Cyber Security
The encryption act
By Nicole Murdoch, B Eng (Elect), J.D, MIP, Principal, EAGLEGATE Lawyers, Director, AISA. The views expressed herein are her own and do not reflect the position of AISA.
In late 2018, on the final day of parliament for 2018, the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill passed both houses of Parliament, and a mere three days later it received Royal assent and became law. Since that date Australia has been criticised not only for the mere existence of the law but also for the scope and operation of that law and the perceived lack of consultation within industry. Let's all take a step back and look at the Assistance and Access Act, how it operates and how it came into existence.
Firstly, it must be stated that the Assistance and Access Act (Encryption Act) is not a blanket back door allowing law enforcement to access all devices. However, it does provide for a backdoor for some devices. This may be seen as a semantic word game, but it does provide some comfort overall.
The act applies to designated communication providers (DCPs), which include carriers, manufacturers of devices, entities that supply electronic services to consumers such as secure messaging applications, and entities that provide
60 | Australian Cyber Security Magazine
services or software for use in connection with a carriage service or an electronic service. In short, it affects everyone in the chain involved in the manufacture of devices and the use of devices over any carriage service.
The types of assistance which can be required under the act include removing electronic protections; providing technical information; installing, maintaining, testing or using software or equipment nominated by an agency; and notifying an agency of changes to, or developments of, the DCP's service that may be relevant to provide a warrant. The term "providing technical information" is to be interpreted broadly and could include source code and all of the material necessary to amend, build and deploy that source code onto devices. Access is also defined to include access subject to a precondition, push technology and a standing request.
There are three kinds of requests or notices that can be issued under the act: a technical assistance request, a technical assistance notice or a technical capability notice. A technical assistance request may ask the provider to do things on a voluntary basis,