14 August 2018

Crypto and the Cth Telco 'Assistance and Access' Bill

The Australian Government has released the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Cth) "to secure critical assistance from the communications industry and enable law enforcement to effectively investigate serious crimes in the digital era", significantly extending the Telecommunications (Interception and Access) Act 1979 (Cth).
The Bill provides national security and law enforcement agencies with powers to respond to the challenges posed by the increasing use of encrypted communications and devices. The proposed changes are designed to help agencies access intelligible communications through a range of measures, including improved computer access warrants and enhanced obligations for industry to assist agencies in prescribed circumstances. This includes accessing communications at points where it is not encrypted. The safeguards and limitations in the Bill will ensure that communications providers cannot be compelled to build systemic weaknesses or vulnerabilities into their products that undermine the security of communications. Providers cannot be required to hand over telecommunications content and data.
The Bill seeks to amend the Telecommunications Act 1997 (Cth), Australian Security Intelligence Organisation Act 1979 (Cth), Mutual Assistance in Criminal Matters Act 1987 (Cth), Surveillance Devices Act 2004 (Cth), Telecommunications (Interception and Access) Act 1979 (Cth), International Criminal Court Act 2002 (Cth), International War Crimes Tribunals Act 1995 (Cth), Crimes Act 1914 (Cth), and Customs Act 1901 (Cth).

The 167-page background document states
... encrypted devices and applications are eroding the ability of our law enforcement and security agencies to access the intelligible data necessary to conduct investigations and gather evidence. 95 per cent of the Australian Security Intelligence Organisation's (ASIO) most dangerous counter-terrorism targets actively use encrypted messages to conceal their communications. 
In many instances encryption is incapable of being overcome, limiting possible avenues for agencies to gain important information. However, in some instances, law enforcement agencies may access data by employing specialist techniques to decrypt data, or access data at points where it is not encrypted. This can take considerable time. In order to do this more effectively, Australia’s agencies need assistance from companies and individuals involved in the supply of communications services and devices in Australia. Globalisation and the advent of the internet have significantly increased the volume of communications that cross national borders and crucial services and products are increasingly being sourced from offshore providers. The purpose of the Bill is to allow agencies to seek help from providers, both domestic and offshore, in the execution of their functions. The Bill also provides agencies with alternative-collection powers, allowing them, under warrant, to access devices. The Bill explicitly provides that the new industry assistance powers cannot be used to compel communications providers to build weaknesses into their products. Cyber security will be ensured and privacy will be protected through robust safeguards in the Bill and the existing warrant regime for access to telecommunications content. ... 
The Bill introduces a suite of measures that will improve the ability of agencies to access intelligible communications content and data. Three distinct reforms will help achieve this purpose:
1. Enhancing the obligations of domestic providers to give reasonable assistance to Australia’s key law enforcement and security agencies and, for the first time, extending assistance obligations to offshore providers supplying communications services and devices in Australia. 
2. Introducing new computer access warrants for law enforcement that will enable them to covertly obtain evidence directly from a device. 
3. Strengthening the ability of law enforcement and security authorities to overtly access data through the existing search and seizure warrants.
It goes on to state -
Under section 313 of the Telecommunications Act 1997 (Telecommunications Act), domestic carriers and carriage service providers are required to provide ‘such help as is reasonably necessary’ to law enforcement and national security agencies. 
Schedule 1 of the Bill will enhance industry-agency cooperation by introducing a new framework for industry assistance, to operate alongside section 313. The Bill introduces new powers for agencies to secure assistance from the full range of companies in the communications supply chain both within and outside Australia. In consultation with industry, national security and law enforcement agencies and the Attorney-General will be able to specify what assistance or capability is required. 
Specifically, the Bill inserts a new Part 15 into the Telecommunications Act. This Part will:
  • Provide a legal basis on which a ‘designated communications provider’ can provide voluntary assistance under a technical assistance request to assist ASIO, the Australian Secret Intelligence Service (ASIS) and the Australian Signals Directorate (ASD) and interception agencies in the performance of their functions relating to Australia’s national interests, the safeguarding of national security and the enforcement of the law. 
