Myths about the Assistance and Access Act
The Assistance and Access Act creates a pathway for industry to deliver assistance to law enforcement and intelligence agencies where necessary. It does not allow for mass surveillance, the creation of decryption capabilities, the implementation of so-called ‘backdoors’ or the issuing of ‘secret notices’ on employees of communications providers. The Assistance and Access Act is focused on seeking help from corporate entities that are critical to the supply of communications services and devices in Australia. It does not discriminate between foreign and Australian companies conducting business offshore or place obligations on persons by virtue of their Australian citizenship.
Some common myths about the Assistance and Access Act are identified and corrected below.
This law will create backdoors and undermine information security
The Assistance and Access Act contains an express prohibition against building or implementing any weakness or vulnerability in software or physical devices that would jeopardise the security of innocent users. This is found in
section 317ZG of the Act which also makes clear that any assistance that makes a system's encryption or authentication less effective for general users is strictly prohibited. This same section prohibits the construction of new decryption capabilities and rules out any requirements that would prevent a company from patching existing security flaws in their systems.
All proposed requirements to build a new capability can be referred to an independent assessment panel consisting of a technical expert and a retired judge. This panel must consider whether the proposed requirements contravene the explicit prohibition against 'backdoors'.
In fact, the Act has no ability to compel a company to build any type of capability that removes a form of electronic protection, like encryption. That is, if the company is not already capable of decrypting something, nothing in the Act can require them to build a capability to do it.
This law does not have adequate oversight
All requests and requirements on industry are subject to extensive independent oversight by either the Inspector-General of Intelligence and Security, the Commonwealth Ombudsman or State and Territory oversight bodies. The relevant Commonwealth body is notified whenever a notice for assistance is issued, varied, extended or revoked. When an agency issues a notice, they must notify the company of their right to complain to the relevant body. Both the Commonwealth Ombudsman and the Inspector-General of Intelligence and Security have the authority to inspect agency use of these powers by relevant agencies at any time. These bodies may make reports to Parliament on the outcome of their inspections.
Compulsory powers carry additional oversight measures to ensure they are used appropriately. For example, where a State or Territory law enforcement agency issues a notice to compel technical assistance, it must first be reviewed by the Australian Federal Police Commissioner.
Strict oversight also applies before a company can be compelled to build a new capability. Technical capability notices may only be issued by the Attorney-General. The Attorney-General’s decision must also be reviewed and approved by the Minister for Communications. This creates a double-lock approval process to ensure the assistance sought has been thoroughly scrutinised and is reasonable, proportionate, practicable and technically feasible.
A company may also refer any requirement to build a capability to an independent assessment panel consisting of a retired senior judge and a technical expert. This panel must consider whether proposed requirements will inadvertently create a backdoor. Further, any decision to compel assistance may be challenged through judicial review proceedings.
Public transparency is insufficient
Given the sensitive work done by law enforcement, security and intelligence agencies and the need to protect commercially sensitive information, it will not always be possible to disclose sensitive details of how assistance has been provided. This principle is consistent with the current protections given to operational intelligence held by Australia’s law enforcement and intelligence community.
Visibility over the use of the industry assistance powers is possible through mandated annual reporting requirements which require law enforcement agencies to record the number of times each power is used within a 12-month period and also disclose the type of offences the powers were used to investigate. This data will be included in the annual report required to be prepared under
subsection 186(2) of the
Telecommunications (Interception and Access) Act 1979 alongside data concerning the use of related warrants and authorisations.
Companies and their specified personnel are also authorised to make statistical disclosures to reveal the number of requests and notices received over the course of a six-month period and reveal whether that assistance was voluntary or compulsory. Additionally, where a company provides assistance they may seek authorisation from the issuing agency to disclose information about this assistance. This process will ensure operational details are protected, while giving companies the possibility to inform interested parties about the help they are giving to authorities. Provision for these disclosures appears in
subsections 317ZF(13) and
317ZF(14) – (17).
Police will use this law to prosecute minor offences
The industry assistance powers are only available to agencies in limited circumstances. There is an express requirement that the industry assistance powers can only be used by police to enforce the criminal law for serious offences, being offences that involve a penalty of at least three years imprisonment.
To access communications content and data an underlying warrant or authorisation is still required. For example, the legislation does not replace the need for police to seek a warrant from an independent authority to intercept communications. Generally these warrants are available for offences punishable by a maximum of seven years imprisonment or more.
The availability of these powers may expand due to scope creep
The list of agencies with access to industry assistance powers can only be expanded through legislative amendment, which would include further parliamentary scrutiny. Only Australia’s core law enforcement, security and intelligence agencies are able to utilise the industry assistance powers.
