Revisiting Australia's Encryption Landscape

Australia’s security agencies are voicing their concerns over extremist groups using social media companies’ encrypted messaging services. Addressing the National Press Club in Canberra this year, Mike Burgess, Director of the Australian Security Intelligence Organisation (ASIO), said that “privacy is important but not absolute”. These concerns come in the wake of reports that domestic extremist groups are using encrypted messaging services to plan attacks and ignite a ‘race war’. Debate over Australia’s encryption and content moderation laws has recently been reignited by a battle between X CEO Elon Musk and Australia’s eSafety Commission, an independent regulator for online safety, over the dissemination on the social media platform of violent footage whose removal had been demanded. These instances have revived debates over Australia’s digital regulation landscape, in particular its robust national security legislation, which was a world-first approach to anti-encryption laws.

Both the law enforcement and intelligence communities in Australia have voiced their concerns about criminal networks hiding behind encrypted messaging services. The spotlight is once again on the unprecedented anti-encryption legislation that was passed in 2018, the Telecommunications and Other Legislation Amendment (TOLA). TOLA created a framework for industries to assist law enforcement and intelligence agencies through decryption and data access. It was a response to the increase of end-to-end encrypted messaging services, including WhatsApp and Signal, that allowed criminal groups to hide from law enforcement, also known as ‘going dark’. TOLA was world-first legislation that expanded the access law enforcement and intelligence agencies had to encrypted communications by issuing different types of notices or requests, ranging from voluntary to compulsory cooperation, that would require communications providers to “build a new capability” to fulfil their request.

The public reactions to TOLA ranged from the tech industry calling it dangerous to civil society groups concerned about its impact on Australia’s economy and digital development, especially considering that the cost of complying with notices falls on tech companies. Law enforcement and intelligence services, however, have maintained that TOLA is a necessary tool to intercept criminal and terrorist organizations and that it was used in one of the largest sting operations undertaken by the Australian Federal Police (AFP). In that operation, known as ‘Operation Ironside’, the AFP in partnership with the Federal Bureau of Investigation (FBI) began operating an encrypted messaging app called An0m. The operation was an innovative strategy that gave law enforcement the ability to read messages from organized criminals on the platform in real time and led to sweeping arrests, including 224 arrests in Australia, 35 in New Zealand and at least 8 in the United States. This kind of unprecedented access to encrypted messages during the sting was due to powers granted under TOLA, with some believing Australia’s involvement in the operation could have been due to the country’s lack of privacy and civil liberties protections. Since then, however, there has been a recent revival of discussion around encryption and law enforcement that brings into question whether the current legislation available in Australia can effectively combat organized crime and terrorism. In his address to the National Press Club in April, Mike Burgess expressed his concerns that tech companies weren’t complying with ASIO warrants to access encrypted messages between suspected terrorist groups. In one example he described how targeted access to the communications of one individual “could have been the difference between life and death.”

These comments come six years after TOLA was introduced to parliament and powers were expanded for both law enforcement and intelligence agencies. The original concerns about its overuse seem to have waned, and the comments instead reveal the lack of power it has to enforce this level of compliance from tech companies. ASIO is required to report the number of notices it issues under TOLA; however, the appendix with these numbers has been redacted from its annual reports and is not publicly available, making it difficult to assess the usefulness of this legislation and its intended use. In a rapidly changing technological environment the debate around encryption is being revisited once again, and with Australia’s robust legislative environment surrounding this issue, it could be time to revisit existing frameworks and how they can be adapted to effectively protect national security whilst addressing concerns over privacy and digital innovation. This timeline provides an overview of current legislation affecting encryption, surveillance and content moderation in Australia.

Australian Encryption, Surveillance and Content Moderation Timeline: 

Telecommunications (Interception and Access) Act 1979

Overview: Prohibits the unauthorized interception of communications or access to stored communications, with certain exceptions. As amended in 2015, the act requires carriers and carriage service providers to be capable of passing communications from their systems to be intercepted in accordance with warrants issued under the act.

  • It is an offence to interfere in a person’s private telecommunications without that person knowing; there are, however, explicit exceptions.
  • Law enforcement and intelligence agencies can access communications for national security purposes; they must first obtain a warrant from a court or tribunal. 
  • Unless exempt, telecom providers are required to set up systems to allow interception of communications and pay the costs associated. 

