A government's power to force a technology provider to build a “back door” into its technology so that security agencies can “listen in” to communications is very controversial, but it has not been the subject of much discussion because any recipient of such an intervention is gagged.
It was interesting to see that the Independent National Security Legislation Monitor has released a report on its review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (TOLA Act). The review considered, and provided recommendations on, the operation, effectiveness and implications of the TOLA Act and whether it is necessary, is proportionate to the threats it seeks to meet and treats human rights properly.
A quick recap: The TOLA Act was enacted in December 2018 with limited parliamentary scrutiny. It gives the police and intelligence agencies new powers to agree to, or require, significant industry assistance from “designated communications providers” (a concept defined very broadly to cover not just telecommunications companies but also device and application sellers).
Assistance may be agreed to or required through certain types of notices, such as a Technical Assistance Request, which is a formal request for assistance. A Technical Assistance Notice (TAN) is used where the provider already has technical means to provide access to law enforcement, and is issued by an agency head. A Technical Capability Notice (TCN) is a direction to implement a new capability in a product or service, and is issued by the Attorney-General with the concurrence of the Minister for Communications.
Currently, the notices can be issued without any independent oversight. The report recommends the TOLA Act be amended to remove the power to issue TANs and TCNs from the agency heads and the Attorney-General. This power should be given to a new statutory office to be established within the Administrative Appeals Tribunal. This amendment will protect classified information and allow independent rulings on technical questions, such as “systemic weakness”, and will “guarantee consideration of human rights, privacy and technical implications by the issuing authority”.
Other recommendations of the report include giving the State and Territory anti-corruption commissions the power to agree to, or apply for, the notices, and that a designated communications provider should not be taken to include a natural person (where that natural person is an employee of such a provider), but should only apply to natural persons insofar as required to capture sole traders.
With the theme of “trust but verify”, the report concludes that the TOLA Act is a necessary legislative response to “going dark” through encryption. But when it comes to other matters such as privacy, the absence of an independent decision-maker with access to technical advice so they fully understand the privacy and other implications is a matter of “real concern”. In order to achieve proportionality, the Australian Government will need to balance necessity with the greater need for “traditional safeguards” in the virtual world.