4. Schedule 1: The Industry Assistance Framework

4.1
This chapter provides an overview of the powers under Schedule 1 of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act) and examines the remaining concerns of stakeholders in relation to the provisions.

Overview of Schedule 1 powers

4.2
Schedule 1 of the TOLA Act amended the Telecommunications Act 1997, and made additional amendments to the Australian Security Intelligence Organisation Act 1979 (ASIO Act), the Criminal Code 1995 and the Telecommunications (Interception and Access) Act 1979 (TIA Act), to establish the industry assistance framework.
4.3
The industry assistance framework is an attempt to modernise an existing provision of the Telecommunications Act 1997 which required Australian telecommunications providers to provide reasonably necessary assistance to Australian authorities.1 As discussed in Chapter 3, advancements in communications platforms and the global nature of the internet mean that the ability of law enforcement to gather information to assist in the investigation and prosecution of serious offences has been tangibly hampered by this historical construct.
4.4
Schedule 1 of the TOLA Act introduces a broader definition of a designated communications provider (DCP) which includes carriers or carriage service providers, as well as a company whose electronic product or service is used by one or more end-users in Australia. Section 317C of the Telecommunications Act 1997 provides an extensive list of designated communications providers and the eligible activities of the person that incur an obligation.
4.5
When the requirements of s317C are met, law enforcement, national security or intelligence agencies may enter into an agreement with a DCP under a technical assistance request (TAR), or these parties may seek a technical assistance notice (TAN) or a technical capability notice (TCN), which requires providers to give assistance.
4.6
Such a request may only be made for an authorised reason. For applications made by ASIO, this must be for the purposes of safeguarding Australia’s national security. For applications made by other law enforcement and intelligence agencies, assistance may only be sought for the enforcement of criminal law in the investigation or prosecution of a serious offence incurring a penalty of 3 years or more of imprisonment. These provisions also empower law enforcement agencies to cooperate with mutual legal assistance requests as provided for by the Mutual Assistance in Criminal Matters Act 1987.
4.7
Since the commencement of the TOLA Act in December 2018, the only assistance instrument used by law enforcement was a TAR.2 In general terms, TARs are negotiated between the relevant agency and DCP using a present capability or by building a new capability. The agreement takes the form of a contracting arrangement between the parties on matters such as the terms of assistance to be provided, or financial arrangements. In making an agreement under a TAR, a DCP receives immunity from civil liability and computer related offences contained in the Criminal Code 1995 for conduct undertaken in accordance with the TAR.3
4.8
Where an agreement is not reached through the voluntary process, law enforcement or intelligence agencies may seek to access assistance through an existing capability – through a TAN – or require the DCP to establish a new capability through a TCN.
4.9
Chief Officers or their delegates4 have the ability to issue a TAN; however, prior to State or Territory police forces issuing a TAN, they must have their application approved by the Commissioner of the AFP. Prior to issuing a TAN, the chief officer or their delegate must be satisfied that the assistance sought is reasonable and proportionate and also that the notice is practicable and technically feasible.
4.10
A TCN requires the approval of the Minister for Communications and is issued by the Attorney-General on behalf of law enforcement and intelligence agencies. As above, prior to issuing a TAN the Attorney-General must be satisfied that the capability is reasonable and proportionate and also that the assistance is practicable and technically feasible. Further discussion on the appropriateness of the approval process is contained in Chapter 7.
4.11
The Department of Home Affairs explains that an assessment of practicability and technical feasibility considers resourcing and the required technical procedures:
An assistance instrument is technically feasible when the assistance sought relates to an existing capability that is within the provider’s power to utilise or, in the case of TCNs and TARs, where the new capability that is sought is one that the provider is able to build. Conversely, an assistance instrument may not be technically feasible if it is unclear what technical procedure would need to occur in order to provide the assistance or produce the outcome sought or if no technical procedure exists that could produce the outcome that is sought from the assistance.
The assessment of technical feasibility also denotes an assessment of what is technically feasible within the bounds of the legal safeguards in the legislation. For example, consider a situation where it is feasible to enable access to a targeted user’s encrypted data carried over an end-to-end encrypted service, however doing so would create a material risk that unauthorised parties could access the data of another, non-targeted user. This activity would not be technically feasible, in a legal sense, within the parameters of the legislation because it would contravene the prohibition against systemic weaknesses.5
4.12
While the TOLA Act provides a certain degree of flexibility in relation to the types of assistance and capabilities that can be sought, there are limits in place which prevent the introduction of anything that would create a systemic weakness or systemic vulnerability in a whole class of technology. In addition, the TOLA Act also provides that assistance must not have the effect of weakening the information security of a third party.
4.13
In its administrative guidance to industry the Department of Home Affairs says that this protection is broad:
Put simply, the law treats anything that would jeopardise the integrity and security of data, services and products used by any natural or legal persons, the general public and the business community as a systemic weakness.6
4.14
The relevant agency requesting either a TAN or a TCN must consult with a DCP prior to issuing a notice. In addition, for TCNs a DCP may write to the Attorney-General within the consultation period to request that an assessment of the proposed TCN be conducted. Upon receiving such a request, the Attorney-General must appoint two assessors, one of whom must have the technical knowledge to determine whether the capability would have the potential to establish a systemic weakness and must have the appropriate level of security clearance, and the other must be a judge of the High Court of Australia, the Federal Court of Australia, the Supreme Court of a State or Territory, or a District Court of a State or Territory who served for a period of at least five years and is now retired.
4.15
The assessors must make a determination in relation to the following issues:
whether the proposed technical capability notice would contravene section 317ZG
whether the requirements imposed by the proposed technical capability notice are reasonable and proportionate
whether compliance with the proposed technical capability notice is practicable
whether compliance with the proposed technical capability notice is technically feasible, and
whether the proposed technical capability notice is the least intrusive measure that would be effective in achieving the legitimate objective of the proposed technical capability notice.7

Impact of implementation on industry bodies

4.16
Submitters considered that the implementation of the TOLA Act had an impact on the economic and business prospects of Australian industry as well as impacts, more generally, on human rights.

