Why your clients’ files are probably no longer safe
On 6 December 2018, the Australian Parliament passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018.
Put simply, this gives the Australian Attorney- General the power to force any company operating in Australia to hack its own security, allowing access to the information it holds on behalf of its clients.
Reasons for requiring such access include national security (a wide-reaching coverall purpose), prosecution of crimes within Australia and prosecuting crimes committed in other countries.
Failing to provide access, or notify the customer of the intrusion are, in themselves, criminal offences.
That is a quick interpretation of a monumental change in law. It needs to be investigated further and we’ve attempted to provide this below. The Bill is 224 pages long so we won’t comment on every change. However, we will consider its practical impact on the New Zealand government, companies and residents.
While some technical publications have realised the magnitude of the change, they have misinterpreted its application. Similarly, legal comment I’ve seen on the Act seems to miss the wide-ranging impact of the law change. We hope to clarify ways it may be interpreted, and its effect on people and business in New Zealand.
The first page includes the following statement:
A Bill for an Act to amend the law relating to telecommunications, computer access warrants and search warrants, and for other purposes.
The US Cloud Act provides for similar access to be granted to the US government for data held by US companies in Australia (and other jurisdictions).
From this it would also appear to cover the same area as our Search and Surveillance Act 2012. But its application goes much further.
The other jurisdictions require access, but do not necessarily require companies to breach their own security. This Act forces companies to break the security that may form the foundation of the service they provide to clients and, at the same time, may compromise the security of other information held by these companies.
To do this, the Bill amends 13 separate Acts and many of these changes are now in place. The main changes we are considering in this article are to the Telecommunications Act 1997.
We have yet to see any court cases under the new law. And with the Attorney-General’s requests themselves being confidential, we imagine any dispute about such a request will be handled with some care and would most likely be suppressed, at least until a decision was made in favour of the DCP (designated communications provider).
As the DCP is restricted from notifying its client, we may not see any cases under this new law until a company with the funds to fight, such as Google or Amazon, receives a request.
Carriage, services, and electromagnetic energy
Requests under the Act are made to a DCP. This is defined in s317C as parties who control the networks, carriers, those providing communication services over those networks, carriage service providers, and those who provide services allowing access to information over a carriage service, and electronic services.
The actual definition for carriage service is poorly written, being
a service for carrying communications by means of guided and/or unguided electromagnetic energy.
From this we would assume any service providing communication services via the internet is a carriage service provider.
Combined with those providing electronic services, it would seem to include almost all internet-based, or even present, companies.
There are some exceptions, notably where the information traditionally flows in only one direction, such as with broadcasting services. It remains to be seen how the Broadcasting Services Act 1992, where broadcasting services are defined, has kept up with the explosion in new media delivered online.
Requests and notices
The Bill is based around access to information. There are three types of possible request: a technical assistance request (TAR), a technical assistance notice (TAN), and a technical capability notice (TCN).
There are several fundamental differences between the three, based around who may issue them, the threshold required and what can be requested.
A TAR may be requested by the Director General of Security, Australian Secret Intelligence Service, Australian Signals Directorate, or the chief executive officer of an interception agency. Inception agencies are the Australian Federal Police, the Australian Crime Commission or the police force of a state or the Northern Territory.
A TAN can be provided by the Director-General of Security or the chief executive of any interception agency. A TCN can be provided only by the Attorney-General, at the request of the Director- General of Security, or the chief officer of an interception agency.
The basis for a TAR is relatively open and outlined in s317G(5) of the Act. It includes mentions of safeguarding national security, in the interest of Australia’s foreign relations, and security and integrity of information.
How this information is meant to help, or what the threshold might be, is not clearly defined. As it is a voluntary request, it appears to leave the decision largely to the DCP, which is protected from civil litigation should it follow the TAR.
The TAR is a voluntary request, asking a DCP to take certain actions. While there is no reason such a voluntary request could not already be made, s317G(1)(c) provides the DCP with protection from any civil liability for following the TAR.
