The Australian Assistance and Access Bill (AA Bill) is legislation introduced and passed in 2018 by the Parliament of Australia to support law enforcement and security agencies in their ability to collect evidence from electronic devices. The bill is modeled after the Regulation of Investigatory Powers Act (RIPA), a law enacted in the United Kingdom in 2000 that governs the use and interception of electronic communications.
The Australian AA Bill gives government representatives the legal power to make tech companies give government representatives access to encrypted data. The bill is aimed at helping law enforcement investigate individuals who are suspected of committing a crime that carries a maximum penalty of three years or more under Australian or international law.
The legislation, which is often referred to as Australia's "anti-encryption bill" in the media, was championed by its supporters as a way for law enforcement to gather encrypted evidence about crimes taking place on the dark web.
What's in the Australian anti-encryption law?
The AA Bill has the following five sections:
- Schedule 1 identifies voluntary or ordered industry assistance.
- Schedule 2 provides additional power to law enforcement agencies to obtain covert computer access warrants.
- Schedule 3 enhances the ability of law enforcement agencies to collect evidence from electronic devices under warrant in person or remotely.
- Schedule 4 expands the search warrant powers of the Australian Border Force (ABF).
- Schedule 5 provides civil liability protections for a person or body who provides voluntary assistance.
The driving force for anti-encryption legislation is a problem that government agencies call going dark. The term has been adopted by law enforcement to describe digital communication that cannot be monitored because of strong encryption.
Mobile apps that use end-to-end encryption (E2EE) are designed to protect data at rest and in transit and keep the end user's text messages, emails and video chats private and secure. The same encryption technologies that protect end users from intruders, however, can prevent law enforcement and government agencies with the legal right to monitor transmissions from being able to do so.
According to the General Outline of the original bill, 90% of telecommunications lawfully intercepted by the Australian Federal Police (AFP) use encryption. The Assistance and Access Bill specifies that designated communication service providers, including carriage service providers, can be ordered to assist in intercepting information relevant to a law enforcement case.
In Australia, a carriage service provider uses carriers' facilities to supply telecommunications services to the public. This includes cellular voice and data providers, as well as internet service providers (ISPs). The bill also applies to any electronic service with end users in Australia and to companies that develop software used by a carriage service provider.
In the past, encrypted communications have negatively affected law enforcement's ability to collect intelligence and investigate organized crime and terrorism. The intent of the Assistance and Access Bill is to solve that problem.
Ironically, the legislation itself is considered to be problematic because the language in the bill is so vague that it's difficult for those affected by the legislation to understand their legal responsibilities.
The uncertainty over risks and liabilities has already had a negative effect on the Australian economy, according to the Department of Home Affairs (DHA). In a review submitted to the to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in July 2019, DHA concluded that the businesses in Australia have been impacted by the negative impression the bill has garnered around the world.
Cybersecurity implications and the Assistance and Access Bill
Contrary to rumor, the bill prohibits the building of any weakness or vulnerability in software or devices that jeopardize the security of innocent users. Instead, it simply allows the director-general of security or the chief officer of an interception agency to order providers to delete messages, collect extra data, offer technical details of systems to help agencies exploit weaknesses, install software or build new systems. Communication service providers are required to conceal any action taken covertly by law enforcement. Violations of this law could result in a fine of as much as AU$10 million.
Types of notices with the Assistance and Access Bill
The new law enables the Australian government to issue three types of notices:
- Technical assistance requests (TARs) enable law enforcement, security and intelligence agencies to request assistance. TARs are voluntary -- not compulsory -- and can be issued by a variety of intelligence or interception agencies working in Australia's national interests and the safeguarding of national security.
- Technical assistance notices (TANs) require -- not simply request -- designated communication providers to use an interception capability they already have. TANs can be issued by the head of Australia's intelligence organization or the chief officer of an interception agency.
- Technical capability notices (TCNs) require designated communication providers to build new interception capabilities in order to meet subsequent TANs. TCNs can be issued by the attorney-general.
Who enforces the notices?
Notices do not require independent approval by a judge. However, a warrant must exist under the Telecommunications (Interception and Access) Act or the Surveillance Devices Act before a notice is issued. Notices proceed when the requester determines that the bills required are reasonable, proportionate, practicable and technically feasible.
The bill has been criticized in the media for making manufacturers build a backdoor into their systems that can be accessed at will. While the legislation proposes backdoors as a compromise measure, critics argue that it is impossible for manufacturers to provide limited access to encrypted communication without weakening their products' overall security.
The Australian Information Industry Association (AIIA) is concerned that the bill will undermine the reputation of Australian businesses both locally and internationally and have a negative impact on the ability for Australian tech vendors to compete in international markets.
Another concern is that the bill will simply cause criminals and terrorists to change the technology and algorithms they use to encrypt their data. Instead of using commercial encryption software, critics of the legislation expect that law breakers will begin to use custom encryption apps from the dark web or cloud encryption services from countries that are not subject to Australian law.
The idea of governments wanting to access private information in order to keep the general population safe is not a new concept. What is new, however, is the concept that manufacturers should be required to help law enforcement and other government representatives access private information.
A number of Australian companies have complained that the new law has already hurt business. Bron Gondwana, CEO of Australia-based Fastmail, a hosted email provider, noted that the company has lost existing and potential customers because of the perception that Australia no longer respects the right to privacy.
DHA published a webpage listing myths about the Assistance and Access Bill. The page lists the myths along with detailed information explaining why -- according to the Australian government -- the myths are false. Example myths addressed by the Australian government include the following:
- This law does not have adequate oversight.
- Police will use this law to prosecute minor offenses.
- This law will lead to mass surveillance.