Australia’s Controversial Encrypted Messaging Laws, Explained


Australia’s sweeping anti-encrypted messaging laws have been in effect for nearly two years but a Senate committee is conducting a review on whether they’re too powerful and still necessary. To help bring you up to speed, let’s take a look at how the Assistance and Access law works and why experts are concerned about it.

What is the Assistance and Access Act?

In September 2018, a new Bill was introduced to Parliament, proposing Australia’s intelligence agencies be granted the power to compel tech companies to de-encrypt communications.

It was called the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 or TOLA and a few short months and an amendment later, it passed both houses and became law.

The Assistance and Access Act allows Australia’s intelligence agencies — ASIO, ASIS and ASD — to request or require tech companies to hand over encrypted data or messages.

It does this through three key features — Technical Assistance Requests (TAR), Technical Assistance Notices (TAN) and Technical Capability Notices (TCN).

The first is fairly simple to understand. A TAR is a voluntary request to companies hosting data to hand it over. Considering how encrypted messaging systems are designed for message contents to only be readable by recipients, this is a complicated request.

The TAN and TCN are a little more vague and the Home Affairs department’s explanation doesn’t make it any clearer. The TAN is a compulsory order to assist the spy agency with their request but “does not require a provider to build a capability or functionality they do not already possess”.

This essentially means a company is required to hand the data over. If the company’s platform doesn’t have decryption capabilities or a ‘backdoor’ built in, it’s not likely it will be able to comply with the request.

Finally, a TCN is a compulsory order. It compels the company to assist the agency in providing the information it requests, but the company cannot be forced to build a ‘backdoor’ into the service.

“[The company] must provide that assistance, including building a capability or functionality to provide that assistance,” Home Affairs’ explanation reads.

“Importantly, a TCN is expressly prohibited from requiring the building of a capability to decrypt information or remove electronic protection.”

How this could work in practice is difficult to comprehend, and that’s by design, given the nature of how spy agencies operate. It’s possible, however, that a company might be required to allow the agencies to target suspected criminals by inserting spyware that would allow them to read encrypted messages.

This method was used by a European taskforce earlier this year to infiltrate the encrypted communications of an organised crime network, resulting in the arrests of more than 700 suspected criminals.

In February 2020, ASIO’s head, Mike Burgess, delivered a speech at the agency’s Annual Threat Assessment. He said the agency had used the Assistance and Access Act within 10 days of it passing Parliament.

“Technology should not be beyond the rule of law … Encrypted communications damage intelligence coverage in nine out of 10 priority counter terrorism cases,” Burgess said in the speech.

“I can confirm that ASIO has used the Assistance and Access Act to protect Australians from serious harm. We needed to take advantage of the new powers within 10 days of the legislation coming into effect — a clear indication of its significance to our mission.

“And I’m happy to report that the internet did not break as a result!”

Given the broad-sweeping nature of the laws targeting sensitive information, TOLA has been intensely criticised by data experts and the tech companies beholden to it. The general Australian public has also not been so keen on ASIO or other agencies being granted the ability to read their encrypted messages.

Why are experts and tech companies critical of it?

The obvious privacy concerns at play here are numerous, but some of the strongest arguments have focused on how the law could create hacking vulnerabilities in its quest to allow spy agencies to ‘peek’ in.

Robert Merkel, a lecturer at Monash University, wrote at the time of the Bill’s passing that building technical capabilities to allow law enforcement to decrypt messages could pave the way for malicious actors.

“It is extraordinarily difficult to create mechanisms that allow law enforcement to gain access to information about specific people from specific systems, while posing no risk that anyone else can use the same mechanism to gain unauthorised access to other information,” Merkel wrote.

“In other words, a ‘targeted capability’ could easily end up becoming a ‘systemic vulnerability’.”

It’s not just cybersecurity experts that are against the law — the tech companies subject to it aren’t happy, either.

Reform Government Surveillance (RGS), a coalition of the world’s biggest tech companies including Google and Apple, criticised the legislation back in December 2018, calling it deeply flawed, overly broad and lacking in adequate independent oversight.

Australia’s own software management company, Atlassian, has also appeared before a Senate committee to detail the law’s impact on its business, stating it was negatively affecting the technology sector.

“It is my belief that the very rushed nature in which the TOLA bill was passed and then also the nature of the rights granted to government under TOLA have had a negative impact on the reputation of the Australian technology sector,” Patrick Zhang, Atlassian’s head of IP, policy and government affairs, told the committee.

“I think the fear is that by working with an Australian company, whether by using its product or as a vendor, is that company going to be subject to orders by the government to weaken its security, or to build backdoors, that will make the product less secure and expose a weak link, if you will, in the technology supply chain.”

In a podcast appearance in June, ASIO’s Burgess said having private communications was a good thing but when spy agencies needed to investigate, tech companies, both local and foreign, needed to comply.

“In our country under the rule of law, if we have a warrant — so we’ve met a legal threshold and the appropriate person has said, ‘Yes, you can have this access’ — we would expect companies to cooperate and actually ensure that there is lawful access,” Burgess said in the Work With Purpose podcast.

Burgess went on to dismiss critics of the legislation’s lack of oversight, saying the laws were proportionate to ASIO’s needs.

“[Critics] would say ‘You’re the deep state, you want to look at everything, you’ve got no oversight and you keep asking for new laws,’” Burgess said in the podcast.

“Well, all that is just simple nonsense. We ask for laws that are proportionate to the threat we’re dealing with.”

Regardless of Burgess’ personal opinions on the matter, it’s because of these concerns that the law is facing a review by a Senate committee. It’s due to deliver its report in September 2020.

What’s happening with the law’s review?

Once the law was passed, it was referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for further scrutiny. An initial report was delivered in April 2019 by the committee, recommending that the country’s spy watchdog, the Independent National Security Legislation Monitor, be given the time and resources to conduct an independent review of the law.

Fast forward a year and the watchdog, headed by Dr James Renwick, delivered that report in July 2020. Dr Renwick’s findings revealed the legislation lacked the necessary independent oversight given the technical notices or requests are signed off by an agency head or the Attorney-General.

Instead, Dr Renwick’s report recommended a retired judge with a team of legal and technical experts should decide on whether or not to serve a de-encryption request to a company.

“These are powers designed to compel a DCP [Designated Communications Provider] to reveal private information or data of its customers and therefore the usual practice of independent authorisation should apply,” the report read.

“This independence engenders the necessary trust in the minds of members of the public that the powers are being exercised in a manner that is no more than is necessary … the powers under TOLA cannot be exercised, let alone their impact understood, in the absence of independent technical expertise.”

The PJCIS’s review is still underway and is due to finish by 30 September 2020. It is hearing from various affected companies, the law enforcement agencies that benefit from it and relevant advocacy groups.

Figures from ASIO, the AFP, the NSW Police Force and the Department of Home Affairs will front another public hearing on August 7. This hearing will discuss how the agencies have used the TOLA Act so far.

The AFP’s supplementary submission revealed eight TARs were issued between December 2018 and July 2020. However, not a single compulsory TAN or TCN was served during that period.

ASIO’s submission was redacted on the basis that it contained classified information.

Either way, we should know about the law’s future by the end of September 2020. Hopefully some of these real and legitimate concerns about the law will be properly addressed rather than swatted away and deemed ‘simple nonsense’.