Economic and business impacts of the TOLA Act

4.17
As discussed in Chapter 2, consideration of the TOLA Bill was expedited due to reported imminent terrorism threats. Mary Greene said that the expedited consideration did not give ‘due consideration of [its] ramifications in terms of the privacy of all persons in the community regardless of who they are’.8
4.18
Additionally, the Australian Civil Society Coalition said that the expedited consideration did not allow for parliamentarians to appropriately indicate concerns as part of the process.9
4.19
Several submitters described the negative impact that the implementation of the TOLA Act had or could have on the Australian technology sector.10
4.20
Riana Pfefferkorn said that the TOLA Act is affecting Australia’s competitiveness in the global market:
In short, the Act is hurting Australian companies, spooking both current and potential customers, and making other countries look like more attractive options for doing business. If the Government wants to help Australia’s young cybersecurity sector become a global leader by closing the gaps in innovation, exports, and skills training, it can ill afford to give with one hand while taking away with the other.11
4.21
Communications Alliance said that anti-competitiveness is already being observed in Australia’s largest ICT providers:
The geopolitical impact of the Act must be further interrogated, and particular attention should also be focused on the legal and economic implications of the application of the law on Australian Industry. This issue and the already visible anti-competitive consequences of the Act have also been raised by some of Australia’s largest ICT businesses and leading software and encryption services providers – it must not be underestimated.12
4.22
However, the Department of Communications and the Arts considered that it is not yet possible to ascertain the broader impacts of the TOLA Act:
While the impacts of assistance requests can be considered on a case-by-case basis, the Department recognises it is difficult to ascertain the broader impacts of the legislation at this stage. This is largely in part due to the infancy of the framework with some processes yet to be bedded down, and the need to protect information about assistance requests and notices.13
4.23
Telstra said that since the TOLA Act came into effect, it has been working with the Department of Home Affairs to develop administrative guidance:
Since passage of the Act, we have been working with the agencies and the Department of Home Affairs to develop administrative guidance on the operation of the assistance and access framework. While we have generally found the operation of the assistance and access framework to represent a workable expansion of the ‘reasonable assistance’ requirements of the Telecommunications Act 1997, the ability of agencies to request (or require) the development of new capabilities represents a more fundamental change to the way they engage with carriers (or other Designated Communications Providers (DCPs)).14
4.24
The Department of Home Affairs has developed administrative guidance for agencies’ engagement with DCPs,15 a factsheet for industry16 and a factsheet for investors,17 a set of frequently asked questions,18 and a scenarios factsheet.19
4.25
Communications Alliance conducted a survey in December 2019 following the introduction of the TOLA Act. In the survey, 95% of participants assessed that the TOLA Act had a negative impact20 on the reputation of Australian tech companies in global markets, and 61% of respondents indicated that international or domestic customers expressed concerns about the impact of the TOLA Act on their organisation’s products and services.21

Human rights considerations

4.26
A number of submitters considered that the TOLA Act did not appropriately balance the need to uphold Australia’s national security with broader human rights considerations.22
4.27
As a party to the International Covenant on Civil and Political Rights,23 Australia has an obligation to, among other obligations, protect the right to privacy24 and the right to freedom of expression.25 These specific rights may be limited where the limitation is reasonable, necessary and proportionate to achieving a legitimate aim, such as for the purposes of national security, public order, public health, public morals, and rights and freedoms of others.26
4.28
The INSLM considered the interplay of Australia’s human rights obligations with the various provisions of the TOLA Act, and said that the High Commission for Human Rights had considered ‘legitimate aims’ in the context of preventing terrorism and upholding national security:
The High Commissioner for Human Rights has stated that surveillance on the grounds of national security or for the prevention of terrorism or other crime may be a measure that serves a ‘legitimate aim’. However, the degree of interference must be assessed against the necessity of the measure to achieve that aim and the actual benefit it produces towards such a purpose.27
4.29
In relation to the Schedule 1 powers, the INSLM referred to the conclusion reached by the Parliamentary Joint Committee on Human Rights (PJCHR) that the TOLA Act may be incompatible with Australia’s human rights obligations:
The PJCHR concluded that, while TARs, TANs and TCNs pursue a legitimate objective and are likely to be rationally connected to that objective, the current regime is unlikely to constitute a proportionate limitation on the rights to privacy and freedom of expression and is therefore likely to be incompatible with those rights.
4.30
Access Now said that the lack of judicial authorisation, discussed in Chapter 7, inappropriately impinged on individual human rights.28 The INSLM said that the Australian Human Rights Commission mirrored this concern.29 Part of the concern raised by the parties related to the ability of an affected party to seek review of a decision, especially where a party is not informed that a request or notice is issued.30
4.31
The INSLM identified that others expressed concerns about the potential breadth of ‘acts or things’ with the ability to be compelled, the current form of limitations on TARs, TANs and TCNs, as well as the definitional matters discussed further below.31
4.32
However, the INSLM said that this position was not necessarily supported by ‘agency submitters’.32
4.33
The INSLM concluded that the TOLA Act was necessary33 and that the Schedule 1 powers in the TOLA Act would meet the threshold of proportionality for the purposes of the human rights obligations if the central recommendations related to the establishment of an Investigatory Powers Commission were implemented34 – see Chapter 7 for further discussion.

