The Australian Assistance and Access Bill - An In Depth Guide
What It Means, How It Applies and What You Can Do
Early in December, while most people were rushing to finalise everything in time for the holiday season, Australia’s elected representatives were busy squeezing a large piece of legislation through Parliament. They did this with a minimum of fuss and publicity, taking care to avoid as much media attention as possible. The legislation was the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the Bill).
I’ve spent the last month reviewing, reflecting on and (often) ranting about this Bill. I shared a shorter version of my thoughts on a recent podcast episode. My conclusion is that this Bill represents one of the greatest setbacks to digital privacy and security in the internet age.
That’s a big claim, especially for something that’s slipped by largely unnoticed – but the legislation represents such a significant (and invasive) shift in government policy and digital rights that, as you’ll soon see, its potential consequences can’t be overstated.
My goal in this piece is threefold. First, we’ll look at the Bill in detail. We’ll investigate what it says, what powers it gives Government agencies and how they may exert those powers on businesses and individuals. Second, we’ll investigate the limitations and exceptions which regulate when and how agencies are able to force people to comply with their orders. We’ll also review the various methods of appeals and disputes available under the legislation.
Finally, I’ll detail what this all means for businesses and professionals, both here in Australia and elsewhere in the world. This will include some tips for minimising the chance a notice can be enforced on you and how to mitigate the risks should you be forced to comply.
A (short) History of the Bill
The Bill was first introduced to Parliament on 20 September 2018. Its purpose was to give intelligence agencies and Federal Police the power to compel individuals and companies to provide them with sensitive data, build deliberate ‘back doors’ in their software and even decrypt secure data. Portions of the Bill were motivated, at least in part, by the continued inability of law enforcement to compel international companies like Facebook and Snapchat to turn over relevant chat logs in the investigation of serious crimes.
In prior public discussions, there was wide support for an increased ability to request chat logs from multinational corporations – even from the technology community. However, the scope of the proposed legislation significantly widened as the Bill was drafted, most likely through the influence of the Five Eyes intelligence network (which I’ll cover below). What resulted was a Bill with a far broader mandate than requests to social networks for chat logs of suspected paedophiles. It was a wide-ranging, 1984-esque blueprint for an enforced digital spy network hidden on corporate servers and software.
After the Bill’s introduction, a (quiet) request was put out to the technology community for feedback. Given feedback was only accepted for a few weeks after its introduction, the majority of the tech community either didn’t find out about the Bill or were unable to get sensible feedback together in time.
Several organisations did however, including RMIT, the Electronic Frontier Foundation and Apple. To say the feedback was negative would be an understatement. Given the level of criticism and concern from the technology community, it was assumed that the Bill would be significantly redrafted and a new version tabled in the New Year.
However in early December it was announced that the Bill (with some further expansions to agency powers) would be pressing on, and that the Government was aiming to have it passed prior to the holiday break. While they initially stalled, the opposition Labor party eventually gave their support and the Bill passed by both houses of Parliament prior to the break. The Bill is now valid law and can be viewed (as passed) here.
A Little Bit about Five Eyes
Before we begin dissecting the Bill, we should quickly cover Five Eyes. If you’re already familiar with the Five Eyes Surveillance and Law Enforcement Agreement (and the broader Fourteen Eyes network), then please feel free to skip ahead.
Five Eyes is an intelligence alliance of five member states – Australia, New Zealand, Canada, the United Kingdom and the United States. It’s essentially a multi-national spy network which allows agencies from member states to ‘assist’ other agencies within the network.
Former NSA contractor and whistleblower Edward Snowden described Five Eyes as a “supra-national intelligence organisation that does not answer to the known laws of its own countries”. Snowden’s leaks demonstrated that the Five Eyes alliance allowed a member nation to neatly circumvent its own domestic regulations by allowing another alliance nation to spy on its citizens, and then share that information with the member nation’s surveillance organisations. It remains one of the strongest espionage alliances in the world.
Cooperation between the two countries, particularly, in SIGINT, is so close that it becomes very difficult to know who is doing what […] it’s just organizational mess.
– Former British Spy on Five Eyes
The practical effect of Five Eyes was perhaps most aptly demonstrated by the recent arrest (and subsequent release) of Kim Dotcom by New Zealand Police at the behest of the United States FBI.
When considering the AA Bill, the Five Eyes arrangement must naturally be factored into the mix. Indeed, the mandates of the Bill conform with the wider intelligence strategy foreshadowed at the latest Five Eyes summit held in August 2018, because it permits acting on behalf of foreign governments. The Bill can therefore be used to perform surveillance not only for Australian agencies, but for the remaining Five Eyes nations.
Who does the Bill apply to?
With the groundwork out of the way, let’s get into the Bill itself. The first question we must always ask when analysing new legislation is who it applies to. In the case of the AA Bill, it’s almost everyone.
