New interception and access powers to encrypted communications and devices to affect carriers and device manufacturers

14 Aug 2018

Foreign and domestic communications providers, device manufacturers, component manufacturers, application providers, and traditional carriers and carriage service providers could be subject to new requirements to help law enforcement, if the Assistance & Access Bill 2018 becomes law. The Department of Home Affairs has released an exposure draft of the Bill, which confers powers on law enforcement agencies to require access to, and to intercept, encrypted communications and devices in Australia. Comments on the draft Bill are due by 10 September 2018.

What is the purpose of the Assistance & Access Bill?

The explanatory document that accompanies the Bill describes the challenge facing law enforcement:

"While the use of computers and smartphones is not new, encryption is increasingly enabled on devices and applications by default.  More than 93 per cent of Google's services and data are encrypted, as are more than 84 per cent of the web pages loaded via their Chrome browser.  This is a great outcome for cyber security.  However, encrypted devices and applications are eroding the ability of our law enforcement and security agencies to access the intelligible data necessary to conduct investigations and gather evidence.  95 per cent of the Australian Security Intelligence Organisation's (ASIO) most dangerous counter-terrorism targets actively use encrypted messages to conceal their communications."

The purpose of the Bill is to enhance the ability of law enforcement agencies to access communications content and data through three key reforms:

  1. requiring domestic providers to give reasonable assistance to Australia's key law enforcement and security agencies and extending assistance obligations to offshore providers supplying telecommunications services and devices in Australia.
  2. introducing new computer access warrants for law enforcement that will enable them to covertly obtain evidence directly from a device.
  3. enhancing the ability of law enforcement agencies to overtly access data through the existing search and seizure warrants.

The proposed new powers and changes to the Telecommunications Act

The Bill inserts a new Part 15 into the Telecommunications Act, which:

  • provides a legal basis on which a "designated communications provider" can provide voluntary assistance under a technical assistance request to assist ASIO, the Australian Secret Intelligence Service and the Australian Signals Directorate and interception agencies in the performance of their functions relating to Australia's national interests, the safeguarding of national security and the enforcement of the law;
  • allows the Director-General of Security, or the head of an interception agency, to issue a technical assistance notice requiring a designated communications provider to give assistance it is already capable of providing that is reasonable, proportionate, practicable and technically feasible. This will give agencies the flexibility to seek decryption in appropriate circumstances where providers have existing means to decrypt; and
  • allows the Attorney-General to issue a technical capability notice, requiring a designated communications provider to build a new capability that will enable it to give assistance as specified in the legislation to ASIO and interception agencies. A technical capability notice cannot require a provider to build or implement a capability to remove electronic protection, such as encryption.

Designated Communications Providers include foreign and domestic communications providers, device manufacturers, component manufacturers, application providers, and traditional carriers and carriage service providers.  The measures of the Bill apply to the functions of the designated communications provider which have a nexus to Australia.

The types of assistance that designated communications providers may be required to provide are:

  • removing a form of electronic protection applied by the provider, if the provider has an existing capability to remove this protection;
  • providing technical information like the design specifications of a device or the characteristics of a service;
  • installing, maintaining, testing or using software or equipment given to a provider by an agency;
  • formatting information obtained under a warrant;
  • facilitating access to devices or services;
  • helping agencies test or develop their own systems and capabilities;
  • notifying agencies of major changes to their systems, products or services that are relevant to the effective execution of a warrant or authorisation;
  • modifying or substituting a target service; and
  • concealing the fact that agencies have undertaken a covert operation.

The Government expects that designated communications providers will provide assistance on a no-profit, no-loss basis.  Immunities from civil liability are available in respect of assistance provided.

The Bill includes various limitations and safeguards on the use of the new powers by law enforcement agencies, including:

  • the decision-maker must be satisfied that the requirements of a technical assistance notice or technical capability notice are reasonable and proportionate and compliance with the notice is practicable and technically feasible;
  • agencies still need an underlying warrant or authorisation – new technical assistance notices and technical capability notices cannot require providers to deliver telecommunications and data without an underlying warrant or authorisation;
  • notices cannot:
    • prevent a provider from fixing a security flaw in its products or services that may be exploited by law enforcement and security agencies; or
    • require a provider to build or implement a systemic weakness or systemic vulnerability into a form of electronic protection;
  • the powers cannot be used to impose data retention capability or interception capability obligations. These will remain subject to the Telecommunications (Interception and Access) Act 1979; and
  • the powers are reserved to senior decision-makers, including the Attorney-General in the case of technical capability notices.

Next step for the telecommunications industry: making a submission

The Assistance & Access Bill will have far-reaching implications for the telecommunications industry and extends beyond the domain of carriers and carriage service providers.  It will require the industry to provide its expertise and assistance to law enforcement and security agencies on a no-profit basis.

Industry participants should review a copy of the Bill and the accompanying explanatory document and provide submissions by 10 September 2018 to [email protected].

If you would like any help in understanding how the Bill would affect your business, please contact us.
