Australia’s encryption laws are ‘highly unlikely’ to dragoon employees in secret
Software developers fear that Australia’s new encryption laws can force them to secretly add malware and backdoors to their employers’ products and services. These fears are largely unfounded, say experts.
These fears appear to stem from the wording of section 317C(b)(6) of the Assistance and Access Act [PDF].
The Act defines three kinds of notices that can be served on what are called “designated communications providers”.
- Technical Assistance Requests (TAR), which are “voluntary” requests for the designated communications providers to use their existing capabilities to access user communications;
- Technical Assistance Notices (TAN), which are compulsory notices to use an existing capability; and
- Technical Capability Notices (TCN), which are compulsory notices for a designated communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices.
Section 317C(b)(6) says that one kind of designated communications provider is a “person” that “develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end-users in Australia”.
Section 317D(1)(a) then explains that “electronic service” includes “a service that delivers material to persons having equipment appropriate for receiving that material, where the delivery of the service is by means of a carriage service”, and according to section 317D(2), “service includes a website”.
But according to a Department of Home Affairs staffer who drafted the new laws, a compulsory Technical Capability Notice (TCN) cannot be served on individuals within a corporation.
“The corporate entity is the endpoint there. So we can’t require, say, an employee of that at all to be operating under a secret notice that [their employer] is ignorant of,” Adam Ingle told the Crypto 2018 Workshop on Encryption and Surveillance in August.
“It does have the ability to be served on individuals and corporations, but only when those individuals are their own separate entity.”
Ingle also pushed back against the fear that designated communications providers can be forced to develop whatever malware or backdoors agencies wanted.
“If the industry and government would reach a solution that would enable access that doesn’t go to removing electronic protection, and doesn’t attract that prohibition against systemic weaknesses and vulnerabilities, if the industry player was mindful to challenge that, there’s a very robust judicial review process in Australia,” Ingle said.
“They can very well go to the courts and determine that arguably this notice is not reasonable, proportionate, technically feasible, [or] practical, or say that it will introduce a systemic vulnerability, and is therefore unlawful.
Unlike the UK equivalents, an Australian TAR or TAN cannot force the removal of electronic protection such as encryption or authentication mechanisms, interception capabilities to be made, or data retention capabilities to be made.
“They actually are a more limited power, and what they can do is set out explicitly in the primary legislation, rather than regulations themselves, so parliament will need to scrutinise any additional things,” Ingle said.
Developers have also latched onto the wording of section 114 in Schedule 2 of the Assistance and Access Act, which is headed by: “Person[s] with knowledge of a computer or a computer system to assist access etc”.
This schedule refers to assistance from persons such as “an employee of the owner or lessee of the computer or device”, “a person who is or was a system administrator for the system including the computer or device”, and even “a person who uses or has used the computer or device”.
However this schedule is about amendments to the rules applied to devices which are subject to computer access warrants, something entirely separate from the TAR/TAN/TCN regime.
According to Elizabeth O’Shea, a lawyer and board member of Digital Rights Watch, a TAN or TCN can be given to a person if they fit the definition in the Act, and that includes “natural persons”, the legal term for individuals as opposed to corporate persons like an incorporate company, but she downplays the fears.
“It is highly unlikely, however, that an individual employee would be a recipient of a notice (other than as an officer for the company), and even if the employee was the recipient, that he or she would be prohibited from disclosing information about the notice to others in the company,” she told ZDNet.
O’Shea doubts that an agency will utilise the notices in this manner for two reasons.
First, the regime only requires that someone comply to the extent they are capable of doing so, as outlined in sections 317ZA and 317ZB.
“It would probably be difficult for a person to do the act or thing required by the notice alone,” she said.
Second, the regime allows for disclosures about the notice for the administration or execution of the notice.
“It would seem very unlikely therefore that an individual employee would be given a notice in circumstances where the company would have no knowledge of the notice,” O’Shea said.
“It does remain technically possible however, even if this was not the intention of the drafters. Given the broad definition of acts or things that can be required to be done by a notice, it is not impossible to imagine something like this happening at some point, so if the drafters did not intend it, they should have drafted it differently.”
Australia’s encryption laws don’t breach GDPR
Some developers have also been concerned that they’d be forced to perform acts that would breach Europe’s strict General Data Protection Regulation (GDPR), but that’s not the case, according to Anna Johnston, director of Sallinger Privacy.
In using GDPR terminology, there are six grounds on which personal data can be lawfully “processed”, as defined in Article 6. One of those, Article 6.1(c), is “to the extent that … processing is necessary for compliance with a legal obligation to which the controller [the entity that controls the personal data] is subject”.
Also, Article 2.1(d) says that the GDPR doesn’t apply at all to “the processing of personal data … by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences … including the safeguarding against and the prevention of threats to public security”.
Each European Union nation has its own definition of “competent authorities”, but essentially they are statutorily authorised law enforcement and national security agencies operating under the rather complicated limits defined in Directive (EU) 2016/680.
“Whether you are talking about the GDPR or the Australian Privacy Act, privacy laws set limitations on when personal information can be used or disclosed by an organisation. However, those limitations will be overridden where a use or disclosure is necessary in order to comply with other legislation,” Johnston told ZDNet.