Under the current terms, anyone considered a designated communications provider can be served with notices. You can be a designated communications provider if you “provide an electronic service that has one or more end-users in Australia.”
An electronic service is classified as, “a service which allows end-users to access material using a carriage service (the internet)”, and includes websites. This means anyone who runs a website, develops software or provides any kind of service to users could be captured by the definition.
The Bill also states that a designated communications provider is anyone who manufactures, supplies or installs equipment, components, data processing devices, or software. If you’re an employee, contractor or administrator of any company which has a computer, a piece of electronic equipment or a data collection device, you’re also a designated communications provider for the purposes of the Bill. Basically, if you’re involved in any way with technology, this Bill applies to you.
The breadth of this Bill’s application is quite stunning. From a social network with millions of users to a small company developing transmitter chips, many (if not most) Australian businesses can expect that one day they may receive a notice or be covertly breached by one of their employees/contractors. Likewise, individuals may one day be asked to ‘hack’ their own companies, essentially performing corporate espionage.
What Can They Make Me Do?
It’s important to note that the Bill is effectively split into two halves. The first half, which I’ll call the Intelligence Rules, deals with what intelligence agencies like ASIO can compel someone to do using this Bill. The second, which I’ll call the Police Rules, relates to what law enforcement officers, like officers of the Federal and State police, can force someone to do. There’s significant crossover between the two, so I’ll try throughout this article to make it clear where it relates to one or both of these rules.
The Intelligence Rules set out a number of ‘acts and things’ which intelligence agencies can force someone to do under the Bill. It’s an incredibly long list, but the most important acts they can require you to do are:
- remove one or more forms of electronic protection in any software under your control;
- install, maintain, test and use software or equipment;
- provide access to your facility, equipment, devices, services, software, applications or communications;
- test, modify, deploy and maintain technology which they install on your software/hardware;
- modify your business model or service;
- cease using a certain service provider in your software and begin using another (which they stipulate); and
- conceal the fact that you’ve done any of the above acts, as long as you do not have to be dishonest.
As you can see, it’s an incredibly broad and invasive list of powers. To exercise these powers, the intelligence agency must serve an individual or company with a notice. We’ll deal with the specifics of these notices later, but they must specify how an agency’s demands qualify as ‘acts or things’ under the Bill.
While the powers provided to law enforcement are somewhat similar, there are some differences with the Police Rules. The Police Rules are amendments to already existing powers for police to investigate and access computer systems with a warrant. However, while police were previously only given passive investigative powers, these are far more active, in that they enable officers to use, alter, delete and even conceal their work on a company’s systems.
How can they do this? Through a new instrument called an assistance order. This is something that all law enforcement officers can apply for, and once granted, it allows them to compel anyone to provide “information or assistance that is reasonable or necessary” to enable police to do any of the following:
- access data held in a computer;
- copy data held in the computer to their device; or
- convert data into a form which will assist the officer to use it.
Just like the Intelligence Rules, this can be a business owner, employee, contractor or even a system administrator. It’s also not just limited to Australia – the new Bill allows officers to apply to an Australian Judge for permission to gain access (forcibly, if necessary) to computers anywhere in the world.
How Can They Compel Me to Do It?
Under the Intelligence Rules, agencies can compel an individual or company to do what they want through use of a notice. There are three different types of notices introduced under the Bill – Technical Assistance Requests (TAR), Technical Assistance Notices (TAN) and Technical Capability Notices (TCN). Many of the basic requirements for each are the same or substantially similar, but the main differences are what each type of notice can (and can’t) compel you to do.
A TAN for example may ask a company to provide chat logs for a specific user suspected of a crime. A TCN on the other hand could require a company to completely redesign their software to actively report the activity of all users back to an agency.
It’s therefore important to understand what each request, notice and order can demand, and how that must be communicated.
Intelligence Rules – Technical Assistance Requests
A TAR is a voluntary notice under the Bill and doesn’t need to be complied with. Agencies can use it to request that you voluntarily do the acts or things we listed earlier to help them achieve any relevant objectives. What’s a relevant objective? The Bill says that it’s anything that relates to:
- safeguarding national security;
- the interests of Australia’s foreign relations, economic wellbeing or security;
- security and integrity of information communicated electronically;
- enforcing criminal law relating to serious Australian offences; or
- enforcing criminal law relating to serious foreign offences.
This request can be given in written or verbal form, but you must be advised that compliance is voluntary. The request must be reasonable and proportionate, and compliance must be practicable and reasonably feasible.
I won’t spend much time on TARs simply because they’re voluntary. My recommendation would be to seek advice whenever you’re served with a voluntary notice, but given what you may be expected to do, I’d caution against ever consenting to voluntarily have your software (or the software of your employer, as the case may be) compromised by anyone, including law enforcement, without some very strict requirements around what can and can’t be done. Be aware that you’re not protected from civil liability for compliance with a TAR (we’ll deal with this in more detail later).
