On 18 March 2019, the VSCL ran a panel event on the current encryption law debate and how Australian businesses, and in particular tech start-ups, are likely to be impacted by the new laws.
Moderated by Robert Ceglia (Lawyer @ Corrs), the panel consisted of Michael Swinson (KWM Partner, TMET – Mergers & Acquisitions), with expertise in IT and telecommunications law; Georg Thomas (Corrs National Security & Risk Manager), a Certified Ethical Hacker, who offered the panel a technical and risk management perspective on encryption issues; and Michael Pattison (ContractProbe Founder), who offered insight both from a start-up perspective and from his strong foundations in the technology and legal fields.
The panel provided a brief overview of what encryption is, before moving on to the content and effects of the new encryption laws. The new encryption legislation covers “designated communications providers”, a term which the panel explained has an unreasonably broad application, and which could apply to anyone who touches or installs customer equipment in Australia – including the individual sales person selling you a modem in store.
The panel noted that it is difficult to argue against the original policy objectives behind the encryption legislation (enabling our security agencies to investigate serious crimes and matters of national security). They also flagged the key concerns with the legislation, including that it appeared rushed, that it is at times absurd in its potentially unintended consequences given its current reach, that it lacks processes to provide oversight and transparency, and that it is likely to stifle innovation in applications and technology relying upon encryption in Australia. Finally, the panel discussed the best options for Australian businesses, outlining that there are advantages to voluntary compliance.
The panel began by providing a brief overview of the three tiers of requests and notices that can be issued under the new laws:
Technical assistance requests (TARs) (voluntary)
These requests are problematic, even if voluntary, as many small companies and start-ups will comply due to the perceived pressure that comes from the request being made by a government agency, and from being unsure what else they are within their rights to do.
The requests are “voluntary”; however, if a business does not comply, the government agency may then elect to issue a technical assistance notice (TAN), which is compulsory to comply with.
Technical assistance notices (TANs) (mandatory)
These notices require you to give ASIO (or other government entities) assistance, and it is an offence not to comply; this introduces an element of compulsion not present in the TAR.
This notice is restricted to the current state of your network – if you do not have the capability to do what is requested (for example, decrypt or hand over encrypted data), then the government entity cannot use this type of notice to make you build such a capability in.
Technical capability notices (TCNs) (mandatory)
This notice is compulsory, like the TAN.
Unlike the TAN however, this notice may require you to build a capability or feature into your network or hardware.
This capability or feature may be required to render assistance to the government entity in the present moment, or at any later date.
The panel then moved into a discussion of some of the problems and undesirable effects the legislation is likely to have.
Many have argued, and the panel agreed, that the legislation is an overreach when compared against the objectives it was sold as seeking to achieve – preventing major crimes, with child pornography and terrorism being the two main examples. As currently drafted, more minor crimes attracting minimum prison terms of 3+ years will also be caught in the ambit of the new encryption laws.
The legislation also lists as an exclusion any information you would usually need a warrant in order to access; so, these laws can’t be used to subvert that system. However, the laws could still realistically allow government agencies to require companies to comply with TANs and TCNs to provide information in relation to crimes carrying a punishable term of 3+ years, which is a very broad departure from the original aims of the legislation.
The requirement to keep notices secret also attracted criticism and is of particular concern for small businesses, start-ups, and other smaller actors for whom seeking legal assistance and advice is a more onerous burden. The inability to share information with others in a similar situation increases the likelihood of these actors simply complying with requests to avoid the costs of advice, even if they have only received a TAR and are not compulsorily required to comply, or could have negotiated the terms of their compliance.
Lack of oversight and transparency
Many hold privacy concerns regarding the new encryption laws providing Government with access to encrypted records when it remains unclear what that information may come to be used for. The panel also espoused the view that the legislation provides the executive arm of government with a largely unfettered power, with the Attorney General acting as the “technical gatekeeper”. Members of the audience raised that typically the judiciary would be involved in providing oversight and determining when it is appropriate for such access to personal records to be granted. But this is not the case with Australia’s new encryption laws.
Also concerning is that the Attorney General, as the ultimate decision maker, can override the opinions of technical experts. Companies who are concerned about the effect a request or notice may have on their systems may request that a technical expert provide an assessment of whether complying with the request or notice would introduce a vulnerability or systemic weakness into their product. This assessment is then provided to the Attorney General. Whilst this has the potential to be a useful safeguard for businesses, the assessment is non-binding on the Attorney General, who may override it.
Whilst government agencies can’t require you to introduce a systemic weakness/vulnerability into your system, the decision about what a systemic weakness/vulnerability is ultimately rests with the executive arm of Government, as we’ve discussed above. Further, concerns were also discussed surrounding the introduction of non-systemic vulnerabilities, especially about what this means, and whether such vulnerabilities are likely to open a can of worms where these vulnerabilities could be used in unforeseen ways and leveraged by malicious actors.
The panel also considered the problematic application of the law to apps. Because you cannot target individual app users, the required feature or capability must be added to the app distributed through the app store/play store, meaning that everyone who uses that app will subsequently be affected by the feature or vulnerability (depending on how you view it), without the functionality being permitted to be disclosed. This gives the legislation an incredibly broad reach and carries the risk that it could be abused as a back-door information gathering mechanism.
Take homes – what can businesses do right now?
The panel suggested that there are advantages to complying on a voluntary basis, such as being able to negotiate terms rather than refusing to comply with a voluntary TAR and then being issued with a mandatory TAN. Not only should businesses seek to understand their rights upon being issued a request or notice – including being allowed to disclose to their lawyer that they’ve received a notice or request – but they should also make sure that they have the policies and procedures already in place, in case they do receive one.