A new Assistance and Access Bill was controversially passed into law by the Australian Parliament in early December 2018, amid cries from technology and industry experts claiming that its strong-arm tactics create uncertainty, will stymie innovation and may be technically impossible to achieve.

The new bill, known by its full name as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2019, sets forth changes to several other pieces of legislation and broadly aims to address “the challenges of ubiquitous encryption.”

Specifically, the government has stated that this bill is an attempt to safeguard national security against terrorism by providing greater powers of interception and inspection of electronic communications, achieved by compulsorily requesting assistance from certain communications and platform providers.

The mechanism by which these new laws operate is through three types of notices and requests issued by government agencies, such as the Australian Secret Intelligence Service (ASIS), the Australian Signals Directorate (ASD), the Australian Federal Police (AFP) as well as state and territory police, and others:

  • Technical Assistance Requests (TARs) – these are intended to be a polite request to a cooperating provider, asking it to share information or a capability that is already in place. Requests must be for the reason of national security or otherwise relate to a “serious offense”, which is defined as something punishable by 3 years’ imprisonment or more.
  • Technical Assistance Notices (TANs) – this is essentially the mandatory version of a TAR and compliance is compelled, but again it can only relate to an existing capability that the communications provider already has available to assist.
  • Technical Capability Notices (TCNs) – this has arguably been the most controversial part of the bill, as a TCN compels a provider to develop a new “capability” just for the requesting agency. Examples here could include deliberately weakening an authentication mechanism or being able to target the communications of a specific user or system.

While the law does provide definitions for a “systemic vulnerability” and “systemic weakness”, which aim to exclude all users being affected by requiring the selective targeting of “a particular person”, this is little comfort without the fine technical detail. To make matters worse, we will never know the detail because it remains secret, and there are heavy fines for anyone publicly revealing such information.

Furthermore, there has been much discussion and public fear-mongering around the concept of “backdoors” – the weakening of the security of systems for all of us – and rightly so. If the reason for this legislation is to address the challenge of “ubiquitous encryption”, does this mean it may result in ubiquitous weakness for us all? One issue for concern is that the legislation is deliberately vague and lacks technical detail – again raising the eyebrows of many technical experts.

However, it is understandable that in today’s fast-moving technological landscape, one of the biggest issues facing lawmakers is keeping up with technology, and increasingly this means having to create laws that are generic and non-specific in an attempt to cover all possible use cases, now and into the future.

Whether this approach is appropriate, only time will tell, but it is the uncertainty that these new laws have created about the long-term impact on our technology market and on Australia’s global reputation that has caused the greatest concern.

Michael McKinnon

Michael is a Principal Consultant for PS+C Security in Melbourne, where he manages a team of penetration testers, helping provide technical assurance and guidance to some of Australia’s best-known brands. With a deep technical background, Michael’s interests include Cryptography, Risk Management, Business Management for Cybersecurity Resilience, Security Automation & DevSecOps, and the emerging risks related to Cryptocurrencies. Michael has also been a past member of the Steering Group Committee for the Australian Government’s Stay Smart Online initiative.