Intelligence Rules – Technical Assistance Notices
Technical Assistance Notices (TAN) are similar in many ways to the above TARs except they aren’t voluntary. Once you’re served with a TAN, you must comply with the directions given to you (unless you dispute the TAN, which we’ll deal with later). As with the TARs, the directions from the agency must be in relation to the relevant objectives and be a listed act or thing.
Generally speaking, a TAN is focused on things that you’re already able to do with your current systems and technologies. For example, if you run an online service which allows users to upload and store their confidential documents, you would be required to give access to that storage under a TAN. However, if those documents are encrypted and you don’t have a way to decrypt them yourself, a TAN could not compel you to alter your software so you receive a copy of the encryption keys when users register their accounts.
In essence, a TAN is like a more invasive warrant. Not only are you required to give your data up to the authorities, you’re also obliged to assist them in any way they need to access, use, alter, decrypt and delete your data (or the data of your customers). This doesn’t mean that new capabilities can’t be built into your system by agency employees – but you can’t be forced under a TAN to build any new capabilities into software, hardware or data storage mechanisms yourself.
Some additional requirements of a TAN are:
- it must be approved by the head of an agency;
- it must (in most cases) be given in writing;
- you must be advised of your obligations under the TAN and your right to make a complaint;
- the requirements of the notice must be ‘reasonable’ and ‘proportionate’; and
- compliance with the notice must be ‘practicable’ and ‘technically feasible’.
You’ll notice the requirements of those last two dot points are becoming a common theme in these notices. We’ll spend some time on them later, as they present viable routes for disputing a notice.
Intelligence Rules – Technical Capability Notices
The final type of notice allowed by the Intelligence Rules is a Technical Capability Notice (TCN). This is by far the most invasive of all three, as it effectively requires people to build exploits and vulnerabilities directly into their software (or hardware) to ‘assist’ a government agency on a prolonged basis. The same requirements of both the TAR and TAN apply to these notices, in that they must meet both the relevant objectives test and the listed act or thing test, as well as being reasonable, proportionate and technically feasible. There are, however, some differences.
For starters, you’ll be required to implement solutions that meet the surveillance and access requirements of the agencies. Similar to the manner in which a service company or professional receives a brief from their client regarding what they need done, a TCN will act as a brief from an agency setting out what they need you to do on your system. Some ‘briefs’ which would be permissible for a TCN include (but certainly aren’t limited to):
- building a program which can decrypt and feed all communications between users of a platform directly to an agency, without the knowledge of the user;
- requiring that all key pairs used in a platform to encrypt user data are stored in a central repository where the agency has access;
- requiring a software company to re-engineer their software to use an ‘agency approved’ data management service or solution; and
- requiring any company which uses software for its day to day business to cease using a particular type of software and swap to another system which can be ‘appropriately’ monitored.
While it’s been said that this Bill doesn’t require organisations to ‘break’ encryption, it can neatly side-step the issue with a TCN. Should an agency discover that software (or hardware) has some form of encryption which prevents you from breaking it yourself, they can simply ask you to build a new system which gives you, and by extension them, the keys.
So to return to our previous example of a company that has been served with a TAN and can’t decrypt files uploaded by their users, the next logical step for that agency would be to serve them with a TCN. This would allow the agency to compel them to create an entirely new data management system which doesn’t allow for end-to-end encryption of user data. The company would be required to develop this software using their own resources (although there is provision within the Bill for the agency to pay some costs associated with development) and undertake the difficult task of migrating data from one platform to another without the knowledge of their users.
Why can’t they let their users know? The Bill specifically prohibits anyone indicating they’ve been subject to a notice or made changes to their software because of one. If they were to have a crisis of conscience and inform their users that their previously secure data is now compromised and potentially vulnerable, they’d be liable for heavy fines and up to 10 years imprisonment.
In essence, TCNs give agencies the ability to compel companies and individuals to perform surveillance on their behalf. It forces private companies to become pseudo-spy organisations, jettisoning the traditional separation between companies and government in our society for an arrangement more akin to the state-sponsored ‘companies’ of Soviet Russia and communist China.
Prior to this Bill, agencies had their own digital surveillance methods, which relied on programs and software they’d written. Investigations worked in a similar manner – through a system of requests and warrants. The TCN scheme forces you to allow your systems (or those of your employer) to be repurposed as an invasive surveillance instrument without the knowledge of your users, clients or consortium members.
There’s also no hard limit on what can be requested by a notice. If an agency feels that their request doesn’t meet the (very) wide definition of an act or thing, it may petition the Home Affairs Minister (a new position and department only formed in 2017) to approve their expanded definition.
It’s not all doom and gloom however. There are some checks and balances which may be at your disposal which we’ll investigate a little later.
