TELECOMMUNICATIONS AND OTHER LEGISLATION AMENDMENT (ASSISTANCE AND ACCESS) ACT 2018

(Otherwise referred to as TOLA, the AA Act or the encryption legislation.)

Late in 2018, the Federal Parliament passed controversial new laws that grant law enforcement and intelligence agencies a variety of powers to access data, metadata and communications of individuals. The Act also grants the ability to compel companies to assist in this purpose, including providing specific information or in some cases building infrastructure to help circumvent security measures (including encryption of data).

The intent of the legislation was to equip law enforcement and intelligence services to better combat serious crimes and threats to national security. However, the broad scope of the law and the lack of checks and balances, coupled with the speed with which the bill was passed, caused serious concerns for the technology sector.

THE PROCESS

A draft of the legislation that would become TOLA was released in August 2018. The bipartisan Parliamentary Joint Committee on Intelligence and Security (PJCIS) led a review of the draft, which included an expedited submission and consultation period, in order to release its report on December 5. The next day, the last sitting day of Parliament for 2018, the bill was introduced and passed through Parliament.

The bill was passed with bipartisan support despite Labor introducing amendments to the legislation and indicating it considered the legislation flawed. Labor withdrew those amendments in the Senate in order to allow the bill to be passed before Parliament rose for the summer break. There was significant pressure leveraged by the Government revolving around the risk of a serious threat to national security emerging over the long summer break immediately before an election to be held in the first half of 2019.

The pace at which the bill was pushed through Parliament took the tech sector by surprise. Local industry leaders took to the media to share their concerns and even international media dedicated column inches to the laws. Human rights and privacy organisations were also concerned about the new powers. Labor vowed to push for an amendment to the laws in the new year, and TOLA was submitted for a further review by PJCIS on December 17.

The long summer break was followed by an election campaign and ultimately an election in May 2019. Momentum for amending the legislation was fading. PJCIS was asked to conduct yet another, separate review, which it forwarded on to the Independent National Security Legislation Monitor (INSLM), Dr James Renwick. Dr Renwick subsequently pushed out the timeline for his report by six months, to June 2020. PJCIS’s report based on the INSLM analysis is now not expected until September 2020.

TOLA, which managed to go from a draft bill all the way through the first PJCIS review and then through Parliament within four months, is now facing a review period of almost two years before the Parliamentary Committee reports its findings, with no guarantee or timeline for amendment after that.

There were 105 submissions for the original review of the draft legislation, the vast majority of them expressing concerns about aspects of the bill. By the time the INSLM chose to extend the submission deadline for the latest review, it had received only 15 submissions from industry.

THE KEY POINTS IN OUR SUBMISSIONS HAVE BEEN:

1. REMOVE THE POSSIBILITY FOR INDIVIDUAL EMPLOYEES TO BE TARGETED

In its current form, our advice is that the legislation allows a Technical Capability Notice (TCN) to be issued to an individual within a company, without that individual being able to inform management. That would put individuals in an extremely difficult position. It also makes it extremely difficult for companies to assure potential investors and customers that their systems are fully secure.

The agencies empowered by this legislation have made it clear that this part of the legislation is intended to apply in a very limited way to sole traders and individuals acting alone and that they wouldn’t use these provisions to target individuals within larger organisations. Nevertheless, the possibility that, somewhere down the track, the legislation could be used in this way is unacceptable. Even the perception that it may be possible is harmful for the Australian technology brand, as Atlassian co-founder Scott Farquhar says is already happening for his business.

The good news is that industry and enforcement agencies seem to be aligned on the view that individuals working within a company should not be issued a TCN and that it should instead be issued to the company via management. Formal codification of this in the legislation would add clarity and certainty for companies and employees at no cost to the effect of the legislation.

“It would seem very unlikely that an individual employee would be given a notice in circumstances where the company would have no knowledge of the notice.

“It does remain technically possible however, even if this was not the intention of the drafters. Given the broad definition of acts or things that can be required to be done by a notice, it is not impossible to imagine something like this happening at some point, so if the drafters did not intend it, they should have drafted it differently.”

Elizabeth O’Shea, Director, Digital Rights Watch

2. REDUCE THE BROAD BASIS FOR EXECUTING THE POWERS OF THE ACT

While the justification for TOLA was that it was important for fighting paedophile rings and terrorists, the legislation allows for these powers to be used in the investigation of any crime with a maximum jail sentence of three years - essentially any non-trivial crime. In fact, the maximum penalty for unauthorised disclosure of information pertaining to this Act is five years jail time, qualifying it as a serious offence under the legislation. There is no requirement for the crime to be violent in nature.

What was sold as a critical tool for crisis situations involving the worst criminals may instead become part of the routine toolkit of law enforcement. Given the invasive nature of the powers bestowed under TOLA to access even highly secure personal data, it is appropriate they be restricted for use in only the most serious cases. As it stands, there is a risk that these powers will eventually be applied broadly.

3. REDUCE THE BREADTH OF ORGANISATIONS THAT MAY BE TARGETED 

Despite the Act clearly targeting communications between criminals, the definition of a communications provider is so broad that it essentially encompasses any digital product on the internet. Computer games, online shopping, business tools, databases, health and wellbeing products and any application on a smart phone are within the scope of the law. This has the effect of extending the application of the law beyond the boundaries necessary to capture the information required.

4. INCREASE OVERSIGHT AND PROVIDE LIMITS ON USE

Australia’s limited set of constitutionally-protected civil rights means that, unlike in the US and elsewhere, there is no individual right to privacy and/or protection against unreasonable search and seizure. That limits the ability to balance individual rights against the broad application of powers granted under TOLA. Judicial oversight of the process for issuing TCNs would help overcome this concern.

Additionally, terms in the Act designed to limit its power like ‘systematic vulnerability’ and ‘reasonable’ remain undefined. It is critical therefore that the Act include mechanisms for each TCN application to be subject to a rigorous, objective, merits-based review to ensure TOLA powers are used appropriately.

SUBMISSIONS FOR PJCIS REVIEW

STARTUPAUS ANALYSIS AND SUBMISSIONS

StartupAUS has made multiple submissions to the various reviews, attempting to represent a consensus view across Australian emerging technology. Our original submission was initially co-signed by a dozen leaders in the technology ecosystem:

Daniel Petre, Co-Founder & Partner, Airtree

Mike Cannon-Brookes & Scott Farquhar, Co-CEOs & Co-Founders, Atlassian

Niki Scevak, Partner, Blackbird

Katherine McConnell, CEO & Founder, Brighte

Didier Elzinga, CEO & Founder, Culture Amp

Melanie Perkins, CEO & Co-Founder, Canva

Cliff Obrecht, COO & Co-Founder, Canva

Matt Barrie, CEO & Founder, Freelancer

Sarah Moran, CEO & Co-Founder, Girl Geek Academy

Luke Anear, CEO & Founder, Safety Culture

Paul Bassat, CEO & Co-Founder, Square Peg Capital

Bede Moore, Executive Chairman, Tech Sydney

Richard White, CEO & Founder, WiseTech Global

Patrick Llewellyn, CEO, 99designs

Once our submission to PJCIS was initially made, 500 members of the Australian technology community expressed a desire to co-sign. Their names were added to the document and remain on all of our subsequent review submissions.