Therefore, if it were to follow the TAR request, the party whose information was provided would be restricted from taking action. A voluntary request may then be more likely to be followed.
TANs and TCNs are more restrictive in the purposes for which they can be made.
They must have a relevant objective of enforcing Australian criminal law, assisting with enforcing criminal laws in a foreign country, or safeguarding national security. The crime must have a maximum sentence of at least three years, whether in Australia or in the foreign country.
A foreign state may also request assistance for a crime that holds the death penalty in that country. Assistance can be provided to the foreign country under s27A of the Surveillance Devices Act 2004.
TANs and TCNs must be followed by the DCP. A TAN is to provide help using capabilities the DCP already has, such as the use of access to information stored within its systems. A TCN requires a DCP to create access to that information where such access may not currently exist. This is where the vulnerabilities argument begins.
A TCN sets a requirement for a DCP to create a method to access the required information. Typically, such information may be encrypted, or the DCP’s systems have been set up to make such access difficult. This is done to give the DCP’s customer some comfort around confidentiality. A TCN requires a DCP to break that security.
This requirement has been widely attacked by those in the IT community. The mainstream media have largely portrayed it as an attack on messaging services. However, it extends to any DCP holding information so it would cover any encrypted email service, any cloud service, and any other information held in a storage centre in Australia.
This includes anything within Amazon’s cloud services, and Office 365 (though this information could possibly be retrievable under a TAR/TAN).
It also includes a substantial number of New Zealand government documents now stored in cloud storage in Australia.
The Act does include an allowance that a TAR/ TAN/TCN does not need to be followed if it requires the introduction of a systemic vulnerability or systemic weakness.
Unhelpfully, neither term is properly defined. Many commentators have suggested the only way to access encrypted services is to introduce a form of ‘back door’ or vulnerability that would then allow access.
This would be required as the DCP has deliberately created a secure system and most likely sold its services on that basis. So the IT community’s argument is that any access breaking such security would be a systemic vulnerability or weakness. Logically, that would be a valid argument.
However, it should be looked at from a perspective of legal interpretation.
The interpretation of law is relatively similar between New Zealand and Australia, both being based on the same source legal system (and with decisions in one often being referenced in the other). A court will typically interpret legislation in a way that gives it meaning and purpose.
While the IT community would see any break in security as being a system vulnerability, that would make the law toothless. So the court would need to set a higher threshold and look at implementing the intentions of Parliament.
With any request for a TCN having to go through the Attorney-General, Parliament has provided its own security, so using such law will be only with the approval of the Attorney-General, likely on the advice of the executive.
A court could then take most such requests as being within the allowances of the law, restricting notices only where they would create an easily accessible vulnerability.
We believe the court could argue that a vulnerability can be sufficiently protected and therefore would not meet the threshold. On this basis, most TCNs would likely be enforceable.
However, there have been situations, at least in New Zealand, where the court has deliberately taken a very narrow view.
On these rare occasions, it has been done to restrict what could be seen as a breach of other rights, allowing the court to effectively override Parliament’s right to make law. Such a situation may exist here as the new law does seek to breach rights to privacy.
A TCN being granted isn’t just an issue for the party whose information is being sought. The creation of such vulnerabilities could reduce the security for any other information stored by the DCP. For law firms, our clients, and the NZ government, that could be private and commercially-sensitive information.
We have yet to see how the courts will handle such disputes and how systemic vulnerabilities or weaknesses might be interpreted.
Such definitions may not be publicly available until a company wealthy enough to take on the Australian government, such as Amazon with its AWS service, receives such a request.
Hopefully, for New Zealand at least, government documents can in the meantime be moved to onshore facilities.
If you are using DCPs in Australia, consider personally encrypting information in a way the DCP has significant difficulty in accessing it. Or store it with a non-US-owned company in New Zealand.
Arran Hunt is a partner at Stace Hammond Lawyers.