Police Rules – Computer Access Warrants
While law enforcement agencies are granted powers similar to those of the TAN and TCN under the Bill, they are required to follow a more traditional ‘warrant’ process to get them. The Bill dubs the new type of warrant ‘Computer Access Warrants’ (CAWs). Creative, I know. When granted, a CAW affords officers the following powers:
- entry to a premises on which there is a computer or any other equipment to which the warrant relates;
- use of the computer, facility, equipment or data storage device at any time for the purpose of obtaining data on that device;
- adding, copying, deleting or altering data on a computer;
- intercepting communications on any system; and
- concealing the fact that anything has been done.
These Warrants can be applied for when investigating traditional offences, but also where an investigation relates to recovery orders, integrity operations or control orders. To be issued, the officer must (in most cases) demonstrate that access to data held on a computer is necessary to achieve one of the following:
- obtain evidence of an offence being committed;
- obtain the location of ‘relevant individuals’;
- protect against a terrorist act; or
- prevent ‘hostile activity’.
As opposed to the Intelligence Rules, which only require the tick of approval from a Department head, CAWs require the approval of a Judge. The Judge can only approve a CAW if he/she is satisfied that there’s reasonable grounds for the officer’s suspicion, and, in the case of a control order, that it would be likely to substantially assist in protecting or preventing a hostile or terrorist act. The Judge must also consider a number of other factors, including:
- the nature and gravity of the alleged offence;
- the extent to which the privacy of any person is likely to be affected;
- the existence of any alternate means of obtaining the information or evidence; and
- the value of the information likely to be obtained.
Once the warrant is issued however, the powers are markedly similar to those provided by the TANs and TCNs. The Bill also affords Police who access and potentially reprogram your software/hardware the additional power of concealing what they’ve done from you. Put simply, you may not know what’s been done to your software/hardware and won’t be entitled to find out – which is a huge issue for any company with a digital presence.
Prohibitions and Punishments
Given the alarming powers afforded by the Bill, legislators were understandably paranoid that people might do anything they could to avoid complying with notices. As a result, there’s a number of prohibitions and penalties within the Bill designed to ensure that people follow orders – just like good surveillance surrogates should. We’ll deal with several of the most important here.
If you’re served with either a TAN or TCN, the Bill states you must comply with all requirements to the extent which you’re capable of doing so. If it’s judged that you’re not, you’re liable for a fine of $10,000,000 (for a company) or $50,000.00 (for an individual).
If you’re a designated communications provider (or an employee/contractor of one) and you disclose any information about a TAR, TAN or TCN to a third party, you’re liable for up to 5 years in prison. This includes information which was obtained in accordance with any notice – which means that even if you don’t know about the notice itself, but you inadvertently disclose information to which that notice relates, you can still be charged and imprisoned.
If you think this sounds a little ambiguous, you’d be correct. We’ll deal with this more in the “What Should I Do” section later.
If you’ve been served with a CAW and you fail to comply to the standard required by an officer, you’re liable for imprisonment for up to 5 years and a fine of approximately $63,000.00. If your non-compliance relates to an investigation of what they consider a serious offence (including terrorism) you can double both of those penalties.
All this seems very serious, and there’s definitely not much here to be happy about. However, there are some limitations on what agencies and law enforcement are allowed to do.
Limitations of Notices and Warrants
When the first draft of the Bill was released, there were only some paltry limitations on the powers of the agencies. Thankfully, there are now several limitations and avenues for dispute within the Bill.
That being said, it remains to be seen how useful these will be given the secrecy requirements and the pressure that may be brought to bear when notices are served. For that reason, it’s vitally important that you’re aware of the limitations so that if you are served with a notice, you can assess it against the requirements and formulate an appropriate response.
Systemic Weaknesses and Vulnerabilities, Security and Material Risks
The biggest criticism when this Bill was introduced was that notices, particularly TCNs, could force businesses to implement systemic weaknesses or vulnerabilities in their software to accommodate the demands of the agencies. While these would serve the purposes of the Bill, they’d also create some glaring chinks in company cybersecurity armour which they’d be prohibited from repairing.
Malicious actors usually only require a small weakness to force themselves into a network or system, so companies were rightfully concerned that the Bill would make any business with a presence in Australia an irresistible target. Potential customers would be very hesitant to use Australian software for the same reason.
In response to these concerns, a new section was introduced into the Bill, which to summarise, states that notices can’t have the effect of either:
- requiring a provider to build systemic weaknesses or vulnerabilities into a form of electronic protection; or
- preventing providers from rectifying a weakness or vulnerability caused by a notice.
The Bill also now specifies that building new decryption capabilities in electronic protections, or rendering systemic methods of authentication or encryption less effective, is not permissible. This includes any acts or things which will:
- jeopardise the security of any information held by another person; or
- create a ‘material risk’ that data could be accessed by an unauthorised third party.
When weighed against the earlier sections of the Bill, it’s difficult to conceive of any instance where a notice wouldn’t require the creation of a systemic weakness or vulnerability within a system. Just as difficult is picturing a notice which didn’t require jeopardising the security of others or creating a material risk that data could be accessed by an unauthorised third party.