Prescribed form for TARs, TANs and TCNs

4.34
The INSLM noted that in the course of the inquiry, a number of TARs were reviewed. Further, the INSLM noted that the form of the TARs varied depending on the issuing authority and the type of information being requested.35
4.35
The INSLM suggested that a prescribed form for TARs could provide a set of requirements to be fulfilled as part of the request or notice, and the rights and obligations imposed on the recipient. Additionally, the INSLM said that a prescribed form would allow for a set of standardised data that could be used for reporting purposes:
I propose that the prescribed form would include key information as to, for instance, the ‘listed acts or things’ in respect of which the notice issues, the ‘eligible activities’ of the DCP to which it relates, and the rights and obligations of the DCP in relation to the notice. In this way, it will perhaps perform a similar function to the ‘notice to occupier’ that Australian Federal Police (AFP) members are required to serve on the occupier of premises during the execution of a Crimes Act 1914 (Cth) s 3E search warrant. The inclusion of those details in a prescribed form would also assist agencies in compiling and reporting general information as to their use.36
4.36
Internet Australia supported the INSLM’s recommendation, saying that the use of a prescribed form containing all rights, obligations and options to respond to the issue of a TAR will allow DCPs who are not familiar with TOLA requirements to respond appropriately to the requirements of a TAR.37
4.37
The Department of Home Affairs said that it generally supported the introduction of a prescribed form, but noted that such a form would have to provide sufficient flexibility for law enforcement, intelligence agencies and DCPs to negotiate the terms appropriately:
The Department notes this recommendation and will consider the development of standard forms for the use of technical assistance requests and other industry assistance powers working with all agencies empowered to use the framework. The Department notes advice from agencies that overly prescriptive forms may limit agencies’ ability to negotiate with industry and that different organisational requirements will require some flexibility. The Department is also conscious that some standardisation of forms could lead to improved efficiency and lower regulatory burden from an industry perspective, and welcomes comment from industry on the design of forms.38
4.38
The Law Council supports the intent of the INSLM’s recommendation to provide information on the rights of the recipient to challenge a request or notice, and said that there should be ‘consultation with industry and civil society, including the Law Council, on the suite of prescribed forms before they are finalised’.39
4.39
The INSLM also suggested that the recommended statutory office of the Investigatory Powers Commission in the Administrative Appeals Tribunal could have the responsibility of establishing a prescribed form for TANs and TCNs.40
4.40
The Department of Home Affairs said that it had ‘previously provided guidelines for the use of the industry assistance framework which are available on the Department’s website’.41

Definitional concerns raised by stakeholders

4.41
Stakeholders raised concerns with certain definitional aspects of the TOLA Act, including the scope of the ability to serve a notice on a DCP and aspects of the definitions of systemic vulnerabilities and systemic weaknesses.

Individuals and the definition of designated communications providers

4.42
As mentioned above, the TOLA Act contains a table defining DCPs. Each item commences with ‘the person…’42 and the revised explanatory memorandum explains that ‘[individuals], as well as body corporates, may be designated communications providers’.43
4.43
The INSLM noted that several submitters raised concerns that this construction could lead to a TAR, TAN or TCN being issued to an individual rather than appropriately directed at the relevant carrier or provider.44 This concern was echoed by submitters to this inquiry.45
4.44
The Department of Home Affairs said that it was not the intention of the legislation to serve a TAR, TAN or TCN on a natural person who is an employee of a DCP:
The intention of the legislation is that a designated communications provider not be taken to include a natural person who is an employee of that designated communications provider, and that designated communications provider only applies to natural persons who are sole traders.46
4.45
The INSLM acknowledged evidence by the Department of Home Affairs to this effect as part of the TOLA Act inquiry, but considered that the definition should put this issue beyond doubt.47
4.46
Internet Australia supported the proposal by the INSLM to clarify that the term ‘persons’ is not taken to ‘include a natural person (where that natural person is an employee of a DCP) but only applies to natural persons where that natural person is a sole trader responsible for the relevant eligible activity’.48

