Home Affairs says no problems with encryption laws even though local companies suffer

The department said it is however 'focused' on addressing the negative perception of Australia's encryption laws, saying companies actually lack a clear understanding of the obligations within legislation.

The Department of Home Affairs (DHA) has finally conceded that the perception of Australia's encryption laws has had a "material impact on the Australian market" and the ability for Australian companies to compete globally, after hearing many tell it such for months. 

In a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), instead of continuing to water down concerns about how the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 has impacted Australian businesses, DHA said it is focussing on engaging with all involved to "clarify and reiterate the intent and operation" of the Bill that was rammed through Parliament in December 2018.

"Consumers, international companies, and investors are concerned domestically produced or located products and services have been undermined by the legislation, and that the industry assistance framework increases the costs of doing business in Australia," the department wrote.

Free PDF

Australia’s encryption laws: An insider’s guide

Australia now has world-first encryption laws. This guide explains what the laws can do, what they cannot do, and how Australia ended up here.

Read More

The Peter Dutton-led department said it has been, and will continue to, meet with "impacted stakeholders", which it said includes members of the technology and communications industry to "work through their concerns".

Such concerns were highlighted in a submission to the PJCIS from Australian cloud provider Vault Systems that said it is being "materially and detrimentally impacted" by the encryption laws, even if it is just a result of the perception of them.

"As foreign governments and customers are assessing against a 'media headline test', we are in an unfortunate position where logical persuasion is not sufficient to counter perception," Vault wrote.

"We are currently seeing an exodus of data from Australia including physical, operational, and legal sovereignty."

The cloud provider said based on the size of the Australian market, and its "perceived compliance burden", it has seen multinationals blacklist the nation, even when the same company operates in China and Russia.

See also: Australia isn't buying local cyber and the rest of the world might soon follow

Former Shadow Minister Ed Husic also used his media rounds in the lead up to the federal election to say the Bill was having a "devastating" impact locally.

The department in its submission however, called such concerns with the legislation "misconceptions regarding the intent and operation of the industry assistance framework".

"According to advice received from industry, companies lack a clear understanding of the obligations in the legislation, and have concerns regarding the potential impact the industry assistance framework may have on product development and their current operating procedures," the department's submission continued.

"Some industry providers are reporting that these concerns have also caused investors to re-evaluate engaging with the domestic communications and technology markets."

The department thinks fact sheets, an FAQ section, and practical examples of the Act in use will fix these "misconceptions".

Some guidance has been made available as it is produced via the Home Affairs website -- DHA said in both March and April a draft version of the guidance was circulated to agencies and the industry consultation group for scrutiny and comment.

It followed the distribution of interim guidelines to law enforcement, national security, and intelligence agencies over the Christmas/New Year period that it labelled as a short-term solution while more formalised administrative guidance could be developed.

DHA had also provided training material to law enforcement agencies that use the industry assistance framework and the other key powers in the legislation.

DHA expanded a little bit on what that industry assistance framework actually requires of companies, saying it does not require them to fundamentally change the way they conduct their business operations in Australia.

"Consumers, and international providers and investors should have confidence that no provisions in the legislation will lead to significant changes to how services and products are developed in Australia," DHA wrote.

"To the extent that the provisions do interact with Australian products or operations, requirements are bounded by security guarantees in the laws, consultation requirements and core decision-making criteria which reinforces the need for decision-makers to hold impact on businesses at the forefront of their mind."

DHA also used its submission to hold firm that the passage of the Act was a critical step towards ensuring Australia's law enforcement, national security, and intelligence agencies can operate effectively in the evolving technological environment.

"Key measures in the legislation, including the industry assistance framework in Schedule 1, have been used by agencies to overcome technological impediments to legitimate investigations," it wrote.

"International companies and investors looking to engage in the domestic market should have confidence that the legislation establishes no standing obligations on industry, and does not, or indeed cannot, undermine the security of products and devices."

Australia's encryption laws create three kinds of notices that a so-called "interception agency" can serve on what are called "designated communications providers":

  • Technical Assistance Requests (TAR), which are "voluntary" requests for the designated communications providers to use their existing capabilities to access user communications;
  • Technical Assistance Notices (TAN), which are compulsory notices to use an existing capability; and
  • Technical Capability Notices (TCN), which are compulsory notices for a designated communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices.

"The department and the AFP have delivered training to operational agencies, and are leading on the development of administrative guidance material to ensure the powers in the Assistance and Access Act are used consistently," DHA reiterated in its submission.

DHA also said it is important that a central coordinator is established for maintaining consistency, avoiding duplication, and enabling the exchange of information across jurisdictions.Such amendment is expected to come before Parliament before the end of the year.

RELATED COVERAGE