That the Bill made it all the way through both houses with such an obvious contradiction between the requirements of notices and these types of prohibitions is deeply concerning. It means that any dispute over a notice will likely devolve into an argument about whether its requirements constitute a vulnerability, weakness or risk. These arguments are almost always solved only one way – with a long and protracted court battle.
I must say that I think it’s very unlikely agencies will consider that most of their requirements meet these tests. Given the issues with the dispute mechanisms (covered below), these limitations may not be worth the paper they’re written on until you take it all the way to court.
I’ll share some strategies for giving yourself the best chance to access these protections in the “What Can I Do” section later.
The Bill also stipulates that any notices which require something which, under specific legislation, would usually require a warrant (mainly Acts which are concerned with covert surveillance) will be invalid without one.
Importantly, there’s no requirement on who a warrant must relate to – it’s simply enough that there’s a valid warrant for something and the notice may help in enforcing that. This means that, should you seek to rely on this exception, it would be sufficient for an agency to state that there’s an active warrant currently issued which concerns national security and this may help with it. In my view it would still be worth raising a dispute on these grounds, but it’s unlikely that this limitation will hold much protection.
As is often the case in this Bill, this requirement can also be waived if it’s deemed to relate to serious criminal offences or matters of national security. Surprise, surprise.
Interference and Loss
Under the Police Rules, officers aren’t permitted to materially interfere with, interrupt or obstruct the lawful use of software or a computer – or cause material loss or damage to others lawfully using it – unless they deem that it’s ‘necessary’. As with the notices, many (if not most) of the proposed uses for Police powers under the Bill could be considered ‘material interference’ or ‘potentially causing loss or damage’ to users.
There are provisions in the Bill which require the agency serving a notice to pay some of the costs associated with compliance – provided that you don’t profit in any way from compliance. Given what the Bill requires this would seem difficult, but it’d nevertheless be prudent to ensure you don’t turn compliance to your commercial advantage.
Should an agency refuse to pay for your costs in complying, you may elect to have an arbitrator or costs negotiator appointed to settle the issue.
This Bill has a number of small but powerful provisions tucked away in its 220 pages – but none might raise more eyebrows than the provision regarding members of Parliament. While the rest of Australia (and in many cases, the world) is subject to the new legislation, the only people who are expressly excluded from everything in the Bill are the very people who rushed it through Parliament in the first place – the politicians.
It’s not a big deal though – it’s common knowledge that our politicians are the most trustworthy and transparent of anyone in our society. I for one am glad they have blanket immunity.
Are There Any Avenues for Dispute?
It’s not all bad news though. Australian administrative principles require mechanisms for review within all legislation. It’s no different with this Bill – and there are avenues for dispute which are generally similar for each type of notice. Through these avenues, you can attempt to have a notice varied, re-issued or revoked.
Of course, the nature of this Bill means that all disputes will be conducted behind closed doors, and the official who originally signed off on the notice will usually also be responsible for assessing the merits of your argument. Nevertheless, a good administrative appeal strategy is your primary defence against a notice or warrant – so it’s important to know your options.
Prior to serving a TAN or TCN, the agency is required to consult directly with you – except in cases of urgency or where a decision maker (like the Director-General or Attorney-General) waives compliance. This means that there’s a chance you may be consulted before being served with a notice.
If you are consulted, don’t let the opportunity pass you by – the period runs for 28 days and is the perfect time to get a competent legal advisor on board and lobby heavily to prevent the notice. If the consultation period is waived, it would be prudent to request the evidence for why a consultation period was considered unnecessary.
Where you’re afforded the courtesy of a consultation before you’re served with a TCN, you’ll have the extra option of requesting an assessment. An assessment must be carried out by three third-party assessors, one of which must be a former judge with at least five years’ experience, and will weigh the TCN against the requirements of the Bill, including those relating to systemic vulnerabilities.
As usual, there is a catch – the agency will get to choose the assessors. So while the odds are still stacked very much in the agency’s favour, you’ll have at least one quasi-independent party assessing the notice. In practice, it’s likely that agencies will use the latitude afforded them to simply side-step the whole consultation and assessment requirements wherever possible.
Requirements not reasonable and proportionate
The most promising option for dispute once a notice has been served is a submission detailing why the notice requirements aren’t reasonable or proportionate. The Bill doesn’t elaborate much on what may be ‘reasonable’ or ‘proportionate’, which means your submissions will need to contemplate what these both may mean before detailing why the notice doesn’t meet the bar.
There are some factors listed in the Bill which the agency can consider in relation to your response. These involve weighing the demands of the notice (and your submissions) against a number of listed interests, including:
- national security;
- law enforcement;
- the provider (you);
- the ‘legitimate expectations‘ of the Australian community in relation to privacy and security; and
- anything else which is considered relevant.
