Reviewing Australia’s Encryption Landscape | Strategic Technologies Blog

Australian security services have expressed concerns about extremist groups’ use of social media companies’ encrypted messaging services. Speaking at the National Press Club in Canberra this year, Mike Burgess, chief executive of the Australian Security Intelligence Organisation (ASIO), said that “privacy is important, but not absolute”. The concerns come amid reports that domestic extremist groups are using encrypted messaging services to plan attacks and incite “race warfare”. Debate over Australia’s encryption and content moderation laws has recently been reignited by a battle between X CEO Elon Musk and Australia’s eSafety Commission, an independent online safety watchdog, over the social media platform’s distribution of violent images that it demanded be removed. The cases have reignited debates over Australia’s digital regulatory landscape, particularly its robust national security legislation that was a world-first in anti-encryption laws.

Both law enforcement and intelligence agencies in Australia have expressed their concerns about criminal networks hiding behind encrypted messaging services. The spotlight has once again been on the unprecedented anti-encryption legislation passed in 2018, the Telecommunications and Other Legislation Amendment (TOLA). TOLA created a framework for industries to help law enforcement and intelligence agencies with decryption and data access in response to the rise of end-to-end encrypted messaging services, including WhatsApp and Signal, which allowed criminal groups to hide from law enforcement, otherwise known as “going dark.” TOLA was a world-first piece of legislation that expanded law enforcement and intelligence agencies’ access to encrypted communications by issuing several types of notices or requests ranging from voluntary to mandatory cooperation, requiring communications providers to build “a new capacity” to comply with their request.

Public reaction to TOLA has ranged from the tech industry calling it dangerous, to civil society groups concerned about its impact on Australia’s economy and digital development, particularly given the cost of complying with notices falls on tech companies. However, law enforcement and intelligence agencies have maintained that TOLA is a necessary tool to intercept criminal and terrorist organisations, and it was used in one of the largest interception operations undertaken by the Australian Federal Police (AFP). In the operation, known as ‘Operation Ironside’, the AFP, in partnership with the Federal Bureau of Investigation (FBI), began operating an encrypted messaging app called An0m. The operation was an innovative strategy that allowed law enforcement to read messages from organised criminals on the platform in real time and led to large-scale arrests, including 224 arrests in Australia, 35 in New Zealand and at least eight in the United States. This unprecedented access to encrypted messages during the operation was made possible through powers granted under TOLA, with some believing that Australia’s involvement in the operation could be due to the country’s lack of privacy and civil liberties protections. However, there has been a recent resurgence of debate around encryption and law enforcement that has called into question Australia’s current ability to effectively combat these problems of organised crime and terrorism. Speaking to the National Press Club in April, Mike Burgess raised concerns that technology companies were failing to comply with ASIO warrants to access encrypted messages between suspected terrorist groups. In one example, he described how targeted access to one individual’s communications “could have meant the difference between life and death.”

These comments come six years after TOLA was introduced into parliament and expanded the powers of both law enforcement and intelligence agencies. Initial concerns about overuse appear to have abated, instead revealing the law’s lack of power to enforce this level of compliance from tech companies. ASIO is required to report on the number of TOLA notices it issues, but the appendix detailing these numbers is redacted from its annual reports and is not publicly available information, making it difficult to assess the utility of this legislation and its intended use. In a rapidly changing technological environment, the debate over encryption is being revisited, and with Australia’s robust legislative environment around this issue, it may be time to revisit existing frameworks and how they can be adapted to effectively protect national security while addressing concerns about privacy and digital innovation. This timeline provides an overview of the current legislation affecting encryption, surveillance and content moderation in Australia.

Australian timeline for encryption, surveillance and content moderation:

Telecommunications (Interception and Access) Act 1979

Overview: Prohibits unauthorized interception of communications or access to stored communications, with certain exceptions. Amended in 2015, carriers and transportation service providers must be able to transmit communications from their system for interception in accordance with warrants issued under the Act.

  • It is a criminal offence to interfere with private telecommunications without the person concerned being aware of it. However, there are explicit exceptions.
  • Law enforcement and intelligence services can access communications for national security purposes. To do so, they first need an order from a court or tribunal.
  • Unless exempted, telecom providers are required to set up systems that allow communications to be intercepted and pay the associated costs.

