New law to force tech companies to build features for police

Government releases exposure draft of bill to increase ability of police and intelligence agencies to access communications services

Companies that provide communications services to Australians could be compelled to build new capabilities to help law enforcement agencies access information about how their services are being used, under a draft bill released today by the government.

The government says the bill — Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 — is its attempt to tackle the increased popularity of encrypted communications services among criminals and to update interception and access laws to deal with new forms of electronic communications.

The legislation will apply to “designated communications providers”: Essentially any company that provides electronic communications services and devices in Australia, regardless of whether they or their services are based here.

The proposed legislation will establish three levels of assistance that law enforcement and intelligence agencies can seek from communications providers.

The first level is voluntary assistance in response to a “technical assistance request” issued by an agency. The second level is a “technical assistance notice”, which requires a provider to give an agency assistance that the provider is already capable of providing. That could include decryption of data in circumstances where the provider has access to the key.

The third and most extreme level is a “technical capability notice”: A requirement for a company to build new capabilities to assist police. Technical capability notices must be issued by the attorney-general.

The attorney-general must be satisfied that the requirements imposed by the notice are “reasonable and proportionate” and that compliance is “practicable” and “technically feasible”.

There are also limitations on what can be requested: A technical assistance notice or technical capability notice must not have the effect of “requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection”.

The bill states that that limitation includes a bar on building “a new decryption capability in relation to a form of electronic protection” or doing anything that would “render systemic methods of authentication or encryption less effective.”

Providers also cannot be prevented from fixing a systemic weakness or vulnerability.

The powers under the legislation will be available to entities listed as “interception agencies” in the Telecommunications (Interception and Access) Act: The Australian Federal Police, the Australian Commission for Law Enforcement Integrity, the Australian Criminal Intelligence Commission, as well as state and territory police agencies and anti-corruption commissions.

The three levels of notice under the bill may be issued in a wide range of circumstances: Enforcing the criminal law and laws imposing pecuniary penalties; assisting the enforcement of the criminal laws in force in a foreign country; or protecting the public revenue.

Technical assistance notices and technical capability notices may also be issued in relation to “safeguarding national security”, while a technical assistance request may also be issued in relation to “the interests of Australia’s national security, the interests of Australia’s foreign relations or the interests of Australia’s national economic well-being.”

Section 317E of the bill creates an expansive “list of acts or things” covering the range of assistance that law enforcement agencies may be able to request from communications providers. It includes removing “electronic protection”, providing technical information, installing software, facilitating access to devices or facilities, assisting with testing or development of a technology or capability, notifying agencies of changes to a service, “modifying, or facilitating the modification of, any of the characteristics of a service provided by the designated communications provider” or “substituting, or facilitating the substitution of, a service provided by the designated communications provider”.

“We know that more than 90 per cent of data lawfully intercepted by the Australian Federal Police now uses some form of encryption. This has directly impacted around 200 serious criminal and terrorism-related investigations in the last 12 months alone,” law enforcement and cyber security minister Angus Taylor said.

“We must ensure our laws reflect the rapid take-up of secure online communications by those who seek to do us harm.

“These reforms will allow law enforcement and interception agencies to access specific communications without compromising the security of a network. The measures expressly prevent the weakening of encryption or the introduction of so-called backdoors.”

“We have had very productive meetings with industry partners based both in Australia and offshore to discuss these reforms,” the minister said. “This bill reflects those conversations.

“The public now has the opportunity to review the draft legislation and put forward submissions to government.” 

The government is accepting submissions on the exposure draft until 10 September.