As usual, there’s plenty of ambiguity and subjective judgement. This is both a blessing and curse when dealing with administrative disputes. On one hand, it gives you (and your lawyer) significant room to make detailed submissions, pulling in expert opinions and listing why complying with the notice is an incredibly bad idea. On the other hand, it gives the agency leeway to consider your submissions, weigh them against the other interests and continue on regardless.
Compliance with the notice is not practicable and technically feasible
The second option for dispute is a submission which holds that complying with a notice is not practicable or technically feasible. Demonstrating this is quite straightforward – you must show how it’s not practical or technically possible to do what the notice is asking you to do. In my view, this is of particular relevance to organisations which are being asked to build functionality which breaks or circumvents encryption in their applications, particularly where that encryption is zero-knowledge and/or end-to-end.
As with the reasonable and proportionate submission, demonstrating that the notice requirements are not practicable or feasible will require significant evidence and expert opinion. Keep in mind that any dispute could incorporate both options, as well as the other factors we’ve listed earlier (like the systemic vulnerabilities and material risks).
Administrative review is a murky process at the best of times, and disputes under this Bill will be no different. Since the consequences of an unsuccessful dispute will be to breach customer trust, build exploits into your software or generally do things your clients (or board of directors) would be very unhappy about, it’s imperative that you get qualified assistance in drafting any kind of submission.
Can I Be Sued For Exploits, Hacks and Thefts Which Occurred Due to a Notice or Warrant?
In complying with a notice, you may be forced to implement changes in your business which could result in a critical breach of security, theft of data or hack. TCNs particularly may require you to leave a permanent ‘back door’ or to install closed-source software which may not be aggressively patched.
When things go wrong and an incident occurs which affects your clients or customers, they’ll likely assume you didn’t implement sufficient security measures to protect their data and commence legal proceedings. Tucked away in the Bill is an ‘immunity’ provision which states that a provider (and their employees or agents) can’t be held liable by a third party for anything done to comply with a TAN or TCN. The same exemption doesn’t apply to a TRN though, which is another reason to never comply with a voluntary notice, as you won’t be protected should a civil suit eventuate.
There are some difficulties with this defence of course. First, when a breach or theft happens you won’t be able to make a press release blaming a notice – that would be breaching the secrecy provisions. This will mean you’ll need to manage any dispute or defend any legal action until such time as you’re able to communicate that it was because of a notice without breaching the gag provisions. This may not be possible until well into the process.
Worse (and perhaps most problematically), you’ll need to prove that the issue occurred because of the notice and not from a lack of adequate security measures within your own organisation. This will likely involve detailed analysis of your code, network and systems by an expert security firm, which would be expensive and time consuming (and potentially illegal, given that you would be, again, sharing the fact you’ve been served with a notice). It will also probably require evidence of the notice itself (and any conversations surrounding it), something you’re prohibited to share without the express permission from the agency.
Relying on the agency to help you out in the event of a dispute is not somewhere you want to be, so your best option will always be successfully fighting a notice with the agency at the beginning. If you can’t, there are some things you can do to both minimise the chance of civil action and deal with any legal disputes efficiently. I’ll cover strategies for both fighting a notice and managing civil claims in the “What Should I Do?” section.
What does this all mean?
If you’ve made it this far, you’ve realised that the potential consequences of this Bill are sobering. The few industry bodies who were able to get submissions into Parliament before the very short ‘consultation’ period ended thought the same. For example, the Electronic Frontiers Foundation’s submission was suitably scathing:
“We have numerous serious concerns with this Bill, in particular that it:
1. Introduces a seemingly scopeless definition of “designated communication providers”;
2. Increases the obligations on communication providers to assist with law enforcement agencies;
3. Introduces covert computer access warrants enabling law enforcement to search computers and electronic devices without an individual’s knowledge; and
4. Increases the powers of law enforcement to use and apply the currently available search and seizure warrants.”
Likewise, Apple had this to say in their submission:
The devices you carry not only contain personal emails, health information and photos but are also conduits to corporations, infrastructure and other critical services. Vital infrastructure — like power grids and transportation hubs — become more vulnerable when individual devices get hacked. Criminals and terrorists who want to infiltrate systems and disrupt sensitive networks may start their attacks by accessing just one person’s smartphone.
In the face of these threats, this is no time to weaken encryption. There is profound risk of making criminals’ jobs easier, not harder. Increasingly stronger — not weaker — encryption is the best way to protect against these threats.
…We also challenge the idea that weakening encryption is necessary to aid law enforcement.
Apple also detailed several specific concerns, including:
- Overly broad powers for authorities;
- Mandated weakening of cybersecurity and encryption;
- Insufficient judicial oversight;
- Determinations are based on the government’s subjective views;
- Unnecessary secrecy requirements; and
- Extraterritorial and global impacts.
