs can currently be approved by the head of the requesting law enforcement or intelligence agency. TCNs must be approved jointly by the Attorney-General and the Minister for Communications.

Under Labor's proposal, contained in their Telecommunications Amendment (Repairing Assistance and Access) Bill 2019, a TAN, TAR, or TCN would have to be approved by a judge.

The Independent National Security Legislation Monitor (INSLM), Dr James Renwick, went further during public hearings in Canberra this week.

Not only did he propose tougher independent oversight of TOLA actions, he repeatedly expressed his concern that the Attorney and the Minister didn't constitute an independent "double lock" for authorising TCNs.

Such a double lock is required in the UK, where the equivalent to a TCN must be approved by both the Secretary of State for Home Affairs and the independent Investigatory Powers Commissioner's Office (IPCO).

"Leaving aside the personalities and the people who might fill those offices from time to time, nevertheless the Attorney and the Minister for Communications are both members of the same government and the same cabinet," Renwick said on Friday.

"There's at least some administrative law which suggests that in those circumstances, they might both be bound by a cabinet decision."

Hamish Hansford, DHA's Acting Deputy Secretary for Policy, rejected that view.

"Notwithstanding both an Attorney and Minister for Communications are members of a cabinet, they are also independent decision-makers under statute, and they need to exercise those responsibilities independently, if you like," he said.

"[The] Attorney-General and other ministers have access to more intrusive powers, to make decisions about more intrusive powers, and this would be an aberration in the overall framework."

Hansford suggested that a DCP might even request that they be served a TCN.

"We envisage ... that companies may well request a TCN, and may well say, so they can defend to their own internal business processes and own business model, 'We would like a TCN so that you [are] compelling us to provide a new capability that we have the ability to develop'," he said.

"And the government would pay for it, potentially, and through a contract negotiation."

DHA wants specific examples of harm to the tech industry

Tech companies have repeatedly said that the TOLA Act is harming their international business, with one cloud provider claiming an exodus of data from Australia.

"It is difficult to read about or grapple with anecdotal reports of lost business that have appeared in some submissions from industry without having an understanding of the specific facts," Hansford said.

"We'd encourage specific examples to be tabled to your inquiry, or separately to the parliamentary joint committee [the PJCIS] or the department."

Hansford also rejected once more the fears that employees would be dragooned in secret to create backdoors without their boss' knowledge.

"It is not now and it has never been intended that individual employees would be asked or required to provide assistance without informing or consulting their employer," Hansford said.

While an individual employee might receive a Notice or Request, perhaps because they're the organisation's law enforcement liaison officer, the recipient is the corporate entity, not the individual.

"That individual can and should discuss their request or notice with their employer as required to consider and provide the requested assistance," he said.

However, an individual who operates as a sole-trader business could still receive a notice.

Watchdog asks AFP to justify TCN's existence

Renwick noted that law enforcement agencies used their new TOLA Act powers just seven times in seven months, and all were voluntary TARs. That has continued to be the case.

TARs and TANs cover the same activities. One is voluntary, one is compulsory. But what about the far more intrusive TCNs? They haven't been used yet.

Hypothetically, Renwick asked the Australian Federal Police (AFP), what if three years go by and no one uses a TCN? Would that indicate that TCN powers weren't needed at all?

As Renwick put it, "What am I to conclude, in other words, from the fact that so far it would appear there haven't been any TCNs?"

"I think at this stage it indicates that industry would prefer to cooperate voluntarily against the known scheme than be compelled by something over which they have less control," said Karl Kent, the AFP's Deputy Commissioner for Capability.

"Simply by those tiers being in existence, I think it reflects the nature of the existing relationship between policing and providers of telecommunications."

DHA has no problem with the CLOUD Act

The CLOUD Act allows US law enforcement agencies to obtain data from foreign companies, provided that it doesn't violate privacy rights in that country.

In a submission to the PJCIS in July 2019, the Law Council said the CLOUD Act requires orders to be subject to judicial review at the issuance of a notice, something that many groups critiquing the TOLA Act have been calling for.

"US law does not allow for the mandating of the decryption of data as is now permitted under Australian law," it said.

"Irrespective of the amendments introduced by the Assistance and Access Act in Australia, the provisions of the CLOUD Act will not allow US service providers to provide technical assistance beyond their existing obligations under [the Communications Assistance for Law Enforcement Act]."

Australia's mandatory telecommunications data retention regime would also cause the CLOUD Act problems, according to the Law Council.

Home Affairs rejects that view.

"We've been in intense discussions with the Department of Justice in the United States," said Hansford.

"They have not identified any issues with the Assistance And Access Act that would prevent Australia from successfully negotiating a bilateral agreement with the United States under the CLOUD Act."

The INSLM's encryption laws inquiry is due to report by June 30. His analysis will feed into the ongoing review by the PJCIS, which is due to report by September 30.

The PJCIS is also due to report somewhat sooner, on the effectiveness of the mandatory telecommunications data retention regime, by April 30.