The Five Eyes alliance may take advantage of this law
The Assistance and Access Act is an Australian solution to an Australian problem – it was not requested by, or designed for, Australia’s Five Eyes partner countries. While the Five Eyes share intelligence for security purposes, foreign assistance in connection with information obtained under this legislation will be undertaken consistent within the established mutual legal assistance process or through existing, and bounded, channels of cooperation. Foreign partnerships are critical to the detection and disruption of transnational crime and attacks that are coordinated through several countries.
The industry assistance powers for intelligence gathering are limited to collecting intelligence connected with Australia. This is because the Act requires a geographical nexus between the activities of a company and Australia. Further, access to content or non-content data through industry assistance powers requires a valid warrant or authorisation.
Capabilities built by the Government will leak
Both industry and law enforcement and security agencies have robust procedures in place to protect sensitive information and have made significant investments in the development of strong cyber security protocols that will be used to secure information relating to any form of assistance. Additionally, Australia’s law enforcement and security agencies are experienced in managing operational sensitivities and will take steps to minimise risks or exposure of information.
This law will lead to mass surveillance
The Assistance and Access Act does not authorise mass surveillance. The Act expressly prohibits the Government from requiring a company to build an interception capability or a data retention capability. Any requirements must be reasonable, proportionate, practicable and technically feasible and are subject to independent oversight and judicial review.
If conducted, digital surveillance must be consistent with existing legal regimes, like the warrant process for intercepting telecommunications in the Telecommunications (Interception and Access) Act 1979.
The powers available under these laws are inherently targeted.
This law can compel employees to work in secret without the knowledge of their organisation
Media reporting that has proposed this scenario is incorrect and misleading. The industry assistance framework is concerned with getting help from companies not people acting in their capacity as an employee of a company. Requests for assistance will be served on the corporate entity itself in line with the deeming service provisions in
section 317ZL. A notice may be served on an individual if that individual is a sole-trader and their own corporate entity.
A company issued a notice can disclose information about it under
paragraph 317ZF(3)(a) in connection with the administration or execution of that notice. This allows an employer to disclose information to their employee and vice versa in the normal course of their duty.
Additionally, a company may disclose statistical information about the fact that they have received a notice consistent with
subsection 317ZF(13). Further, companies and their specified personnel may disclose notice information for the purposes of legal proceedings, in accordance with any requirements of law or for the purpose of obtaining legal advice. The notices themselves are therefore not ‘secret’ but information about their substance is controlled to protect sensitive operational and commercial information.
This law will harm Australia’s tech sector
The Assistance and Access Act and, specifically, the industry assistance powers are not unique to Australia. This legislation comes after the passage of the UK’s
Investigatory Powers Act 2016 and New Zealand’s
Telecommunications (Interception Capability and Security) Act 2013, both of which deal with similar subject matter and provide powers to compel assistance from private companies.
During the development of the Australian legislation, the Government recognised concerns that the possibility of undisclosed changes to a company’s services could harm products’ competiveness at market. To answer these concerns, the legislation includes provisions for companies to publish statistics regarding the number of requests or notices they have received in a six month period under subsection 317ZF(13) – including where this number is zero – and make conditional disclosures to interested parties about assistance given under subsections 317ZF(14)-(17). In practice, this will leave most companies unaffected, as they will be able to disclose that they have not been asked to provide assistance, while companies who do assist can demonstrate that their systems are not compromised by the assistance they have provided, consistent with the law’s explicit protections against the creation of backdoors or the degradation of security features.
Australian companies and their employees will be hardest hit by this law
Companies that supply communications services and devices in Australia, regardless of whether they are incorporated in Australia or not, may be the subject of technical assistance obligations under the Assistance and Access Act. The measures do not place a greater burden on Australian companies nor do they allow authorities to compel Australian citizens working for communications companies offshore. Additionally, if issued a notice, Australian companies who primarily conduct business overseas are only obliged to assist Australian authorities to the extent that their activities relate to products and services being used within Australia. Services provided by Australian companies to persons offshore that relate to activities offshore are not classified as ‘eligible activities’ for the purposes of the legislation and are thus not captured by these laws.
The Act’s provision for penalties against individuals is not intended to apply to employees of a non-compliant company. If a company does not comply with their assistance obligations, any enforcement action that may be undertaken will apply to the enterprise. Penalties for individuals in the legislation are for the purpose of potential enforcement proceedings against sole-traders and individuals acting as businesses.
Criminal offences for the disclosure of sensitive and protected information (including sensitive commercial information) apply equally to Government officials and agency personnel and are consistent with secrecy provisions in other Commonwealth laws. Importantly, a suite of exceptions to the offence of unauthorised disclosure applicable to providers and specified personnel are listed in
subsections 317ZF(3), (12B), (13), (15) and (16).