Vanessa Teague and Chris Culnane of the Applied Cryptography Academics stated in their response that an important misconception of the Bill was that Australian authorities would be able to “adequately assess the unintended security consequences of their technical changes.“
Apple’s list of concerns provides a good summary of the main problems with this Bill. The powers conferred upon authorities are incredibly broad, and smack of a totalitarian approach to law enforcement that we’ve not seen before in Australia. While we should be taking measures to make the investigation and capture of serious criminals easier, this legislation goes so much further than requests for chat logs or location information. It should also not be done at the expense of the rest of us.
There’s little doubt that any TAN or TCN served on a company would require it to avoid, weaken or otherwise negatively alter their cybersecurity and encryption strategies. TCNs particularly will make it almost impossible for a company to effectively secure their software, as they’ll be forced to leave deliberate vulnerabilities in their systems which allow privileged external access.
Given the prevalence of high-value hacks and data theft we’ve seen recently (for example, Marriott’s recent breach of ~300 million accounts), following a notice will be like leaving your back door unlocked in a high-crime district. You wouldn’t be asking for it, but you might as well be.
We must also consider how the human factor plays into legislation like this. It’s well documented that governments typically aren’t that great at keeping data secure. From employees leaving laptops on public transport to plugging in USB drives which they’ve found in a car park, things often go wrong not because of the technology itself but the humans involved in managing it.
Prior to this legislation, private companies didn’t have to include government employees in their threat modelling. Now, they may hold high volumes of very sensitive data – data that, if it found its way into the wrong hands, would represent significant liability for the originating company. There’s no guarantee in this Bill that appropriate security measures or training will be implemented in these agencies, nor is there any recourse if these agencies do lose or leak the data.
Regardless of how it happens, when someone does suffer a data breach, they’ll be answerable to their customers. While some customers may be understanding, the more egregious the damage, the more likely the company is to face legal action.
Usually in these circumstances you could pull out the notice which you were required to comply with, attach that to a defence and tell your former customers to sue the Government. Unfortunately, the secrecy provisions mean that any disclosure of that notice could land you with heavy fines and prison for up to 5 years. While there are other options (covered earlier) and there are some provisions which allow disclosure, things are murky on how to properly engage them. That’s not to mention the potential reputational damage a perceived breach can cause – even if you’re later exonerated.
What Should I Do?
All hope is not lost, however. As with most things in life, preparation is half the battle – and in this case, it may prove the difference between being forced to comply with a notice and having reasonable grounds for a successful dispute.
I’m going to split my advice on minimising risk and preparing for a notice into two sections here. The first will be for those that own, manage or make decisions for businesses which have an online, digital or technological element to them. The second is for everyone else – individuals, employees and contractors.
Owners, Managers and Decision Makers
For owners, managers or decision makers of organisations, particularly those based in Australia, these are some measures you can take now to minimise the impact of the Bill:
- Consider engaging a cybersecurity firm to undertake a full review of your software and hardware, with the aim of hardening them as much as possible. Concurrently, have them write a report which includes an analysis of the effect of complying with a notice and weakening your data security. Request that they specifically contemplate whether changing your security or creating ‘backdoors’ would systematically weaken your security. In the event that you’re served with a notice, you’ll be able to use this report in filing your dispute. It can also be tendered at a later date if the agency denies your dispute and you’re forced to seek an injunction from a Court.
- Review your agreements with clients, suppliers and partners so that each one:
  - references the Bill;
  - states what your obligations are;
  - lists what you may be forced to share;
  - signposts that you may have to keep things secret; and
  - requires other parties to agree that they won’t hold you liable for any issues relating to a notice.
- Wherever possible, put measures in place to monitor your software for unauthorised alterations and suspicious activity from your employees. The Bill gives authorities the power to compel employees to make changes without the knowledge or involvement of anyone else in a company. If you’re unaware of the existence of a notice, you must treat any unauthorised alterations as a cyberattack and deal with it accordingly.
- Have a lawyer who’s well-versed in this Bill (and administrative law generally) on hand. These notices shouldn’t be followed without seriously considering a dispute. Not only may they put your business at significant risk, but the notice may not be compliant with the requirements of the Bill. The dispute and review mechanisms can at the very least delay, and if you’re fortunate, entirely scuttle a notice, so you shouldn’t let that opportunity pass you by. Just remember that you’re on the clock once you’ve been served.
- For any company or individual who provides you services and/or does work for you which involves technology or software, require they guarantee that they haven’t been served with a notice. While they won’t be able to give the guarantee if they have, the Bill can’t force anyone to lie either, meaning that a refusal to provide this guarantee is confirmation enough.
- Make sure your insurer understands the implications of this legislation, and insures you fully for any costs arising from it.
- Choose companies which operate outside the Five Eyes for storing sensitive data & correspondence. I’d recommend organisations based in countries which have strong individual privacy laws like Switzerland.
- Investigate if there’s a way to outsource parts of your data management services to an external, international third party who can’t be compelled by anyone (including you) to break their data protection or encryption.
