This article is written by our South Australia President Barbara Vrettos and South Australia Executive Member Reid Honan!
The Federal Government has recently passed controversial legislation that may have broader impacts for Australia’s tech industry and professional services. The Legal Forecast believes in creating awareness of these potential issues to prevent the law stifling service delivery.
Encryption affects all parties in the same way. Increased use of encryption has combated criminal endeavours but also hindered police investigations. Police and other law enforcement agencies have intercepted masses of data only to be baffled by increasingly standard encryption.
In response to this, Australia recently passed a new piece of legislation, the “Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018” or the AA Act. This legislation aims to address the use of encryption and require companies to build a workaround.
This legislation addresses a very real problem. However, the practical implementation of, and compliance with, the legislation is problematic. This blog provides an overview of some key issues raised in the drafting of the legislation and also a perspective from Angus Murray, co-founder and Director of The Legal Forecast, as to the challenges we may see as this legislation is put into practice.
PART 1: Exploring the Legislation
The AA Act came into effect on the 8th of December 2018 and allows law enforcement agencies to issue a range of notices or requests requiring companies to modify their software and services to allow access to information that would not otherwise be accessible.
This legislation applies to “communication services providers,” a broad term practically capturing almost anyone providing services or products involving the internet. There are steep financial penalties for those who do not comply.
Despite 105 submissions from various entities and individuals, the legislation was passed with no amendments. A few themes have emerged from the critique of the Act, which are explored below.
1) Broad Powers Weakening Cybersecurity
The legislation was approved with remarkable speed but encompasses many vague concepts. The current government has hinted as to how these should be interpreted but these suggestions have no legislative standing, opening the door to wide or narrow interpretations by future courts or governments.
Specifically, the definitions of “Systemic weakness” and “Systemic vulnerabilities” have come under critique. These terms are used to describe the limits of the Act, as notices delivered cannot expect companies to weaken their systems. Apple submits that “despite this encouraging language, the bill grants extraordinarily broad and vague powers that, the government may argue, allow them to force companies to build tools that ultimately weaken the security of their products.”
Additionally, if the encryption is tampered with to target a single individual, the law’s ambition to prevent the creation of systemic vulnerabilities may be short-sighted. Even though the Act focuses on targeted capabilities to identify individuals, it is a very real possibility that methods to decrypt data for certain circumstances may become a systemic vulnerability as bad actors use those same methods.
It is impossible to guarantee that malicious actors will not find a way to use these alternate means if they are built into all systems. The Internet Engineering Task Force, a global body responsible for internet standards, echoes this in stating that “any method used to compel an infrastructure provider to break encryption … creates a systemic weakness”.
2) Infringing Personal Rights
The protection of human rights has also come under scrutiny. In the Australian Human Rights Commission’s submission, a key concern was how the bill would “authorise intrusive and covert powers that could significantly limit an individual’s right to privacy and freedom of expression amongst other rights.”
The Commission added that these infringements would be felt not only by persons of interest but by the public at large, due to the nature of the communication being intercepted.
3) Lack of Judicial Oversight
The AA Act borrows heavily from a recent piece of British legislation, with one key component missing: judicial oversight. Currently the legislation does not require judicial approval or a warrant for a legally binding request to be issued. These requests are made at the discretion of the investigating body, therefore challenging the separation of powers.
4) Stifling Secrecy Mandates
Developers all across the country are concerned about the secrecy mandates on the requests. Currently the legislation forces the receiver of the request to either comply or face jail time. Should the receiver attempt to talk to anyone about the request, it is a minimum 5-year jail sentence. This is regardless of whether it was another employee, a reporter or a lawyer.
These secrecy mandates are especially difficult to maintain when working in software where multiple people oversee and review the code on a daily basis. Additionally, this stifles any legitimate conversation of legal or ethical concerns in complying with a notice.
5) Extraterritoriality and Global Impact
Another effect of this legislation is that Australian software products may be considered ‘potentially compromised’, meaning they can become unattractive to critical markets. Why would a company take the risk that the Australian Government has placed a ‘side door’ into the program when they can buy a different one instead? Due to the secrecy requirements, the company would also be unaware that they had a ‘side door’ in their product.
Technology service provider, Senetas, stated that this bill could lead to the potential “loss of trust in Australian cyber security R&D and products” and that could lead to a “decline in the current value of exports”, and “the loss of jobs and technical expertise in this industry as companies look to relocate offshore.”
There is also concern that dealing with European countries more broadly could become an issue, as the AA Act may stand in conflict with the General Data Protection Regulation (GDPR).
PART 2: The ‘AA Act’ in Action
Much speculation remains around how this legislation will be enforced in practice. We are lucky to have Angus Murray, co-founder and Director of The Legal Forecast, share his expertise in the area to forecast how this legislation may impact the legal profession.
1) What do you find most problematic about this legislation?
Firstly, I have deep concerns about the manner and speed of the introduction of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018. This was an extremely complex piece of legislation that amends telecommunications and surveillance legislation and there was very little time for proper and fulsome consultation with industry and civil society. I gave evidence before the Parliamentary Joint Committee on Intelligence and Security (“PJCIS”) on 19 October 2019 to this effect and the video recording of this evidence is located here. It is disappointing that the Assistance and Access Bill passed in December 2018 without amendment.
This Act has the real potential to alter this country and affect future generations. This includes those who are not yet aware of the serious impact that this Act presents to the fundamental rights that Australians ought to expect and enjoy and be able to enforce. In my view, the Act requires further consideration (noting that it remains before the PJCIS with final submissions being accepted by 22 February 2019). Most operatively, the Act requires greater judicial oversight, a reduction in scope and clearer reporting obligations.
2) How do you think the AA Act will impact legal practice?
It is likely easiest to reference a joint submission that I co-authored that was made to the PJCIS to cover the full ambit of 38 recommendations made in relation to the Bill and that submission can be located here.
More generally, the Act creates extremely broad powers with almost no oversight and without any substantive justification. The possibility that such powers might be needed in future is not a proper basis for the making of law. The most profound potential impact on legal practice is the definition of “designated communications provider” pursuant to section 317C of the Telecommunications Act 1997 (“the Act”). This definition covers an extremely broad range of providers including websites pursuant to s. 317D(2) of the Act and would include law tech providers, law practice websites and practice management systems. The Act enables a Technical Assistance Notice, Technical Capability Notice and/or Technical Assistance Request to issue to a “designated communications provider” and this could fundamentally undermine confidence in the legal profession.
3) What changes would be necessary to ensure the legislation achieves its aims without compromising professional integrity and human rights?
I again recommend the proposals made in the above-mentioned submission; however, the best safeguard would, in my view, be the introduction of enforceable Federal human rights legislation that includes the right to privacy and greater judicial oversight of the operation of the Assistance and Access amendments.
The Legal Forecast sees this Act as raising a variety of concerns and creating significant issues for many communication service providers. A broader review of the legislation will occur in April 2019 and it is our hope that many of these impacts will be considered to ensure that this legislation does not discourage technological development, innovation and the provision of professional services in Australia.