  • Allow the Director-General of Security, or the head of an interception agency, to issue a technical assistance notice requiring a designated communications provider to give assistance they are already capable of providing that is reasonable, proportionate, practicable and technically feasible. This will give agencies the flexibility to seek decryption in appropriate circumstances where providers have existing means to decrypt. This may be the case where a provider holds the encryption key to communications themselves (i.e. where communications are not end-to-end encrypted). 
  • Allow the Attorney-General to issue a technical capability notice, requiring a designated communications provider to build a new capability that will enable them to give assistance as specified in the legislation to ASIO and interception agencies. A technical capability notice cannot require a provider to build or implement a capability to remove electronic protection, such as encryption. The Attorney-General must be satisfied that any requirements are reasonable, proportionate, practicable and technically feasible. The Attorney-General must also consult with the affected provider prior to issuing a notice, and may also determine procedures and arrangements relating to requests for technical capability notices. ...
The types of assistance that may be requested or required under the above powers include (amongst other things):
  • Removing a form of electronic protection applied by the provider, if the provider has an existing capability to remove this protection. 
  • Providing technical information like the design specifications of a device or the characteristics of a service. 
  • Installing, maintaining, testing or using software or equipment given to a provider by an agency. 
  • Formatting information obtained under a warrant. 
  • Facilitating access to devices or services. 
  • Helping agencies test or develop their own systems and capabilities. 
  • Notifying agencies of major changes to their systems, productions or services that are relevant to the effective execution of a warrant or authorisation. 
  • Modifying or substituting a target service. 
  • Concealing the fact that agencies have undertaken a covert operation.
Assistance is expected to be provided on a no-profit, no-loss basis and immunities from civil liability are available for help given. The Bill maintains the default position that providers assisting Government should not absorb the cost of that assistance nor be subject to civil suit for things done in accordance with requests from Government. 
The new industry assistance framework is designed to incentivise cooperation from industry, providing a regime for the Australian Government and providers to work together to safeguard the public interest and protect national security. However, in the unlikely event that enforcement action is required, the Commonwealth can apply for enforcement remedies, like civil penalties, injunctions or enforceable undertakings. Enforcement of notices for carriers and carriage service providers will continue to be regulated by the Telecommunications Act. 
What are the limitations and safeguards? 
The new industry assistance framework has several important limitations and robust safeguards to protect the privacy of Australians, maintain the security of digital systems and ensure agency powers are utilised only where necessary for core law enforcement and security functions.
Reasonable, proportionate, practicable and technically feasible. In every case, the decision-maker must be satisfied that requirements in a technical assistance notice and technical capability notice are reasonable and proportionate and compliance with the notice is practicable and technically feasible. This means the decision-maker must evaluate the individual circumstances of each notice. In deciding whether a notice is reasonable and proportionate it is necessary for the decision-maker to consider both the interests of the agency and the interests of the provider. This includes the objectives of the agency, the availability of other means to reach those objectives, the likely benefits to an investigation and the likely business impact on the provider. The decision-maker must also consider wider public interests, such as any impact on privacy, cyber security and innocent third parties. In deciding whether compliance with the notice is practicable and technically feasible, the decision-maker must consider the systems utilised by a provider and provider expertise.
Agencies still need an underlying warrant or authorisation. The new framework is designed to facilitate industry assistance – not serve as an independent channel to obtain private communications. Importantly, Schedule 1 does not change the existing mechanisms that agencies use to lawfully access telecommunications content and data for investigations (see process diagram on page 12). New technical assistance notices and technical capability notices cannot require that providers hand over telecommunications content and data without an underlying warrant or authorisation. Access to this material will still require a warrant or authorisation under the Telecommunications (Interception and Access) Act 1979 (TIA Act). The TIA Act has strict statutory thresholds that must be met. For example, a judge or Administrative Appeals Tribunal (AAT) member can only issue a warrant authorising the interception of communications where he or she is satisfied that the intercepted information would assist in the investigation of a serious offence (generally offences punishable by at least 7 years – see section 5D of the TIA Act). The judge or AAT member must have regard to the nature and extent of interference with the person’s privacy, the gravity of the conduct constituting the offence, the extent to which information gathered under the warrant would be likely to assist an investigation, and other available methods of investigation. The TIA Act also has prohibitions on communicating, using and making records of communications. 