Systemic vulnerability, systemic weakness and related definitions

4.47
Division 7 of the TOLA Act outlines the limitations on the industry assistance framework. Section 317ZG of the TOLA Act requires that a DCP not be requested or required to build a systemic weakness or systemic vulnerability. These concepts are defined earlier in the TOLA Act as follows:
systemic vulnerability means a vulnerability that affects a whole class of technology, but does not include a vulnerability that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.
systemic weakness means a weakness that affects a whole class of technology, but does not include a weakness that is selectively introduced to one or more target technologies that are connected with a particular person. For this purpose, it is immaterial whether the person can be identified.49
4.48
Communications Alliance said that as presently defined, the definitions of systemic weakness and systemic vulnerability are difficult to understand, ambiguous and too narrow:
It has proved very difficult to adequately define the terms ‘systemic weakness/vulnerability’ and ‘target technology’. As currently drafted in the Act, these definitions are difficult to understand, ambiguous and – on the basis of initial interpretation - are significantly too narrow. The limitations intended to be given to systemic vulnerability/weakness through the definition of target technology do not achieve the desired objective. Specifically, it is unclear what constitutes a ‘class of technology’
Assuming the definition of whole class of technology as proposed by the Department of Home Affairs creates a far too narrow characterisation of what constitutes a systemic weakness or vulnerability and provides avenues for agencies to operate outside the spirit of the legislation.50
4.49
In addition, Kaspersky said that the definitions of systemic weakness and systemic vulnerability are identical and may contradict the definition of target technology:
Both definitions are identical, and they do not provide differentiation between ‘weakness’ or ‘vulnerability’. It may be reasonable to avoid duplication and leave one term. Both definitions also contradict the definition of a ‘target technology’. The latter definition implies targeting a particular person: ‘for the purposes of this Part, a particular carriage service, so far as the service is used, or is likely to be used (whether directly or indirectly) by a particular person, is a target technology that is connected with that person’. However, the Act adds that ‘for the purposes of paragraphs (a), (b), (c), (d), (e) and (f), it is immaterial whether the person can be identified (italic - Kaspersky)’. If it is immaterial that the target person can be identified, the provision means that the TOLA would permit bulk interception/surveillance. If the person cannot be identified, he or she shall not be targeted in the first place.51
4.50
The INSLM recommended that any mention of systemic vulnerability be removed because it did not reflect the use of the term by law enforcement, intelligence agencies and industry:
There seems to be little if any difference conceptually or in normal language or technical usage between a ‘systemic weakness’ and ‘systemic vulnerability’. A ‘weakness’ and a ‘vulnerability’ are synonymous, at least in the present context. If a ‘weakness’ is something that is at risk of exploitation then it seems equally accurate to describe it as a ‘vulnerability’. Further, none of the materials I have seen, including in response to s 24 notices I issued to police and intelligence agencies, indicated that either of the concepts had any meaning or operation that distinguished one from the other. To the extent that the terms are already used interchangeably in industry and public discourse, there should be no further need to use both in the legislation, especially where they are defined separately. Separate definitions for the same thing invites confusion.52
4.51
The Department of Home Affairs said that the definition of a ‘whole class of technology’ is set out in the supplementary explanatory memorandum and is designed to capture actions that make general items of technology less secure:
As set out in the supplementary explanatory memorandum, the term ‘whole class of technology’ is intended to capture actions that make general items of technology less secure; a ‘class’ is a category of technology that includes a product line, or a facet of a product line, or any constituent element of a particular technology that is also widely applied and available. For example, a class of technology encompasses:
a particular model of mobile phone
a particular type of operating system within that model of mobile phone, or
a particular form of encryption or authentication that secures communications with that operating system.
As the above indicates, the protection has been broadly cast to be consistent with the Government’s general intent to preserve electronic protection. That is, the Assistance and Access Act may not weaken or make vulnerable the services and devices that are used by the general public, business community or legitimate and specialised subsets of either. Any use of an industry assistance power that interacts with the information security of products may only impact the target person/s, or related parties.53
4.52
However, the INSLM said that it would be more appropriate to include the definition of ‘whole class of technology’ in the legislation itself rather than relying on the supplementary explanatory memorandum.54
4.53
Systemic weaknesses and systemic vulnerabilities are not taken to include ‘target technologies’ introduced to a system or device that are connected with a particular person – whether or not the person can be identified.55
4.54
The Department of Home Affairs says that the ‘target technologies’ aspect of the definition provides additional assurance on the circumstances where interaction with encryption is permitted:
The definition of ‘target technology’ further reinforces the precise circumstances under which interaction with electronic protections such as encryption is permissible. This definition takes each likely item of technology, like a carriage service or electronic service, which may be supplied by a provider, and reinforces that a weakness or vulnerability may only be introduced to the particular technology that is used, or likely to be used by a particular person.
For example, a single mobile device operated by a criminal, or suspected to be used by a criminal, would be classified as a target technology for the purpose of paragraph (e) of the definition. However, a particular model of mobile devices, or any devices that are not connected with the particular person, would be too broad to fall within the definition. This ensures that the services and devices enjoyed by any person other than the target of the power remain unaffected. This is an additional protection to the need to have a valid warrant or authorisation (which are already inherently targeted) in place to lawfully access personal information…56
4.55
The INSLM said there was evidence provided regarding the potential breadth of the application of the term ‘target technology’:
At the public hearing, Mr Murray of Electronic Frontiers submitted that the term ‘target technology’ requires clearer guidance because it is unclear, for instance, how it would apply to the Facebook Messenger application.447 Would Facebook Messenger amount to a ‘technology’ if deployed on a single device? Would Facebook Messenger be classed as a ‘whole class of technology’ to the extent it operated as an application on all devices around the world, or the totality of a network, or something located on a server either inside or outside Australia?57
4.56
The International Civil Liberties and Technology Coalition recommended that the definitions of systemic weakness and systemic vulnerability should be amended to specify that they cover any weakness or vulnerability that extends beyond the specifically targeted device or individual:
We renew our recommendation that these definitions should clarify that systemic vulnerabilities or weaknesses mean any vulnerability or weakness that could or would extend beyond the specifically targeted device or service that the targeted individual is using and is implemented in such a way that any other user of the same device or service, or any other device or service of the Designated Communications Provider, could or would be affected.58
4.57
The INSLM considered the applications of the limitations placed on requests and notices in the industry assistance framework and noted that it was generally agreed by stakeholders that the legislation should not permit actions which create an unacceptable risk of compromising the security of users.59 However, the INSLM disagreed that any level of risk is unacceptable, and instead recommended an amendment to s 317ZG to articulate the prohibited effects of a systemic weakness:
I conclude that s 317ZG(4A) should state prohibited effects as follows:
(4A) In a case where a weakness is selectively introduced to one or more target technologies that are connected with a particular person, the reference in sub-s (1)(a) to implement or build a systemic weakness into a form of electronic protection means a reference to any act or thing that creates a material risk that otherwise secure information will be accessed, used, manipulated, disclosed or otherwise compromised by an unauthorised third party.
I further conclude that the following definitions should be introduced:
a. ‘Otherwise secure information’ means ‘information of any person who is not the subject, or is not communicating with the subject, of an investigation’.
b. ‘Unauthorised third party’ means ‘anyone other than a party to the communication, the agency requesting the relevant technical assistance request, technical assistance notice or technical capability notice and/or integrity agencies’.60
4.58
Prior to the prorogation of the 45th Parliament, the Telecommunications Amendment (Repairing Assistance and Access) Bill 2020 proposed amendments to the operation of these definitions which would clarify actions that DCPs must not be requested or required to do as part of TARs, TANs or TCNs. The Bill lapsed at the conclusion of the 45th Parliament.
4.59
However, in its submission Atlassian said that the amendments proposed by the Telecommunications Amendment (Repairing Assistance and Access) Bill 2019 provided a starting point for addressing industry concerns with these definitions, but recommended that the protections afforded by the provisions of the Bill should go further:
Atlassian would also add further protections to the prohibition, as drafted in the provisions of the Bill, to address the specific concerns that industry assistance notices should not be used to prevent improvements to a DCP’s security capabilities or to create new points of access into a DCP’s electronically protected systems or products that would expose otherwise secure data… With respect to the building of points of access, Atlassian’s primary concern is that — once created — a point of access into a DCP’s systems and products can be exploited by unauthorised parties without the knowledge of law enforcement or the DCP, and without following the legal procedures required for notices under the Act. This specific example is also helpful to clarify the bounds of the ‘material risk’ prohibition that already exists in the Act, which is also repeated in the proposed Bill. Given the commercially valuable data entrusted to DCPs like Atlassian and the ongoing threats of intellectual property theft by state-sponsored and private actors alike, this is an important area for clarification.61
4.60
The INSLM recommended that the definition of ‘target technology’ be amended to include examples in statute that would clarify the intention of the powers:
I conclude that the definition of ‘target technology’ in s 317B should be clarified through the use of non-exhaustive statutory examples to clarify it refers to the specific instance used by the intended target. For example, whether it includes:
c. the mobile phone service as provided only to one or more specified mobile phone numbers
d. a particular physical device such as the mobile phone that belongs to a target?
‘Class of technology’ can then be defined through examples of services used by a group of users broader than the intended target – for example, all Telstra mobile phone subscribers or all subscribers in a particular location.62
4.61
The Department of Home Affairs suggested that the existing construction of ‘target technology’ limits the use of powers to a particular person, or circumstances where ‘target technology’ is connected to a person.63 Further, the Department said that the inclusion of the term ‘electronic protection’ within the definition of ‘target technology’ provides examples of what the term covers, rather than what it doesn’t cover.64
4.62
The INSLM noted that submissions to the TOLA Act inquiry considered the definition of electronic protection was ‘too vague to provide any useful assistance’ and that the definition should also include non-exhaustive examples of what is excluded from its meaning.65
4.63
The Department of Home Affairs considers it would not be practical to exhaustively define current electronic protections and also allow for future technological developments:
It would be impractical to define all current electronic protections and allow enough flexibility to capture future technologies. For this reason, the definition must remain technologically neutral. Further, what the Monitor describes could amount to a particular interaction with electronic protection rather than a type of protection excluded from the concept of electronic protection itself and may, therefore, be of limited use for setting the boundaries of the concept.66
4.64
The New South Wales (NSW) Police Force said it agreed with the Department of Home Affairs, and said that it was important to achieve balance between privacy of data and the need to keep Australians safe:
NSWPF agree with Department of Home Affairs’ position that any clarification or amendment of the term 'systemic weakness' should balance the need for a DCP to keep its customer data secure against the need for law enforcement to access the data to keep Australians safe. An overly restrictive definition could make aspects of the legislation unworkable.67