The Privacy Act of 1988

Overview: The main legislation in Australia that describes how private information may be handled, including both government and private entities.

  • It includes the 13 Australian Privacy Principles which apply to government and private organisations. They are principles-based approaches to managing private information.
  • Recent high-profile data breaches in Australia led to the introduction of the Notifiable Data Breaches Scheme in 2018 as part of the Privacy Act. This scheme requires a data breach involving personal information to be reported to the Office of the Australian Information Commissioner.

Surveillance Devices Act 2004

Overview: The law describes the powers of law enforcement agencies and their use of surveillance equipment. It establishes the procedures for law enforcement to obtain warrants, emergency authorizations, and tracking device authorizations to install surveillance equipment.

  • The Surveillance Devices Act (SDA) requires an annual report to be published on how often law enforcement uses its powers appropriately.
  • The latest report states that: “In 2022-23, 5 law enforcement agencies were issued 682 surveillance equipment warrants, a decrease of 107 from the 789 issued in 2021-22. In 2022-23, one application for a surveillance equipment warrant was rejected by an issuing authority, compared to the 7 rejected in 2021-22.”

Telecommunications and Other Legislation Amendment “TOLA” (Assistance and Access) Act 2018

Overview: Broad, comprehensive legislation has been introduced that gives law enforcement and intelligence agencies unprecedented powers to access encrypted communications.

The law recognizes three types of requests that authorities can submit:

  1. Technical Assistance Request (TAR): The police ask a company to “voluntarily” assist.

  2. Technical Assistance Notice (TAN): A company is required to provide assistance, for example in deciphering communications. If they refuse, they risk a fine.

  3. Technical Capacity Notice (TCN): The company must build a new function to help agencies gain access to data, otherwise they risk fines.

Requests can be made by a variety of sources, including Directors-General of the Australian Security Intelligence Organisation (ASIO), the Australian Secret Intelligence Service (ASIS), the Australian Signals Directorate (ASD), the Australian Federal Police, the Australian Crime Commission and any state or territory police force.

The law is strong in how broad it is. “Designated communication provider” has three pages of definitions, and “communications equipment” is defined as “text, data, speech, music or other sounds, visual images (moving or otherwise), in any other form, in any combination of forms.”

The chief executive of the agency making the request need only be satisfied that the request is “reasonable and proportionate” and that compliance by the company is “technically feasible and practicable.”

If the provider cannot comply due to feasibility, a TCN is requested. As of 2021, there were no reported applications of a TCN.

Amendment to the Provision of Services Act – Identify and Disrupt Act 2021

Overview: The law is an amendment to the Surveillance Devices Act (2004) and the Crimes Act (1914) that allows law enforcement agencies to obtain three new warrants for online activity. The law was introduced to combat crime and extremism that takes place via the Dark Web. The three warrants can be issued to the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission, and include:

  1. Data Disruption Warrants
  2. Network Activity Warrants
  3. Account Takeover Warrants

To issue these orders, law enforcement agencies must demonstrate to a court that they have compelling and reasonable suspicion.

Content Moderation

Online Safety Act 2021

Overview: The Online Safety Act is intended to moderate extreme online content and imposes codes on industry organizations to regulate content based on ratings.

  • Class 1A material includes material relating to the sexual exploitation of children and content depicting or encouraging extreme violence and terrorism.
  • Class 1B material includes, but is not limited to, content relating to unjustifiable crimes and drug-related content.
  • The five codes include social media services, app distribution services, hosting services and persons who manufacture, supply, maintain or install equipment.

Evidence on the impact of encryption on law enforcement and security operations in Australia is limited and it is difficult to gain a full picture of the challenges agencies face in obtaining evidence for investigations. The introduction of TOLA was intended to address these challenges and provide law enforcement with easier access to intercept criminal and terrorist organisations. It is one of a number of legislative efforts the Australian government has undertaken regarding encryption, surveillance and government access to private communications. Despite initial concerns about the impact the law could have on privacy and civil liberties in Australia, recent public submissions from the country’s leading intelligence and law enforcement agencies suggest that TOLA is more difficult to enforce than previously thought. It may be time to revisit this legislation as criminal groups continue to evolve with new technologies and debates over security and privacy continue.