Systemic weaknesses or vulnerabilities cannot be implemented or built into products or services. 
The Bill expressly prohibits technical assistance notices or technical capability notices from requiring a provider to build or implement a systemic weakness or systemic vulnerability into a form of electronic protection. This includes systemic weaknesses that would render methods of authentication or encryption less effective. The Australian Government has no interest in undermining systems that protect the fundamental security of communications. The new powers will have no effect to the extent that requirements would reasonably make electronic services, devices or software vulnerable to interference by malicious actors. Importantly, a technical capability notice cannot require a provider to build a capability to remove electronic protection and puts beyond doubt that these notices cannot require the construction of decryption capabilities. 
Notices must be revoked if requirements cease to be reasonable. Decision-makers must revoke a technical assistance notice or technical capability notice if satisfied that any ongoing requirements are no longer reasonable, proportionate, practical or technically feasible. Accordingly, notices that have become obsolete or excessively burdensome must be discontinued. These same notices may be varied to account for changing commercial and operational circumstances. 
Agencies cannot prevent providers from fixing existing systemic weaknesses. Notices cannot prevent a provider from fixing a security flaw in their products and services that may be being exploited by law enforcement and security agencies. Providers can, and should, continue to update their products to ensure customers enjoy the most secure services available. 
Core interception and data retention will not be extended. The powers cannot be used to impose data retention capability or interception capability obligations. These will remain subject to existing legislative arrangements in the TIA Act. 
Assistance that may be requested is defined. The types of things a provider may be required to do under a technical assistance notice are listed in the Bill. While this list is not exhaustive, as it relates to technical assistance notices, anything specified in these notices must be consistent with the matters specified in the legislation. In the case of technical capability notices, new capabilities can only be developed to ensure that a provider is capable of giving help as specified (exhaustively) in the Bill.
The scope of agency notices is limited to core functions. Things specified in notices must be for the purpose of helping an agency perform its core functions conferred under law, as they specifically relate to:
  • enforcing the criminal law and laws imposing pecuniary penalties, or 
  • assisting the enforcement of the criminal laws in force in a foreign country, or 
  • protecting the public revenue, or 
  • safeguarding national security.
This will ensure that the scope of the powers is consistent with the purposes for which agencies currently seek assistance from domestic carriers and carriage service providers under section 313 of the Telecommunications Act.
Further
Schedule 2 of the Bill provides an additional power for Commonwealth, State and Territory law enforcement agencies to apply, in certain circumstances, for computer access warrants under the Surveillance Devices Act 2004, similar to those available to ASIO in section 25A of the ASIO Act. An eligible judge or AAT member must approve the warrant and authorise the activities that can be done under the warrant. 
A computer access warrant will enable law enforcement officers to search electronic devices and access content on those devices. These warrants are distinct from surveillance device warrants, which enable agencies to use software to monitor inputs and outputs from computers and other devices. 
The things that may be specified in a warrant include:
  • entering premises for the purposes of executing the warrant 
  • using the target computer, a telecommunications facility, electronic equipment or data storage device in order to access data to determine whether it is relevant and covered by the warrant 
  • adding, copying, deleting or altering data if necessary to access the data to determine whether it is relevant and covered by the warrant 
  • using any other computer if necessary to access the data (and adding, copying, deleting or altering data on that computer if necessary) 
  • removing a computer from premises for the purposes of executing the warrant 
  • copying data which has been obtained that is relevant and covered by the warrant 
  • intercepting a communication in order to execute the warrant 
  • any other thing reasonably incidental to the above things. 
A computer access warrant will also authorise the doing of anything reasonably necessary to conceal the fact that anything has been done in relation to a computer under a computer access warrant. Concealment activities may occur at any time while the warrant is in force, or within 28 days after it ceases to be in force, or at the earliest time after this period at which it is reasonably practicable to do so. 
Where a computer access warrant is in place, a law enforcement officer may apply to a judge or AAT member for an order requiring a person with knowledge of the device to provide reasonable and necessary assistance. This provision is similar to section 3LA of the Crimes Act, which allows a constable to apply to a magistrate for an order requiring a person to provide assistance where a search warrant is in place. This ensures that law enforcement agencies that have a warrant for computer access will be able to compel assistance in accessing devices.