Serious Australian offences and serious foreign offences

4.65
The industry assistance framework can be exercised in respect of a ‘serious Australian offence’ or a ‘serious foreign offence’ which is defined in the Telecommunications Act 1997 to mean an offence that carries a maximum term of imprisonment for three years or more, or for life.68
4.66
The Communications Alliance said that less serious offences than those originally contemplated by the TOLA Bill could be captured by the definition:
When assessing this threshold, it becomes clear that less serious offences, compared to the crimes originally contemplated to be combatted by the legislation (terrorism, child abuse, human trafficking etc.) can be captured by this definition. For example, under the Crimes Act a prank or menacing phone call could satisfy the 3-year prison sentence criterion. Consequently, we strongly recommend raising the threshold for offences which could give rise to the powers of the Act being used.69
4.67
Similarly, StartupAUS said that a broad definition of serious offence erodes the exceptional intent of the TOLA Act powers and undermines Australia’s reputation in the technology market:
The result of such a broad definition of serious offence is that rather than the powers under this Act being reserved as a critical measure in times of great need, they will simply fall into regular use as part of the daily toolkit of law enforcement, at significant cost to Australian technology companies, their customers and their products.
In addition, the Act specifies a similar definition for foreign crimes, which may well allow international counterparts to use Australia as a channel to exercising law enforcement power that they do not possess in their native country, further harming Australia’s reputation within the technology market.
The definition of ‘serious crime’ should be restricted only to those crimes which are the stated target of the Act, that pose a genuine and serious threat to Australia and its citizens. Further, the ability to exercise powers in furtherance of other countries’ criminal laws should be withdrawn.70
4.68
The Telecommunications (Interception and Access) Act 1979 (TIA Act) provides a definition of serious offence that aligns in some respects with the intent of the industry assistance framework to provide a tool that can assist with the investigation and prosecution of murder, kidnapping, terrorism and national security offences.71 The Law Council suggested that the definition of serious offence for the purposes of the industry assistance framework should be amended to align with the definition in the TIA Act:
The Law Council does not support the definition of ‘serious Australian offences’ and ‘serious foreign offences’ as introduced by the Government amendments. The Law Council recommends that the definition of ‘serious offences’ should be consistent with the TIA in so far that ‘serious offences’ is defined as laws of the Commonwealth, a State or a Territory that is punishable by a maximum term of imprisonment of seven years or more, rather than three years.72
4.69
The INSLM noted that the Department of Home Affairs had provided in evidence that the TIA Act powers were appropriately limited because of the intrusive nature of the powers, and that the industry assistance framework does not intrude on privacy and the collection of personal data.73 However, the INSLM noted that the evidence reviewed did not point to that outcome:
I have reviewed a selection of agencies’ documentation as to how industry assistance powers have been deployed since TOLA commenced. I am satisfied that the investigative steps they make possible can be characterised as less intrusive than telephone interception.74
4.70
Consequently, the INSLM said that there was significant benefit in aligning the definition in the Telecommunications Act 1997 with the definition in the Telecommunications (Interception and Access) Act 1979:
I see significant merit in aligning the definition of ‘serious offence’ under the Telecommunications Act and the TIA Act. To begin with, both the TIA Act and the Telecommunications Act concern the covert use of coercive powers in the investigation of certain types of offence. Because they have that fact in common, it is sensible that they use the same types of offence as the threshold for the exercise of powers. Further, risks arise from a proliferation of different standards for different powers, without any compelling reason for the distinction. Law enforcement officers are expected to exercise a range of different powers, in different jurisdictions, on application to different issuing authorities, who are tasked to apply different standards depending on the type of power involved. Adding another point of distinction between comparable powers – in terms of thresholds at which they become available for use – is liable to confuse and perhaps contribute to inadvertent excesses of power.75
4.71
The Department of Home Affairs said that amending this definition would increase the likelihood that law enforcement agencies would be unable to issue a technical assistance request:
The Monitor’s recommendation would preserve the ability to obtain industry assistance in relation to the interception of telecommunications. However, it would exclude numerous offences which may form the basis of a warrant to obtain stored communications or install a surveillance device. Many technical assistance requests have been given to support the execution of surveillance device warrants. Surveillance devices warrants carry an offence threshold of three years’ imprisonment which allows many offences outside of the section 5D threshold to form the basis of an application to use a surveillance device.
Adopting this recommendation would increase the likelihood that law enforcement agencies will be unable to issue a technical assistance request. This recommendation would also limit the availability of industry assistance to overcome technological obstacles frustrating the use of stored communications and surveillance device warrants.76