- If the above isn’t an option, consider using only ‘end-to-end’ and ‘zero-knowledge’ encryption methods in your software.
- It may also be time to consider moving parts of your business off-shore. Keep in mind, however, that as long as at least one employee remains in Australia, they can be compelled to follow the requirements of a notice.
I’d also like to give a special mention to cybersecurity firms. I’m not sure if agencies have considered this yet, but focusing on professional security firms who handle protection for a number of businesses would be a very efficient way to use their notices. If you do run or manage a cybersecurity firm, it’s imperative you make it as hard as possible for one of these notices to stick.
If you were to code vulnerabilities and security backdoors into your clients’ systems, especially without their knowledge, you’d be on very shaky ethical ground. I have serious doubts that the civil protections would apply to you in this case. At the very least, I recommend you update your agreements with your clients to state that if you’re served with a notice, you’ll end your agreement with them rather than program vulnerabilities and/or breach data without their knowledge.
Individuals, Contractors & Employees
For individuals, contractors and employees, your threat model is (in some ways) more complex. First, you need to be very careful about who you trust your data with and what you store on at-risk platforms. You also need to consider what you’ll do if you’re served with a notice – particularly if you’re told to compromise an organisation that you work for without their knowledge.
These are some measures you can take to minimise the impact of the Bill on your personal data:
- Use end-to-end encrypted services like Signal and VeraCrypt wherever you can, preferably ones that are open source. ‘Open source’ simply means that all code is publicly available and can be reviewed by everyone.
- Don’t use hosted cloud storage like Google Drive, Dropbox or OneDrive for anything important. I cannot stress this one enough. All three companies have complete access to your files on these platforms. If I were an agency, they would be top of my list for a TCN which requires similar privileged access. Instead, look at a self-hosted solution like the incredibly versatile, open-source Nextcloud. Be sure to encrypt it and store your keys somewhere safe.
- Avoid hosted email services like Gmail and Outlook. It’s well known that employees of both can access and read everything in your inbox. Instead, host your own email servers wherever possible, or use a hosted service based in a privacy-respecting country, like ProtonMail (based in Switzerland).
- Don’t use mainstream social media services like Facebook, Twitter and LinkedIn to communicate anything important or private.
- Avoid ‘smart-home’ devices like Google Home and Amazon Alexa (unless you like having a live wiretap listening to everything in your house, of course).
These are some measures you can take to minimise the impact of the Bill on your professional life:
- Make sure your employment contract or contractor’s agreement deals with what must be done if you’re served with a notice, including absolving you from any liability to the company for actions you’re forced to take.
- For web developers, consultants, project managers and other ‘blended’ contractors, you may need to consider getting some short form advice from a lawyer and/or a security firm about why a notice would put you in a conflict of interest with your employer – and why compliance would not be practicable or feasible.
- Make sure your income insurance contemplates you needing to quit your job due to conflict of interest arising from a notice, and provides you complete protection until you find another job. If the insurer gives you trouble when you call them, send them to this article!
- If you work in an area where you have significant administrative privileges and autonomy over management of sensitive data, try to avoid advertising that fact publicly.
No matter what you do, getting served with a notice can be daunting. I’d recommend that your first step in every case is to get in touch with a legal representative that you trust and are confident has experience with this kind of issue. These things are always manageable, and once the initial shock wears off, you can come up with a response strategy.
At this early stage, the full impact of this legislation is hard to guess. We’re not helped by the fact that most of this will go on in secret, completely away from the public eye. There’s little doubt that some companies have already been served with notices, and that more will be coming once intelligence agencies adjust their strategies to contemplate their expansive new powers.
I’ve limited my advice in this article to dealing with the Bill on its merits, but it’s clear that it should never have passed. It represents either a total disregard for digital privacy and security on the part of Australian politicians or an inexcusable ignorance of technical realities. While I’m not sure it will do any good, if you’re in Australia I’d encourage you to write to your local Federal member and express your concerns.
As I’ve reiterated throughout, preparation is your best weapon when it comes to protecting yourself, and your business, against this Bill. The steps you take now may prevent a lot of pain down the road and (hopefully) let you sleep a little easier at night.
If you do have more questions, or need help in preparing for or dealing with a notice, please don’t hesitate to reach out.
Matt is a lawyer, consultant, podcast host and speaker. His passion is helping individuals and businesses understand, manage and overcome the challenges of doing business in the digital age.
He advises companies on many aspects of business and technology law, with a particular focus on commercial relationships, cyber security, risk management, compliance and brand protection. He also runs a podcast, hosts a meetup and consults in the area of blockchain technology.
If you’re looking for legal advice, please get in touch below.
* Note – The views expressed here are my own and are opinion only. They don’t constitute legal advice, and shouldn’t be relied upon without first obtaining specific legal advice catered to your situation. Neither do they constitute the views of any other party, including any employer or company.