The Privacy Act 1988 

Overview: The primary piece of legislation in Australia that outlines how private information can be handled, including both government and private entities. 

  • It includes the 13 Australian Privacy Principles, which apply to government and private organizations and take a principle-based approach to governing private information.
  • Recent high-profile data breaches in Australia prompted the ‘Notifiable Data Breaches Scheme’ as part of the Privacy Act in 2018, which requires notification of a data breach of personal information to the Office of the Australian Information Commissioner.

Surveillance Devices Act 2004

Overview: The act sets out the powers of law enforcement agencies and their use of surveillance devices. It establishes the procedures for law enforcement to obtain warrants, emergency authorizations and tracking device authorizations to install surveillance devices. 

  • Reports on how often law enforcement agencies use their powers under the SDA must be released each year.
  • The latest report states that: “In 2022–23, 5 law enforcement agencies were issued 682 surveillance device warrants, a decrease of 107 from the 789 issued in 2021–22. In 2022–23, one application for a surveillance device warrant was refused by an issuing authority, compared to the 7 refused in 2021–22.”

Telecommunications and Other Legislation Amendment “TOLA” (Assistance and Access) Act 2018

Overview: Introduced broad sweeping legislation that gave law enforcement and intelligence agencies unprecedented power to access encrypted communications. 

The act has three types of requests agencies can make: 

  1. Technical Assistance Request (TAR): Police ask a company to “voluntarily” help.
  2. Technical Assistance Notice (TAN): A company is required to provide assistance, including decrypting communications; if it refuses, it faces fines.
  3. Technical Capability Notice (TCN): The company must build a new function to help agencies access data or face fines.

Requests can be made by a number of different sources, including the Directors-General of the Australian Security Intelligence Organisation (ASIO), Australian Secret Intelligence Service (ASIS) and Australian Signals Directorate (ASD), the Australian Federal Police, the Australian Crime Commission and any State/Territory Police Force.

The act is powerful in how broad it is. “Designated communication provider” has three pages of definitions, and “communication material” is defined as “text, data, speech, music or other sounds, visual images (moving or otherwise), in any other form, in any combination of forms.”

The chief officer of the agency making the request only needs to be satisfied that the request is “reasonable and proportionate” and that compliance by the company is “technically feasible and practicable”.

If the provider cannot comply because of feasibility, a TCN is then requested. As of 2021 there were no reported uses of a TCN.

Service Legislation Amendment (Identify and Disrupt) Act 2021

Overview: The act is an amendment to the Surveillance Devices Act (2004) and the Crimes Act (1914) that allows law enforcement to obtain three new warrants for online activity. The act was introduced to combat crime and extremism that operates using the Dark Web. The three warrants can be issued to the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission, and they include:

  1. Data Disruption Warrants
  2. Network Activity Warrants 
  3. Account Takeover Warrants 

For these warrants to be issued, law enforcement must present compelling and reasonable suspicion to the courts.

Content Moderation

Online Safety Act 2021 

Overview: The Online Safety Act was designed to moderate extreme online content, and imposed codes on industry groups to regulate content based on classifications. 

  • Class 1A material includes child sexual exploitation material and content that advocates or depicts extreme violence and terrorism. 
  • Class 1B material includes matters of crime without justification and drug related content.
  • The five codes include social media services, app distribution services, hosting services and persons who manufacture, supply, maintain or install equipment.  

Evidence on the effect of encryption on law enforcement and security operations in Australia is limited, and it is difficult to gain a full picture of the challenges agencies face in gaining evidence for investigations. The introduction of TOLA was intended to remedy these challenges and provide easier access for law enforcement agencies to intercept criminal and terrorist organizations. It is one of the many legislative efforts the Australian government has made regarding encryption, surveillance and government access to private communications. Despite the initial concerns about the effects the law could have on privacy and civil liberties in Australia, recent public comments from the country’s top intelligence and law enforcement agencies suggest that TOLA has been harder to enforce than previously thought. It could be time to revisit this legislation as criminal groups continue to evolve with new technologies and debates continue over security and privacy.

Taylar Rajic
Associate Fellow, Strategic Technologies Program