Committee comment

4.72
The Committee notes the concerns raised by industry bodies in relation to the impact of the introduction of TARs, TANs, and TCNs on Australia’s ICT industry, and in particular, notes the survey results provided by the Communications Alliance outlining the perceived negative impact of the TOLA Act powers on industry.
4.73
Additionally, the Committee notes that because TANs and TCNs have not yet been used, it is difficult to quantify the economic impact of the legislation on Australia’s ICT industry. The Committee considers that this issue warrants monitoring and recommends that the Department of Home Affairs conduct a periodic survey of industry bodies to ascertain any ongoing economic impacts.
4.74
In the interests of transparency wherever possible regarding the operation of the TOLA Act scheme, the Committee recommends that the result of such a periodic survey be made publicly available.

Recommendation 1

4.75
The Committee recommends that the Government implement a periodic survey, starting in three years from the presentation of this report, to ascertain ongoing economic impacts of the TOLA Act legislation on Australia’s ICT industry and the results should be made publicly available.
4.76
The Committee notes the evidence of the INSLM that the format of TARs varies between applications, and that a prescribed format for TARs would assist in ensuring that relevant information regarding the rights and obligations of designated communications providers is adequately articulated. The Committee also notes the benefit of providing consistent information for those who do not often receive TARs, as per the evidence of Internet Australia.
4.77
The Committee therefore recommends that the Department of Home Affairs work with industry, law enforcement and intelligence agencies to develop a prescribed set of requirements for TARs.

Recommendation 2

4.78
The Committee recommends the Government, in consultation with relevant stakeholders, develop a prescribed set of requirements for information that must be included in technical assistance requests.
4.79
The Committee notes the recommendation of the INSLM that the proposed Investigatory Powers Commissioner should have a role in developing a prescribed form for TANs and TCNs, and the evidence from the Department of Home Affairs regarding the development of guidance material to facilitate consistency in industry assistance notices. The Committee expects that consideration of the development of a prescribed form for TANs and TCNs will form part of the Government’s consideration of the recommended Investigatory Powers Commission and vesting of powers in the AAT outlined in Chapter 7.
4.80
In relation to definitional matters, the Committee notes the concerns from submitters regarding the potential for individuals to be served with a request or notice under the industry assistance framework. The Committee also acknowledges the evidence provided by the Department of Home Affairs that it is not the intention of the TOLA Act for a request or notice to be provided to an individual when it would more appropriately be directed to the body corporate.
4.81
The Committee considers, therefore, that it would be appropriate to amend this definition to provide assurance to Australian industry and ensure that the definition operates as intended. The Committee recommends that the definition of designated communications providers be amended to clarify that it shall not be taken to be a natural person except in the case of a sole trader.

Recommendation 3

4.82
The Committee recommends that s317C of the Telecommunications Act 1997 be amended to clarify that a designated communications provider does not include a natural person, where that natural person is an employee of a designated communications provider, but will only apply to natural persons insofar as required to include sole traders.
4.83
The Committee notes that the definitions of ‘systemic weakness’ and ‘systemic vulnerability’ have unintentionally caused confusion among industry representatives. While the Committee notes the evidence of the Department of Home Affairs that the definition of ‘systemic vulnerability’ was initially introduced following consultation with industry, the Committee acknowledges the evidence of the INSLM that this definition has not continued following the introduction of the TOLA Act.
4.84
The Committee therefore recommends that the definition of systemic vulnerability be removed from the Telecommunications Act 1997.

Recommendation 4

4.85
The Committee recommends that Part 15 of the Telecommunications Act 1997 be amended to remove references to ‘systemic vulnerability’.
4.86
The Committee notes the tangible benefits that arise from ensuring consistency and clarity in legislative definitions. In relation to ‘prohibited effects’ the Committee acknowledges the recommendation made by the INSLM and believes that this strikes a balance between the views of industry and the view of the Department of Home Affairs. The Committee therefore recommends that the Telecommunications Act 1997 be amended to provide clarification on ‘prohibited effects’.

