NICOLE MURDOCH
BEng(Elec), J.D. (Hons 1), MIP, FIPTA
• Principal, EAGLEGATE Lawyers
• Director, Australian Information Security Association (AISA)
• Registered Trade Marks Attorney
eaglegate.com.au
nmurdoch@eaglegate.com.au
+61 7 3862 2271
linkedin.com/in/nicolemurdoch/
KEY TAKEAWAYS
1. Overview of the Assistance and Access Act (AA Act)
2. Who it applies to
3. Types of assistance
4. Criticism
5. GDPR Issues
6. Comparisons to Patriot Act (USA)
THE ASSISTANCE AND ACCESS ACT
1. Compels entities involved in the telecommunications supply chain to provide access to data, even if that data is encrypted
2. Very broad scope of "designated communications providers" (DCPs)
3. A DCP can be notified in three ways:
  1. Technical Assistance Request (TAR); or
  2. Technical Assistance Notice (TAN); or
  3. Technical Capability Notice (TCN).
4. No guarantee you will know that a DCP in your supply chain has received a TAR, TAN or TCN
5. Offence provisions for disclosing a request or notice
6. Some judicial review available through the Federal Court of Australia (FCA); only limited internal review
DESIGNATED COMMUNICATIONS PROVIDERS
• Carriers – the owners of telecommunications network infrastructure in Australia
  • Examples: Optus, Telstra, Vodafone, TPG
• Carriage Service Providers – entities that sell telecommunications services delivered over Carrier networks in Australia
  • Examples: iiNet, NBN Co, Verizon, Vocus Fibre, Uecomm, AAPT
• Network Facilitators – any entity that manufactures, supplies, operates or maintains telecommunications network infrastructure, or components used in that infrastructure, in Australia
  • Examples: technical experts, contractors, maintenance crews
• Customer Equipment Facilitators – any entity that manufactures or supplies customer equipment for use, or that is likely to be used, in Australia
  • Examples: manufacturers and retailers of mobiles, modems and computing devices, circuit boards, subscriber identification modules (SIMs) or the memory units of a mobile device
• Websites and Messaging Applications – any entity that supplies "electronic services" (any service that allows end-users to access material using a Carriage Service) in Australia
  • Examples: Facebook, Instagram, WhatsApp, operators of websites and chat forums, secure messaging applications, hosting services (including cloud and web hosting), peer-to-peer sharing platforms and email distribution lists
• Service & Software Developers – any entity that provides services or software for use in connection with a Carriage Service or an "electronic service"
  • Examples: software developers, software suppliers, app developers
TAR & TAN
Under a TAR (voluntary) or a TAN (mandatory), a DCP may be asked (TAR) or required (TAN) to:
• decrypt communications, but only where the DCP already holds the encryption key;
• install, test, maintain or use agency software on an existing DCP network;
• modify the characteristics of a service, or substitute a service, provided by the DCP;
• facilitate access to a relevant facility, piece of equipment, device or service;
• provide a broad range of technical information:
  • includes "source code, network or service design plans, and the details of third party providers contributing to the delivery of a communications service, the configuration settings of network equipment and encryption schemes";
• "conceal the fact that agencies have undertaken a covert operation";
• notify any changes to, or developments of, the DCP's service that may be relevant to a warrant:
  • including notice of new or improved products and of new outsourcing or offshoring arrangements.
TCN
Under a TCN (mandatory), a DCP may be required to:
• build a capability to provide a type of assistance listed in the Act;
• do anything within the scope of a TAN
  • i.e. a TCN can also cover TAN-type assistance, so that duplicate notices are not needed.
LIMITATIONS
• A TAR, TAN or TCN must not have the effect of requesting or requiring the implementation or building of a "systemic vulnerability"
• BUT – "systemic vulnerability" is defined narrowly in s.317B:
  "a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified"
• Backlash from many tech companies regarding the wording of these provisions
  • e.g. the Apple v FBI "backdoor" dispute in the USA
JUDICIAL OVERSIGHT?
• Unlike a warrant, no judicial oversight
• TAR – approved/issued by the Director-General of Security (ASIO) or the Australian Signals Directorate
• TAN – approved/issued by the Director-General of Security or "the chief officer of an interception agency of a State or Territory"
• TCN – approved/issued by the Attorney-General only
  • must first be approved by the Minister for Communications, and the DCP must be consulted
PENALTIES
• A DCP is immune from civil liability when complying with a TAR, TAN or TCN
• DCPs are recommended to contract with the requesting agency regarding cost recovery
• Maximum civil penalty for a DCP = 47,619 penalty units (~$10 million)
• Unauthorised disclosure of information about a TAR, TAN or TCN, or of its existence = up to 5 years' imprisonment
APPEALS?
• Decisions under Part 15 are not subject to review under the ADJR Act, nor are they "made by a judicial officer"
• However, judicial review in the original jurisdiction of the High Court or the Federal Court of Australia, by operation of section 39B(1) of the Judiciary Act 1903 (Cth), is available
• Limited internal review:
  • If a TCN requires you to build a new capability, you can request that the TCN be assessed to determine whether it should have been given
  • The assessment is conducted by two assessors: a technical expert and a former judicial officer
  • Judicial review of that assessment decision is also available
CRITICISM
• Telstra – no civil immunity from system faults or service degradation
• Senetas – non-disclosure prevents public explanation
• Amazon – users expect products and services free from interference
• Australian Information Industry Association (members include Apple, Adobe, Cisco, Deloitte, Google, IBM et al.) – clash with the GDPR and overseas jurisdictions
• Mozilla – TCNs can be used against any user
• FastMail – tech companies are not qualified to evaluate due cause
• Apple – innovation is founded on strong device security
• AFP ABC raids – "In executing these search warrants, the AFP used section 3F of the Crimes Act, which was amended by schedule 3 of the Assistance and Access Act."
GDPR ISSUES
• To comply with a TCN or TAN ("build a capability" vs "systemic vulnerability"), a DCP must effectively breach the consumer protection standards in the GDPR
• The AA Act defence for breach of foreign law only applies to acts done outside Australia
  • Art 32 GDPR ("... implement appropriate technical and organisational measures to ensure a level of security appropriate ...") therefore still binds acts done within Australia
• Jurisdiction and conflict of laws – what if the targeted technology, software or communication to be decrypted is located, or partly located, in the EU?
• Civil immunity and cost recovery – only apply in Australia
• GDPR compliance teams – how do they evaluate compliance when the DCP is unable to disclose information about, or "about the mere existence of", a TAR, TAN or TCN?
PATRIOT ACT (NOW FREEDOM ACT)
• The Patriot Act was due to expire in 2015, but was renewed by the Freedom Act
• FBI and NSA vs ASIO and the Australian Signals Directorate
• Department of Homeland Security vs Home Affairs/Communications
• Also very broad in scope
• Access to financial transactions, emails, internet records, library records and the essays of university students on an undisclosed basis
• Detention of persons and searches of residential/business premises on an undisclosed basis