Recommendation 5

4.87
The Committee recommends that s 317ZG of the Telecommunications Act 1997 be amended to describe the ‘prohibited effects’ of a technical assistance request, a technical assistance notice or a technical capability notice.
Such an amendment could take the form of the words put forward by the Independent National Security Legislation Monitor in his recommendations 9 and 10, and the government may consider incorporation of additional definitions in s317B of the Telecommunications Act 1997 arising from the proposed amendment.
4.88
Additionally, the Committee notes the uncertainty raised by industry submitters in relation to ‘whole class of technology’ given the evidence by Atlassian that there is not a settled industry definition of the term.
4.89
While the Committee notes the concerns of the Department of Home Affairs that a definition could unintentionally restrict the operation of the powers, the Committee considers that a non-binding list of examples of what may constitute a ‘whole class of technology’ would provide more certainty to industry on their responsibilities in complying with industry assistance framework requests and notices. The Committee therefore recommends that non-exhaustive guidance documents that set out examples of what may constitute a ‘whole class of technology’ be developed, maintained and published by the Department of Home Affairs.

Recommendation 6

4.90
The Committee recommends that the Department of Home Affairs develop, maintain, and publish non-exhaustive guidance documents that set out non-binding examples of what may constitute a ‘whole class of technology’ for the purposes of defining a systemic weakness.
4.91
In line with the Committee’s recommendation 12 in its August 2021 Advisory report on the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, the Committee considers that the definitions of ‘serious offence’ and ‘relevant offence’ should be made consistent across different Acts of Parliament, including the Telecommunications (Interception and Access) Act 1979, the Telecommunications Act 1997 and the Surveillance Devices Act 2004.
4.92
The Committee notes it is probable the Government will address the issue of definitions of serious offences with the creation of the proposed Electronic Surveillance Act. The Committee therefore recommends that the Government commission a review of Commonwealth legislation to provide consistency across different Acts of Parliament of the definitions of ‘serious offence’ and ‘relevant offence’ and that this body of work should inform the electronic surveillance bill being considered by the Department of Home Affairs and other departments.

Recommendation 7

4.93
The Committee recommends the Government commission a review of Commonwealth legislation to determine whether the concept of ‘serious offence’, ‘relevant offence’, and other similar concepts:
should be made consistent across different Acts of Parliament; and
whether the threshold for the concept of ‘serious offence’ in all Commonwealth legislation should be – at a minimum – an indictable offence punishable by a maximum penalty of seven years’ imprisonment or more, with a limited number of exceptions.
This body of work should inform, or occur as part of, the eventual electronic surveillance bill being considered by the Department of Home Affairs and other departments.

  • 1
    Telecommunications Act 1997, s. 313.
  • 2
    Department of Home Affairs, Supplementary Submission 16.1, pp. 3–4.
  • 3
    Department of Home Affairs, Industry assistance under Part 15 of the Telecommunications Act 1997 (Cth): Administrative guidance for agency engagement with designated communications providers, Document <https://www.homeaffairs.gov.au/nat-security/files/assistance-access-administrative-guidance.pdf> viewed 22 October 2021.
  • 4
    The definition of ‘chief officer’ is set out in s. 317ZM of the TOLA Act as the Commissioner of the AFP, the Chief Executive Officer of the Australian Crime Commission, and the Commissioner of Police (however designated) of the relevant State or Territory.
  • 5
    Department of Home Affairs, Industry assistance under Part 15 of the Telecommunications Act 1997 (Cth): Administrative guidance for agency engagement with designated communications providers, Document <https://www.homeaffairs.gov.au/nat-security/files/assistance-access-administrative-guidance.pdf> viewed 22 October 2021, p. 6.
  • 6
    Department of Home Affairs, Industry assistance under Part 15 of the Telecommunications Act 1997 (Cth): Administrative guidance for agency engagement with designated communications providers, Document <https://www.homeaffairs.gov.au/nat-security/files/assistance-access-administrative-guidance.pdf> viewed 22 October 2021, p. 4.
  • 7
    Department of Home Affairs, Industry assistance under Part 15 of the Telecommunications Act 1997 (Cth): Administrative guidance for agency engagement with designated communications providers, Document <https://www.homeaffairs.gov.au/nat-security/files/assistance-access-administrative-guidance.pdf> viewed 22 October 2021, p. 20.
  • 8
    Mary Greene, Submission 9, p. [1].
  • 9
    Australian Civil Society Coalition, Submission 13, p. [2].
  • 10
    Mr David Gates, Submission 1, p. [2]; Australian Information Industry Association, Submission 7, p. 2; StartupAUS, Submission 8, p. [3]; Mr Peter Jardine, Submission 10, p. 5; Vault, Submission 11, pp. [1]–[2]; Koji Payne, Submission 18, p. 3; International Civil Liberties and Technology Coalition, Submission 19, p. 4; Access Now, Submission 21, p. 1; Communications Alliance, Supplementary Submission 23.2, p. 3; Internet Australia, Submission 27, p. 5; Atlassian, Submission 31, p. [1].
  • 11
    Riana Pfefferkorn, Submission 4, p. 6.
  • 12
    Communications Alliance, Submission 23, p. 3.
  • 13
    Department of Communications and the Arts, Submission 25, p. 3.
  • 14
    Telstra, Submission 22, p. 2.
  • 15
    Department of Home Affairs, Industry assistance under Part 15 of the Telecommunications Act 1997 (Cth): Administrative guidance for agency engagement with designated communications providers <https://www.homeaffairs.gov.au/nat-security/files/assistance-access-administrative-guidance.pdf> viewed 22 October 2021.
  • 16
    Department of Home Affairs, The Assistance and Access Act: what does the industry assistance framework mean for domestic and international companies?, Factsheet <https://www.homeaffairs.gov.au/nat-security/files/assistance-access-act-information-industry.pdf> viewed 22 October 2021.
  • 17
    Department of Home Affairs, The Assistance and Access Act: what does the industry assistance framework mean for investors?, Factsheet <https://www.homeaffairs.gov.au/nat-security/files/assistance-access-act-information-investors.pdf> viewed 22 October 2021.
  • 18
    Department of Home Affairs, Industry assistance under Part 15 of the Telecommunications Act 1997 – Frequently Asked Questions, Factsheet <https://www.homeaffairs.gov.au/nat-security/files/assistance-access-act-faq.pdf> viewed 22 October 2021.
  • 19
    Department of Home Affairs, Scenarios – industry assistance to law enforcement and national security agencies, Factsheet <https://www.homeaffairs.gov.au/nat-security/files/assistance-access-act-scenarios.pdf> viewed 22 October 2021.
  • 20
    Figure comprised of responses of either ‘very negative’ (51%) or ‘somewhat negative’ (44%).
  • 21
    Communications Alliance, Supplementary Submission 23.2, p. 3.
  • 22
    Riana Pfefferkorn, Submission 4, p. 3; Australian Information Industry Association, Submission 7, p. 8; StartupAUS, Submission 8, p. 3; Mary Greene, Submission 9, p. 1; Australian Civil Society Coalition, Submission 13, p. 1; Koji Payne, Submission 18, p. 4; International Civil Liberties and Technology Coalition, Submission 19, p. 1; Access Now, Submission 21, p. 6; Australian Information Industry Association and BSA | The Software Alliance, Submission 32, pp. 1–2.
  • 23
    International Covenant on Civil and Political Rights, opened for signature 19 December 1996, 999 UNTS 171 (entered into force 23 March 1976).
  • 24
    International Covenant on Civil and Political Rights, opened for signature 19 December 1996, 999 UNTS 171 (entered into force 23 March 1976), Art. 17.
  • 25
    International Covenant on Civil and Political Rights, opened for signature 19 December 1996, 999 UNTS 171 (entered into force 23 March 1976), Art. 18.
  • 26
    Access Now, Submission 21, pp. 5–6.
  • 27
    Independent National Security Legislation Monitor (INSLM), Trust but Verify: A report concerning the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 and related matters (‘TOLA Act Report’), p. 152.
  • 28
    Access Now, Submission 21, pp. 3–4.
  • 29
    INSLM, TOLA Act Report, p. 159.
  • 30
    INSLM, TOLA Act Report, p. 161.
  • 31
    INSLM, TOLA Act Report, p. 159.
  • 32
    INSLM, TOLA Act Report, p. 161.
  • 33
    INSLM, TOLA Act Report, p. 24.
  • 34
    INSLM, TOLA Act Report, p. 25.
  • 35
    INSLM, TOLA Act Report, p. 228.
  • 36
    INSLM, TOLA Act Report, p. 228. Reporting obligations are discussed further in Chapter 7.
  • 37
    Internet Australia, Supplementary Submission 27.1, p. 10.
  • 38
    Department of Home Affairs, Supplementary Submission 16.2, p. 4.
  • 39
    Law Council of Australia, Supplementary Submission 24.1, p. 10.
  • 40
    INSLM, TOLA Act Report, p. 221.
  • 41
    Department of Home Affairs, Supplementary Submission 16.2, p. 6.
  • 42
    Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act), s. 317C.
  • 43
    Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, Revised Explanatory Memorandum, p. 40.
  • 44
    INSLM, TOLA Act Report, p. 230.
  • 45
    See Koji Payne, Submission 18, p. 4; Atlassian, Submission 31, p. 4.
  • 46
    Department of Home Affairs, Supplementary Submission 16.2, p. 9.
  • 47
    INSLM, TOLA Act Report, p. 230.
  • 48
    Internet Australia, Supplementary Submission 27.1, p. 5.
  • 49
    TOLA Act, s. 317B.
  • 50
    Communications Alliance, Submission 23, p. 5.
  • 51
    Kaspersky, Submission 2, p. 4.
  • 52
    INSLM, TOLA Act Report, p. 208.
  • 53
    Department of Home Affairs, Submission 16, p. 17.
  • 54
    INSLM, TOLA Act Report, p. 209.
  • 55
    TOLA Act, s. 317B.
  • 56
    Department of Home Affairs, Submission 16, p. 18.
  • 57
    INSLM, TOLA Act Report, p. 209.
  • 58
    International Civil Liberties and Technology Coalition, Submission 19, p. 4.
  • 59
    INSLM, TOLA Act Report, p. 210.
  • 60
    INSLM, TOLA Act Report, p. 211.
  • 61
    Atlassian, Submission 31, p. 3.
  • 62
    INSLM, TOLA Act Report, p. 210.
  • 63
    Department of Home Affairs, Supplementary Submission 16.2, p. 9.
  • 64
    Department of Home Affairs, Supplementary Submission 16.2, p. 9.
  • 65
    INSLM, TOLA Act Report, p. 230.
  • 66
    Department of Home Affairs, Supplementary Submission 16.2, p. 9.
  • 67
    New South Wales (NSW) Police Force, Submission 34, p. 1.
  • 68
    Telecommunications Act 1997, s. 317B.
  • 69
    Communications Alliance, Submission 23, p. 6.
  • 70
    StartupAUS, Submission 8, p. [4].
  • 71
    Telecommunications (Interception and Access) Act 1979, s. 5D.
  • 72
    Law Council of Australia, Submission 24, p. 23.
  • 73
    INSLM, TOLA Act Report, p. 236.
  • 74
    INSLM, TOLA Act Report, p. 237.
  • 75
    INSLM, TOLA Act Report, p. 237.
  • 76
    Department of Home Affairs, Supplementary Submission 16.2, p. 7.

About this inquiry

The Committee is required under Section 187N of the Telecommunications (Interception and Access) Act 1979 to review amendments made to Commonwealth legislation by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 and to complete its review by 30 September 2020.



Past Public Hearings

07 Aug 2020: Canberra
27 Jul 2020: Canberra